Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3188
Views
0
Helpful
11
Replies

Cisco ISE and Wireless LAN issue with CWA and policy manager state

smartcare.de
Level 1
Level 1

‎05-21-2015 07:45 AM - edited ‎03-10-2019 10:44 PM

Hi guys, 

 

I have a strange situation at a customer with a common guest internet access using a cisco ISE and a cisco Wireless network. 

 

The ISE is a physical 3415 using wireless-only licenses and is on the software release 1.4.0.253. 

The WLC is a 5508 running currently 7.6.110.0, the APs are 2700 series models. The rest of the infrastructure is cisco LAN switches. 

 

The goal for the guest implementation is to use CWA to get the guests to a guest-portal. 

on the wireless controller, I have a SSID set to use no l2 security, enabled mac filtering, has set the ISE as radius auth and acct server (RFC3576 is enabled) and on the advanced tab I have activated aaa override and NAC state RADIUS NAC. 

The ACL for redirect is similar to: 

permit any any dhcp

permit any any dns

permit any ISE-HOST TCP 8443

deny any any

 

On the ISE I have a authz profile for cwa set to have access-accept, CWA redirect using the ACL redirect (yep, no typo in) and nothing else. 
The AuthZ profile has the guest flow check for the internet access once authenticated and the default rule is set to trigger the cwa profile. 

 

So far so good... 

 

When testing the network, I see my client being connecting, getting IP address and also on the ISE logs, that the CWA url and ACL were pushed to the WLC. On the WLC client detail, the ACL is also shown to be applied BUT the client is in the policy manager state RUN. 

If I am not mistaken (and this is not my first ISE guest implementaion) It should be set to WEBAUTH_REQU as long as the user has not been redirected and authenticated to the portal. 

 

Now the biggie on this is, the user can surf the internet without being authenticated. 

 

Has anyone ever met this issue and can help me? Thanks. 

1 person had this problem
Labels:
0 Helpful
11 Replies 11

mecharek1
Level 1
Level 1

‎05-21-2015 10:45 AM

I have a same problems with ISE Central Web Authentication deployement

When the user associates to the web authentication SSID, and opens the browser, the WLC redirects to the guest portal, only just when he introduced the ip address of the website ex:41.180.200.35 not URL ex: www.google.com,

knowing that i don't have DNS server

0 Helpful

ammahend
VIP
VIP
In response to mecharek1

‎05-22-2015 05:27 AM

I think the redirect url send to the end user contains hostname of ISE, not the IP, so how do you expect the users to be redirected if you don't have a dns which can resolve fqdn for ise.

it looks something like : https://ISE1.test.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa#sthash.aRlyXduY.dpuf

 

so a user should be able to resolve ISE1.test.local into a valid IP of ISE.

if you are redirecting with IP, your acl is good.

 

rate this post if it helps you !

-hope this helps-
0 Helpful

mecharek1
Level 1
Level 1
In response to ammahend

‎05-22-2015 06:24 AM

the redirect url send to the end user contains the @IP  of ISE, not the hostname

like : https://10.143.10.25:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa#sthash.aRlyXduY.dpuf

the guestportal is reachable but when i tape URL like www.cisco.com in a browser the redirection  don't work???

 

thank you for your interaction and help.

 

 

0 Helpful

ammahend
VIP
VIP
In response to mecharek1

‎05-22-2015 06:44 AM

for a site to be redirected the NAD uses http and https services, do you have both services enable on the network access device (controller or switch), also from your WLC under WLANS>security>AAA servers>Order Used For Authentication , make sure radius is at the top and remove ldap and local, if you are not using them.

-hope this helps-
0 Helpful

mecharek1
Level 1
Level 1
In response to ammahend

‎05-25-2015 01:58 PM

Hi,

Wireless users can access to the configuration interface of ISE (https://IP_address_ISE:443/admin) before authentication how to resolve this problem?

 

0 Helpful

Patrick Meyer
Level 1
Level 1
In response to mecharek1

‎06-09-2015 02:12 AM

You might want to either block TCP 443 to the ISE IP or use a different physical port on ISE with a different IP address for the guest portal. Both works fine with me. 

0 Helpful

Patrick Meyer
Level 1
Level 1
In response to ammahend

‎06-09-2015 02:29 AM

I have the AuthZ Profile configured to have the static IP address of the port I connected to my guest VLAN. 

I am running WLC version 8.0.115.0 and ISE 1.4 and my guest clients are put directly into RUN state on the WLC (policy manager state). I see the AAA redirect ACL is applied but no redirect URL in place. 

What influence does 

config network web-auth captive-bypass enable

have on none-iOS devices? I know I need to have this in place to have iOS devices work properly with cisco web redirects but how does it affect windows or Android clients?

0 Helpful

ammahend
VIP
VIP

‎05-21-2015 11:01 AM

In WLC 2 way ACL is important so try something like  this

if it still does't work make sure, http and http services are enabled on the WLC.

I am assuming your ISE config is correct.


Also use the Cisco ref guide - http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

 

rate this post if it helps !

-hope this helps-
0 Helpful

mecharek1
Level 1
Level 1
In response to ammahend

‎05-21-2015 11:29 AM

 

 

i use this ACL rules

Preview file
101 KB
0 Helpful

mecharek1
Level 1
Level 1
In response to ammahend

‎05-22-2015 05:05 AM

What diffrence between this ACL rules and your exemple? thank you for help

0 Helpful

Patrick Meyer
Level 1
Level 1
In response to mecharek1

‎06-09-2015 02:24 AM

This ACL looks like from a 3850/5760 WLC using IOS XE. These models have a different approach on how to use ACLs. You can use dACLs from ISE on these. This does not work with AireOS WLCs like the 5500/2500 series. They have to use named ACLs and are not stateful, therefore you need to have  inbound AND outbound rules configured. 

Also, for AireOS the redirect statements are opposite as they are for IOS based ACLs. in IOS, you would think the ACL to be "anything that is permitted will be redirected" while the AireOS logic is "everything I have denied will be redirected". 

Following this logics, your ACL is correct in terms of allowing DHCP and DNS to be directed as wished and everything else redirected to ISE. 

If http redirects do not work but https does, check whether you have the ip http server enabled on your device. I happened to configure my first IOS XE controller to have no ip http server enabled and therefore, the controller did not redirect http traffic as it didn't recognize it. So ip http server has to be enabled for http redirect to work. 

 

I hope I didn't confuse anyone and you got my points. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents