Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3045
Views
2
Helpful
8
Replies

Cisco ISE and pfSense - Captive Portal

Go to solution
bonedaddy76
Level 1
Level 1

‎10-26-2017 09:15 AM

Hi. I was wondering if anyone has been able to get the captive portal functioning with ISE. We would like to use the ISE portals in this scenario. If anyone has, is there a step by step out there somewhere to follow? I'm running into some issues and need to demonstrate this ability. Thanks in advance!

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-26-2017 11:05 AM

this is a rather general comment is there a specific use case or flow you're asking for?, there are many docs on how to get started under the communities.

Identity Services Engine (ISE)

Look under guest

ISE Guest & Web Authentication

under documentation there is

ISE Design & Integration Guides

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Joseph Johnson
Level 1
Level 1

‎10-26-2017 10:17 AM

You can find a really good step-by-step here:

http://www.network-node.com/blog/2016/1/2/ise-20-guest-wireless-policy

It is for a sponsored guest portal but you can tweak it if you want to only do a hotspot.

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-26-2017 11:05 AM

this is a rather general comment is there a specific use case or flow you're asking for?, there are many docs on how to get started under the communities.

Identity Services Engine (ISE)

Look under guest

ISE Guest & Web Authentication

under documentation there is

ISE Design & Integration Guides

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10

‎10-26-2017 11:37 AM

pfSense is an open source firewall, so my guess is that you are trying to use ISE Guest Portal as a way to webauth firewall users.  ISE is not a general purpose web server and web auth via ISE assumes specific capabilities on the access device (the firewall in this example).  I would not say impossible, but will say integration may be difficult as would require understanding of how LWA flow works (whereby ISE returns credentials to NAD via POST command) which we don't document.  Typical web auth is performed via CWA (a different mechanism whereby ISE never returns credentials to NAD).

/Craig

0 Helpful

Go to solution
bonedaddy76
Level 1
Level 1

‎10-26-2017 12:14 PM

Thanks folks. I appreciate the feedback. The guides are definitely a help. Right now I'm just trying to authorize with the built-in portal and it's getting failed. I have searched quite a bit and can't find anyone who has done this with ISE (or ACS for the matter), so I guess my first issue is getting the right attributes to pfSense. Like chyps says, it is open source and I know that there is going to be some work need put in to make it all run with a portal, but I wouldn't think it would be an issue just to get a RADIUS accept. So I was hoping that someone had this working and could point me in the right direction as to what to send back in the authorization profile.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to bonedaddy76

‎10-26-2017 12:26 PM

Per previous, this is not something we expect to work out of the box, and may not even with some special coding on pfSense side.  Access-Accept is tied to a RADIUS session, not a simple web page login.  With legacy LWA flow, the user is sent to a web page by NAD and ISE captures and returns the credentials submitted by user back to the NAD which in turn sends to ISE in a separate RADIUS request.  I am not aware of any documentation that details the requirements on NAD to allow this flow with 3rd-party.  The CWA flow relies on support for URL redirection and CoA, and I highly doubt the firewall is capable of processing this flow without a high amount of customization.

0 Helpful

Go to solution
bonedaddy76
Level 1
Level 1
In response to Craig Hyps

‎10-26-2017 12:40 PM

So, I guess to be more specific, pfSense has a built-in portal and can simply send out a RADIUS query without engaging the ISE captive portal mechanism. I've been able to get access-accepts from other devices use ISE and RADIUS, but for some reason this device is giving me problems.So I'm not sure if it's getting what it needs from ISE or if there is another issue.

Image.gif

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to bonedaddy76

‎10-26-2017 01:24 PM

Christopher,

Your initial query was specific to portal integration so now sounds like you are reverting the conversation to be about pure RADIUS auth without any integration of ISE portal.

"I was wondering if anyone has been able to get the captive portal functioning with ISE. We would like to use the ISE portals in this scenario." => "pfSense has a built-in portal and can simply send out a RADIUS query without engaging the ISE captive portal mechanism"

For starters, make sure you enter IP address of PSN or LB VIP into RADIUS server address in your form!  :-)

Next, you need to enable MSCHAPv2 under the Allowed Protocols for Default Network Access, or create custom Allowed Protocols entry which include MSCHAPv2 to match your auth protocol selection.  As a quick test, you can select PAP instead which is enabled by default.

/'Craig

0 Helpful

Go to solution
bonedaddy76
Level 1
Level 1
In response to Craig Hyps

‎10-27-2017 07:57 AM

Actually, it is about both I wanted to start out with the internal portal and make sure it works and then work in the custom portal. I just posted the pic to show what was available, but I did set up the items as you lay out above. I know pfSense can recognize the wispr attributes, I'm just not sure if anything other than an accept or reject is needed to be returned from ISE to get a good authorization.

0 Helpful
Customers Also Viewed These Support Documents
Top