Cisco ISE integration with BlueCoat proxy

Shaik Moinuddin
Level 1

Hi,

I would really appreciate it if anybody could help me out with this issue.

We have a scenario where our wireless users get authenticated by Cisco ISE (802.1x), but after authentication has passed, how can I apply BlueCoat Proxy policies?

Right now we have set the "do not authenticate" option in BlueCoat, but in this case we are unable to apply policies; if we enable authentication in BlueCoat, then users need to provide credentials two times, don't they?

ISE is running on 1.4.

Can it be fixed by a RADIUS VSA or any other solution? Kindly suggest.

thank you very much,

regards,

- Moin -

13 Replies

TM13
Level 1

Any reply or found solution?

Solution:

"Single Sign-On with RADIUS Accounting"

 

Summary:

Set up policy substitution on the Proxy

Policy substitution can work with LDAP

Set up the WLC to send RADIUS accounting to the Proxy

The Proxy reads the RADIUS accounting, then rechecks with LDAP

 

I have used this solution since 2 years ago, and it is working fine till now.

Hi Chansit,

 

Do you have any guideline document? Or can I get details of the configuration?

Hi Chansit,

 

Can you please provide us with any document?

 

thank you,

- Moin -

Configure the WLC to send RADIUS accounting to the Proxy:

*** The pre-shared key on the WLC and the Proxy need to match

----------------------------------------------------------------------------

Configure your Proxy with the following commands:

session-monitor

enable

radius shared-secret <pre-shared key>

attributes

add User-Name

add Calling-Station-ID

 

security policy-substitution create-realm <realm name>

security policy-substitution edit-realm <realm name>

authorization-realm-name <LDAP realm>

identification determine-usernames by-search

identification realm-name <LDAP realm>

identification search-filter "(sAMAccountName=$(session-monitor.attribute.User-Name))"

 

refresh-time authorization-refresh 36000

refresh-time surrogate-refresh 36000

inactivity-timeout 36000

exit

 

Create an Authentication rule on the Web Authentication Layer:

Source = client IP subnet // define your wireless subnet IP.

Action = authentication mode is Origin IP Redirect and Realm is your Policy Substitution Realm

----------------------------------------------------------------------------

For more detail, please see the following subjects in the Proxy Admin Guide:

  • Session-monitor
  • Policy Substitution Realm

For TSHOOT:

  • https://<proxy ip>:<proxy port>/sessionmonitor/dumpbin

SSO steps:

1) User authenticates to the wireless network
2) WLC sends the user identity to ISE
3) ISE checks the user identity on AD
4) AD replies with the result to ISE
5) ISE sends the authentication reply to the WLC
6) WLC accepts the user connection
7) WLC sends RADIUS accounting to ISE and the Proxy
8) Proxy verifies the RADIUS attributes, then creates a session-monitor table entry combining user IP, user MAC address and username
9) User connects to the internet
10) Proxy verifies the source IP of the user
11) Proxy queries on LDAP the username that matched the source IP in the session-monitor table
12) If the username is found, Proxy creates an authentication row combining username and user IP
13) Proxy allows the user's packets to the internet
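The accounting-to-LDAP mapping in steps 7 to 12 above, modelled in Python as an added example; this is not Blue Coat, Cisco or FreeRADIUS code. It parses a constructed Accounting-Request, checks the Request Authenticator against the pre-shared key (the check behind the note that the key must match on WLC and Proxy), keeps a session-monitor table keyed by Framed-IP-Address, and expands the "(sAMAccountName=...)" search filter that policy substitution would run. The attribute numbers and NAS-Port-Type 19 (Wireless-802.11) are RFC 2865/2866 values; the secret, user and addresses are constructed, and the RFC 4515 escaping of the substituted User-Name is a caveat added here, not something the thread discusses.

```python
"""Added model of the proxy's session-monitor / policy-substitution flow.
Constructed example: not Blue Coat, Cisco or FreeRADIUS code."""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
# Attribute types from RFC 2865/2866. NAS-Port-Type 19 is the 802.11 value a
# RADIUS dictionary must know before wireless sessions decode correctly.
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 61: "NAS-Port-Type"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-802.11"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse_attributes(data):
    """Decode the Type/Length/Value list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = data[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 8:                          # ipaddr
            attrs[name] = ".".join(str(b) for b in raw)
        elif atype in (40, 61):                 # integer
            attrs[name] = struct.unpack("!I", raw)[0]
        else:                                   # string
            attrs[name] = raw.decode("utf-8", "replace")
        pos += alen
    return attrs


def verify_accounting_request(packet, secret):
    """Return the attributes when the Request Authenticator matches the shared
    secret (RFC 2866: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)),
    otherwise None. A forged or mis-keyed Start never reaches the table."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return parse_attributes(packet[20:])


def ldap_escape(value):
    """RFC 4515 escaping, so a User-Name taken off the wire cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_search_filter(user_name):
    """What (sAMAccountName=$(session-monitor.attribute.User-Name)) expands to."""
    return "(sAMAccountName=%s)" % ldap_escape(user_name)


class SessionMonitor:
    """Table keyed by client IP, as the proxy builds it from accounting (step 8)."""

    def __init__(self, secret):
        self.secret = secret
        self.table = {}

    def ingest(self, packet):
        attrs = verify_accounting_request(packet, self.secret)
        if attrs is None or "Framed-IP-Address" not in attrs:
            return False                        # wrong key or no IP: nothing to map
        ip = attrs["Framed-IP-Address"]
        if ACCT_STATUS.get(attrs.get("Acct-Status-Type")) == "Stop":
            self.table.pop(ip, None)            # Stop tears the mapping down
            return True
        self.table[ip] = {
            "User-Name": attrs.get("User-Name"),
            "Calling-Station-Id": attrs.get("Calling-Station-Id"),
            "NAS-Port-Type": NAS_PORT_TYPES.get(attrs.get("NAS-Port-Type"), "unknown"),
        }
        return True

    def filter_for_client(self, client_ip):
        """Steps 10 to 11: map a web client's source IP to the LDAP search to run."""
        entry = self.table.get(client_ip)
        return ldap_search_filter(entry["User-Name"]) if entry and entry["User-Name"] else None


def build_accounting_request(secret, ident, avps):
    """Constructed Accounting-Request standing in for what the WLC would send."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in avps)
    header = bytes([ACCT_REQUEST, ident]) + struct.pack("!H", 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


SECRET = b"example-shared-key"                  # constructed; same on WLC and proxy
START = build_accounting_request(SECRET, 7, [
    (40, bytes([0, 0, 0, 1])),                  # Acct-Status-Type = Start
    (1, b"jdoe"),                               # User-Name
    (31, b"00-11-22-33-44-55"),                 # Calling-Station-Id (client MAC)
    (8, bytes([10, 20, 30, 40])),               # Framed-IP-Address
    (61, bytes([0, 0, 0, 19])),                 # NAS-Port-Type = Wireless-802.11
])

if __name__ == "__main__":
    mon = SessionMonitor(SECRET)
    print(mon.ingest(START), mon.table)
    print(mon.filter_for_client("10.20.30.40"))
    print(SessionMonitor(b"wrong-key").ingest(START))
```

Feeding the same Start packet to a monitor configured with a different key returns False and leaves the table empty, which is the behaviour to expect when the "pre-shared key must match" note is violated: the proxy simply never learns the user's IP, and the web request falls through to whatever your authentication layer does for unknown clients.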

Hi,

In your text you are saying that the WLC sends the RADIUS accounting information to Cisco ISE and Blue Coat ProxySG at the same time.  In the WLC security configuration and WLAN configuration I only see one option available, to send RADIUS information to just one RADIUS server at a time, I mean only the first in the list or the lowest index number.

 

Could you help me with how to configure it to send to both at the same time?

 

Regards,

 

Claudio

It's impossible with a Cisco WLC.  You need to send the accounting to something that can perform a replication job for you.  In my case I send it to an F5 load balancer, and the load balancer can replicate the Accounting request and send one copy to ISE, and a second copy to the proxy.  The F5 is also clever enough to know that it doesn't expect a Radius ACK for the traffic it just originated.

I believe that on other vendors like Aruba, you can send parallel streams of accounting data.  A very cool feature that would be nice to have on a Cisco WLC too.

You can send RADIUS accounting to multiple AAA servers at the same time.

 

Please see the details below.

[image: rbc.png]

----------------------------------------------

Example.

[image: Untitled.png]

PLEASE NOTE: SATISFACTION DEPEND ON YOUR NETWORK ENVIRONMENT AND DESIGN

@Chansit Watthanaphothidit - I think you are referring to a non-Cisco WLC product there?  Is that Cisco IOS?  In any case, on a Cisco WLC you cannot do this as far as I know.  I stand to be corrected.

My device is a Cisco WLC 5700 with IOS-XE and it can send broadcast accounting.
If your device can't, you might consider only sending RADIUS ACCOUNTING NETWORK to the Proxy.

Thank you.

Let me try to help.  We are doing this integration in a new way:

  1. We removed the authentication process from the BlueCoat Proxies;
  2. BlueCoat Proxies are trusting the 802.1x authentication results;
  3. After authentication has succeeded in the communication with the authenticator devices (WLC or switches), the authorization server defined in the WLC or switches is the FreeRADIUS server.  Why?  Easy, because it was the only RADIUS server for which we found a way to spread the authorization request to a group of destinations, in our case the Cisco ISE servers and Blue Coat Proxies at the same time.
  4. In the Cisco ISE, it is a standard authorization process;
  5. In the Blue Coat Proxies it is more complicated:
    1. A RADIUS session monitor was enabled to listen to the packets sent by the FreeRADIUS servers;
    2. An LDAP authentication definition was created to be able, in the authorization process, to search for a user or device group with the information heard by the RADIUS session monitor;
    3. A Policy Substitution was created to prepare the search using as input the information that comes from the session monitor, and it becomes an LDAP search in the Active Directory (our credential database);
  6. The authentication process is based on EAP-TLS (digital certificates)

After many adjustments in the whole environment involved (Active Directory, PKI, workstations, mobile devices, WLC, switches and MDM) and months of hard work, it is working fine  :-)

 

Claudio

The picture below is a standard EAP-TLS handshake.  I am writing a detailed answer soon:

[image: EAP-TLS HND-SHK.jpg]

Hi all,

I received an email from David Varro; he is asking for more detail on the solution, so I will publish it here to share the information with everyone, ok?

Let me try to describe the summary, but step-by-step:

1) The user/device requests access to the network switch or wireless controller. The port status is EAP-logoff.
2) The Cisco ISE requests the user/device credentials for the network device. They can be user/password (PEAP) or a digital certificate (EAP-TLS).
3) The user/device sends the credentials for authentication (PEAP/EAP-TLS) to the network device.
4) The Cisco ISE sends an LDAP request with the credentials to the Active Directory Domain Controllers.
5) The Domain Controller sends an LDAP answer with the authentication results to the Cisco ISE.
6) The Cisco ISE sends the authentication results to the network device.
7) If the authentication result was positive, then the network access port will be enabled; otherwise the network port will remain in EAP-logoff.
8) After the authentication process is finished, the network device begins the authorization process.
9) As the Cisco Wireless Controller has a limitation that only one server can be configured as authorization server, we configured a FreeRADIUS server as a "man-in-the-middle" in the RADIUS service. I mean, in the Cisco WLC, FreeRADIUS is the authorization server. In the network switches we can configure more than one server to receive the authorization requests at the same time.
10) The FreeRADIUS receives the authorization requests from the WLC; then we have a server group defined with the Cisco ISE and BlueCoat Proxies, and both receive the same request. At the end of the day, FreeRADIUS is only a forwarder.
11) In the Cisco ISE, the authorization process runs in the same way as if we had only a direct communication between the WLC and ISE. In the Proxies, the RADIUS authorization will be received by the session monitor.
12) In the Blue Coat Proxy, you need to make some changes:
12.1) The standard RADIUS dictionary needs to be updated, because 802.11 (wireless) is not there. After this change you will be able to see in the session monitor table the requests that come from the wired and wireless networks.
12.2) Create the LDAP realm to talk with the Domain Controller about authorization (search for users and groups).
12.3) Create a Policy Substitution to turn the information that comes from the digital certificate, like the username, into an LDAP search.

Well, this way BlueCoat Proxy will trust the 802.1x authentication and only the authorization process needs to be done to analyze whether the user/device access request for Internet content will be allowed (authorization process).
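The forwarder role that Claudio gives FreeRADIUS here (and that an earlier reply gives an F5) can be modelled in Python as an added example; this is not FreeRADIUS, F5, Cisco or Blue Coat code. The forwarder verifies the Request Authenticator with the WLC's key before doing anything else, re-signs the same attributes with each consumer's own shared secret, answers the WLC itself, and consumes the consumers' Accounting-Responses instead of relaying them (the "does not expect an ACK for traffic it originated" point from the thread). The consumer names, all secrets, the sample request and the in-memory "network" are constructed; real RADIUS proxying also adds a Proxy-State attribute, which is left out here.

```python
"""Added model of a RADIUS accounting fan-out point between the WLC and its
consumers. Constructed example: not FreeRADIUS, F5, Cisco or Blue Coat code."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5


def request_authenticator_ok(packet, secret):
    """RFC 2866 check: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def rekey(packet, secret):
    """Same attributes, Request Authenticator recomputed with a consumer's own key."""
    auth = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[:4] + auth + packet[20:]


def accounting_response(request, secret):
    """Empty Accounting-Response; Response Authenticator =
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) per RFC 2866."""
    header = bytes([ACCT_RESPONSE, request[1]]) + struct.pack("!H", 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_ok(reply, request, secret):
    """Accept an ACK only if it is bound to our request and signed with the key."""
    if len(reply) < 20 or reply[0] != ACCT_RESPONSE or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


class AccountingForwarder:
    """Answers the WLC itself and replicates each verified request to every
    consumer. Consumer ACKs stop here and are never relayed back to the WLC."""

    def __init__(self, wlc_secret, destinations, send):
        self.wlc_secret = wlc_secret
        self.destinations = destinations        # list of (name, shared secret)
        self.send = send                        # send(name, packet) -> reply or None
        self.replicated = self.acked = self.dropped = 0

    def handle(self, packet):
        if not request_authenticator_ok(packet, self.wlc_secret):
            self.dropped += 1
            return None                         # bad key: no fan-out, no ACK
        for name, secret in self.destinations:
            forwarded = rekey(packet, secret)
            reply = self.send(name, forwarded)
            self.replicated += 1
            if reply is not None and response_ok(reply, forwarded, secret):
                self.acked += 1
        return accounting_response(packet, self.wlc_secret)


# --- constructed stand-ins for the WLC and the two consumers --------------
CONSUMERS = {"ise": b"ise-key", "proxysg": b"proxy-key"}   # constructed secrets
INBOX = {name: [] for name in CONSUMERS}


def fake_send(name, packet):
    """Each consumer verifies with its own key and ACKs only a valid request."""
    INBOX[name].append(packet)
    if request_authenticator_ok(packet, CONSUMERS[name]):
        return accounting_response(packet, CONSUMERS[name])
    return None


def build_request(secret, ident, avps):
    """Constructed Accounting-Request standing in for the WLC's packet."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in avps)
    header = bytes([ACCT_REQUEST, ident]) + struct.pack("!H", 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


WLC_SECRET = b"wlc-key"                          # constructed
REQUEST = build_request(WLC_SECRET, 3, [
    (40, bytes([0, 0, 0, 1])),                   # Acct-Status-Type = Start
    (1, b"jdoe"),                                # User-Name
    (8, bytes([10, 20, 30, 40])),                # Framed-IP-Address
])

if __name__ == "__main__":
    fwd = AccountingForwarder(WLC_SECRET, list(CONSUMERS.items()), fake_send)
    ack = fwd.handle(REQUEST)
    print(response_ok(ack, REQUEST, WLC_SECRET), fwd.replicated, fwd.acked, fwd.dropped)
```

The order of operations is the design point: the request is checked against the WLC key before it is replicated, so a packet with a wrong or missing key is counted as dropped and neither consumer ever sees it; and because each hop re-signs with its own secret, the WLC, ISE and ProxySG do not have to share one key.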