5885 Views, 25 Helpful, 13 Replies

Cisco ISE integration with BlueCoat proxy

Shaik Moinuddin
Beginner

Hi,

I would really appreciate it if anybody could help me out with this issue.

We have a scenario where our wireless users get authenticated by Cisco ISE (802.1X), but after authentication has passed, how can I apply BlueCoat Proxy policies?

Right now we have set the "do not authenticate" option in BlueCoat, but in this case we are unable to apply policies. If we enable authentication in BlueCoat, then users need to provide credentials two times, don't they?

ISE is running on 1.4.

Can it be fixed by a RADIUS VSA or any other solution? Kindly suggest.

thank you very much,

regards,

- Moin -


13 Replies

Tulga Bat
Beginner

Any reply or found solution?

Solution:

"Single Sign-On with RADIUS Accounting"

Summary:

Set up policy substitution on the Proxy

Policy substitution can work with LDAP

Set up the WLC to send RADIUS accounting to the Proxy

The Proxy reads the RADIUS accounting, then rechecks with LDAP

I started using this solution 2 years ago, and it is working fine till now.

Hi Chansit,

Do you have any guideline document? Or can I get details of the configuration?

Hi Chansit,

Can you please provide us with any document.

Thank you,

- Moin -

Configure the WLC to send RADIUS accounting to the Proxy:

*** The pre-shared key on the WLC and the Proxy need to match.

----------------------------------------------------------------------------

Configure your Proxy with the following commands:

session-monitor
  enable
  radius shared-secret <pre-shared key>
  attributes
    add User-Name
    add Calling-Station-ID

security policy-substitution create-realm <realm name>
security policy-substitution edit-realm <realm name>
  authorization-realm-name <LDAP realm>
  identification determine-usernames by-search
  identification realm-name <LDAP realm>
  identification search-filter "(sAMAccountName=$(session-monitor.attribute.User-Name))"

  refresh-time authorization-refresh 36000
  refresh-time surrogate-refresh 36000
  inactivity-timeout 36000
  exit

Create an Authentication rule on the Web Authentication Layer:

  Source = client IP subnet // define your wireless subnet IP range.
  Action = authentication mode is Origin IP Redirect and Realm is your Policy Substitution Realm

----------------------------------------------------------------------------

For more detail, please see the following subjects in the Proxy Admin Guide:

  • Session-monitor
  • Policy Substitution Realm

For TSHOOT:

  • https://<proxy ip>:<proxy port>/sessionmonitor/dumpbin

SSO Steps:

1) User authenticates to the wireless network
2) WLC sends the user identity to ISE
3) ISE checks the user identity on AD
4) AD replies with the result to ISE
5) ISE sends the authentication reply to the WLC
6) WLC accepts the user connection
7) WLC sends RADIUS accounting to ISE and the Proxy
8) Proxy verifies the RADIUS attributes, then creates a session-monitor table entry combining the user IP, user MAC address and username
9) User connects to the Internet
10) Proxy verifies the source IP of the user
11) Proxy queries LDAP for the username that matched the source IP in the session-monitor table
12) If the username is found, the Proxy creates an authentication row that combines the username and user IP
13) Proxy allows the user's packets to the Internet
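The session-monitor and policy-substitution flow in the steps above, worked through as an added example in Python (not BlueCoat or Cisco code): an Accounting-Request from the WLC is accepted only if its authenticator matches the shared pre-shared key, the session table maps the client IP to User-Name and Calling-Station-Id, and the realm's search filter is built from the User-Name with RFC 4515 escaping. The packet layout follows RFC 2865/2866; the function and class names, the sample secret and the sample user are assumptions made here.

```python
"""Toy model of the ProxySG flow in the post above: the WLC's RADIUS accounting
feeds a session-monitor table keyed by client IP, and the policy-substitution
realm turns the User-Name from that table into an LDAP search filter.
Added example, not BlueCoat or Cisco code; packet and attribute handling follow
RFC 2865/2866, everything else (names, sample data) is constructed here."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                      # RADIUS Code for Accounting-Request
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3


def _request_authenticator(header, body, secret):
    # RFC 2866 s.3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def build_accounting_request(ident, username, client_ip, mac, status, secret):
    """Constructed stand-in for what the WLC sends (used for the demo below)."""
    attrs = [
        (USER_NAME, username.encode()),
        (FRAMED_IP, ipaddress.IPv4Address(client_ip).packed),
        (CALLING_STATION_ID, mac.encode()),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + _request_authenticator(header, body, secret) + body


def parse_accounting_request(packet, secret):
    """Return {attr_type: value} if the packet is well formed and its authenticator
    matches the shared secret, else None (the key-mismatch case the post warns about)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    if not hmac.compare_digest(packet[4:20], _request_authenticator(packet[:4], body, secret)):
        return None
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None               # malformed attribute: drop the whole packet
        attrs[attr_type] = body[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs if pos == len(body) else None


class SessionMonitor:
    """Step 8 of the post: client IP -> (username, MAC), maintained from accounting."""

    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}

    def ingest(self, packet):
        attrs = parse_accounting_request(packet, self.secret)
        if attrs is None or USER_NAME not in attrs:
            return False
        if len(attrs.get(FRAMED_IP, b"")) != 4 or len(attrs.get(ACCT_STATUS_TYPE, b"")) != 4:
            return False
        ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        if status == ACCT_STOP:
            # Stop removes the binding, so a re-used address is not attributed to the old user
            self.sessions.pop(ip, None)
        elif status in (ACCT_START, ACCT_INTERIM):
            self.sessions[ip] = {
                "user": attrs[USER_NAME].decode("utf-8", "replace"),
                "mac": attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace"),
            }
        else:
            return False
        return True

    def lookup(self, client_ip):
        return self.sessions.get(client_ip)


def ldap_filter_escape(value):
    """RFC 4515 escaping: the User-Name is a value inside the filter, never filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def search_filter(username):
    """The realm's identification search-filter from the post, with the substitution done."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(username)


def authorize(monitor, source_ip):
    """Steps 10-12: source IP -> session -> LDAP filter the proxy would run; None if no session."""
    session = monitor.lookup(source_ip)
    return None if session is None else search_filter(session["user"])


if __name__ == "__main__":
    secret = b"matching-pre-shared-key"      # constructed; must be the same on WLC and proxy
    monitor = SessionMonitor(secret)
    start = build_accounting_request(1, "jdoe", "10.10.20.33", "00-11-22-33-44-55", ACCT_START, secret)
    print(monitor.ingest(start), authorize(monitor, "10.10.20.33"))
    print(SessionMonitor(b"other-key").ingest(start))   # wrong key: rejected
```

Two behaviours here are what the CLI above relies on implicitly: a packet signed with a different key never reaches the table, so a sender that does not hold the key cannot bind a username to an IP, and an Accounting-Stop removes the binding so a re-used DHCP address is not attributed to the previous user. The User-Name the WLC reports is whatever the 802.1X identity was, so a domain prefix or UPN suffix may need handling before it is placed in the sAMAccountName filter.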

Hi,

In your text you say that the WLC sends the RADIUS accounting information to Cisco ISE and the BlueCoat ProxySG at the same time. In the WLC security configuration and WLAN configuration I only see one option available, to send RADIUS information to just one RADIUS server at a time, I mean only the first in the list or the lowest index number.

Could you help me with how to configure it to send to both at the same time?

Regards,

Claudio

It's impossible with a Cisco WLC.  You need to send the accounting to something that can perform a replication job for you.  In my case I send it to an F5 load balancer, and the load balancer can replicate the Accounting request and send one copy to ISE, and a second copy to the proxy.  The F5 is also clever enough to know that it doesn't expect a Radius ACK for the traffic it just originated.

I believe that on other vendors like Aruba, you can send parallel streams of accounting data.  A very cool feature that would be nice to have on a Cisco WLC too.

You can send RADIUS Accounting to multiple AAA servers at the same time.

Please see the details below.

(attached image: rbc.png)

----------------------------------------------

Example.

(attached image: Untitled.png)

PLEASE NOTE: SATISFACTION DEPENDS ON YOUR NETWORK ENVIRONMENT AND DESIGN

@Chansit Watthanaphothidit - I think you are referring to a non-Cisco WLC product there? Is that Cisco IOS? In any case, on a Cisco WLC you cannot do this as far as I know. I stand to be corrected.

My device is a Cisco WLC 5700 with IOS-XE, and it can send broadcast accounting.
If your device can't, you might consider only sending RADIUS ACCOUNTING NETWORK to the Proxy.

Thank you.
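The replication step that the F5 performs in the replies above, as an added example in Python (not F5, Cisco or BlueCoat code): the replicator verifies the WLC's Accounting-Request against the WLC secret, produces one copy per collector re-signed with that collector's own secret (the authenticator covers the secret, so a byte-for-byte copy only verifies if every receiver shares the same key), and answers the WLC once. Packet rules are from RFC 2866; the collector names, secrets and sample packet are constructed here.

```python
"""Accounting fan-out, modelled on the replication step described above: one
Accounting-Request from the WLC is checked with the WLC secret, re-signed for
each collector's own secret, and a single Accounting-Response goes back to the
WLC. Added example, not F5, Cisco or BlueCoat code; packet rules are from
RFC 2866, names and secrets are constructed."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5


def _request_auth(header, body, secret):
    # Accounting-Request authenticator: MD5(Code+ID+Length+16 zero octets+attributes+secret)
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def verify_request(packet, secret):
    """True only if this is an Accounting-Request whose authenticator matches `secret`."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    return hmac.compare_digest(packet[4:20], _request_auth(packet[:4], packet[20:], secret))


def resign_for(packet, target_secret):
    """Same Code, Identifier and attributes; authenticator recomputed for the collector's secret."""
    header, body = packet[:4], packet[20:]
    return header + _request_auth(header, body, target_secret) + body


def build_response(request, secret):
    """Accounting-Response without attributes: MD5(Code+ID+Length+RequestAuth+secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request, secret):
    """What the WLC does with the single ACK it receives."""
    if len(response) != 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def fan_out(packet, wlc_secret, collectors):
    """collectors: {name: secret}. Returns (copies, ack) or (None, None) when the
    WLC secret check fails (dropped silently, as a RADIUS server would)."""
    if not verify_request(packet, wlc_secret):
        return None, None
    copies = {name: resign_for(packet, secret) for name, secret in collectors.items()}
    return copies, build_response(packet, wlc_secret)


def sample_request(secret, ident=9, username=b"jdoe"):
    """Constructed Accounting-Request carrying only User-Name (attribute type 1)."""
    body = struct.pack("!BB", 1, len(username) + 2) + username
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + _request_auth(header, body, secret) + body


if __name__ == "__main__":
    req = sample_request(b"wlc-key")             # constructed secrets
    copies, ack = fan_out(req, b"wlc-key", {"ise": b"ise-key", "proxy": b"proxy-key"})
    print({name: verify_request(c, s) for (name, c), s in zip(copies.items(), [b"ise-key", b"proxy-key"])})
    print(verify_response(ack, req, b"wlc-key"))
```

The Accounting-Responses that ISE and the proxy send for their copies arrive at the replicator, not the WLC; the replicator does not wait for them and can discard them, which is the behaviour described above for the F5. What the WLC sees is the single response built with its own secret, so from its point of view it still has exactly one accounting server.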

Let me try to help. We are doing this integration a new way:

  1. We removed the authentication process from the BlueCoat Proxies;
  2. The BlueCoat Proxies trust the 802.1x authentication results;
  3. After authentication has succeeded between the authenticator devices (WLC or switches), the authorization server defined in the WLC or switches is the FreeRADIUS servers. Why? Easy: because it was the only RADIUS server for which we found a way to spread the authorization request to a group of destinations, in our case the Cisco ISE servers and the Blue Coat Proxies at the same time.
  4. In Cisco ISE, it is a standard authorization process;
  5. In the Blue Coat Proxies it is more complicated:
    1. A RADIUS session monitor was enabled to listen to the packets sent by the FreeRADIUS servers;
    2. An LDAP authentication definition was created to be able, in the authorization process, to search for a user or device group with the information listened to by the RADIUS session monitor;
    3. A Policy Substitution was created to prepare the search, using as input the information that comes from the session monitor, which becomes an LDAP search in Active Directory (our credential database);
  6. The authentication process is based on EAP-TLS (digital certificates).

After many adjustments in the whole environment involved (Active Directory, PKI, workstations, mobile devices, WLC, switches and MDM) and months of hard work, it is working fine :-)

Claudio