CWA for Guest access - AD Auth with minimum re-authentication

atsukane
Level 3

Hi All,

I'm working on a new policy for Staff WLAN with external AD authentication.

My manager wants the auth policy to be, ideally, once authenticated no need to re-authenticate unless changes are made to the account, e.g. a password change.

I'm looking at Guest Type and the only option here is setting the Maximum Access Time.

Our domain policy enforces users to have a minimum 16-character password, but a password change is required once every 60 days.

For this to work, do I set the Maximum account duration to 60 days and maybe enable account expiration notification (although I'm not sure whether the notification is only for internal accounts and doesn't work for external authentication)?

Or is there anything that can be done in Authorization Profile with advanced attributes settings?

I understand that DHCP lease time and idle timeout e.g. if someone goes on holiday.

Any suggestions are very much appreciated.

Thanks


1 Accepted Solution


4 Replies

Greg Gibbs
Cisco Employee

Is there a reason you are not using 802.1x for the Staff WLAN?

The Guest CWA flow leverages an Open SSID which has various downsides including:

1. No encryption to secure the communication. Sensitive Staff communications can easily be compromised.

2. Authentication is manual and required for any new session

Any time the session is terminated on the WLC (including by session timeout), a new session is initiated and the user would be prompted to login. You could increase the session timeout, but keeping an unused session open for a longer period of time also introduces a risk that a threat actor could hijack that session on an Open SSID.

A better and more common approach is to use an 802.1x-secured SSID (like WPA2-Enterprise) for Staff. Most supplicants support PEAP-MSCHAPv2 and will prompt a user for credentials if the supplicant is not pre-configured for 802.1x via Group Policy, etc.

See Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 for an example (note that the example uses a self-signed certificate, which is not recommended for a Production environment).

atsukane
Level 3

Hi @Greg Gibbs 

Thanks for your reply. 

Staff WLAN is essentially a Guest WLAN for employees using their own devices to access the WLAN.

The idea is to have two guest WLANs, one for employees with AD authentication and have more relaxed timeout/account duration, and another WLAN for external guests.  

The existing Guest WLAN has a shorter timeout which isn't very popular with the employees.

Since returning to the office, everyone uses their mobile devices to access WLAN and use their devices for Teams meeting etc, so having to reauthenticate every day is not ideal apparently.

Can 802.1x with PEAP be used for mobile devices?

If so, we use a CA-signed wildcard SAN certificate for the portal; can we use the same wildcard SAN certificate?

Many thanks, 

Yes, most mobile device supplicants support PEAP-MSCHAPv2 and will prompt the user for credentials.

There is no CWA redirect used for an 802.1x session and the ISE nodes can only have a single EAP certificate (which should be signed by an internal enterprise CA). If the CA chain is not being pushed to the mobile devices by an enrollment process, the user may be prompted to trust the certificate presented by the server. Some supplicants may also have issues with these untrusted certificates as vendors look to introduce more hardened security controls.

This is a common discussion I have with customers about the typical balance that has to be found for security vs. user experience.

You can learn more about options for BYOD enrollment in the ISE BYOD Prescriptive Deployment Guide

If the organisation is using Azure AD, you might also have a look at ISE BYOD Flow Using Azure AD. It still uses CWA, but the SAML SSO provides a better user experience.
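The point in the reply above about supplicants trusting (or refusing) the EAP server certificate is the part that decides whether a PEAP rollout is actually secure: a supplicant that is not told which CA and which server name to expect will either prompt the user to accept whatever certificate ISE presents, or silently accept it, which is exactly the position a rogue access point running its own RADIUS server wants the client in. The network block below is an added example, not from the thread and not Cisco's own configuration; it is a wpa_supplicant (Linux/Android-style) profile for a WPA2-Enterprise SSID using PEAP-MSCHAPv2 that pins the internal enterprise CA and the expected ISE server name. The SSID, file path, domain, username and password are assumptions for illustration.

```conf
# Added example (not part of the original thread): wpa_supplicant network
# block for a Staff WPA2-Enterprise SSID using PEAP-MSCHAPv2.
# All names below (SSID, CA path, domain, identity) are assumed values.
network={
    ssid="Staff-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer tunnel: PEAPv0 as used by Windows/ISE deployments
    phase1="peaplabel=0"
    # Inner method: MS-CHAPv2 against AD via ISE
    phase2="auth=MSCHAPV2"
    # Send an anonymous outer identity so the AD username is not sent in
    # cleartext before the TLS tunnel is up
    anonymous_identity="anonymous@example.com"
    identity="jdoe@example.com"
    password="correct horse battery staple"
    # Pin the internal enterprise CA that signed the ISE EAP certificate.
    # If ca_cert is omitted, wpa_supplicant logs
    # "No server certificate chain validation" and will complete the
    # handshake with ANY server, including a rogue AP's RADIUS server.
    ca_cert="/etc/ssl/certs/corp-enterprise-ca.pem"
    # Additionally require the EAP server certificate's name to match the
    # ISE node's DNS suffix. For an exact match of a single node use
    #   altsubject_match="DNS:ise-psn01.corp.example.com"
    domain_suffix_match="corp.example.com"
}
```

Usage note: the two checks that matter are `ca_cert` (chain validation) and `domain_suffix_match` / `altsubject_match` (server identity); one without the other still leaves the client accepting any certificate issued by that CA for any name. The equivalent controls in a Windows PEAP profile are "Verify the server's identity by validating the certificate" with the trusted root CA ticked and the server names entered under "Connect to these servers". Whatever the platform, the CA and name rules have to be pushed by an enrollment or MDM process; if the user is expected to type them in or click through a prompt, the deployment inherits the "trust on first use" weakness the reply above warns about.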

This is great, thank you @Greg Gibbs 

I'll have a good read of the referenced docs and test this; from your description I'm leaning towards SAML with AAD due to the use of an internal CA-signed cert for 802.1X.

Thanks again