External web auth policy with Extreme Networks Wifi controller.

jpujol, Cisco Employee

I’m trying to provide a web auth solution for a customer currently using Extreme Networks APs (controller based).

They are using a redirect method on the Extreme controller (like external web auth redirect on our Airespace controllers).

Example:

http://10.10.21.42/net_auth.php?X-Amz-Date=20140729T151045Z&bssid=00026fe9b560&dest=1.2.3.4%2Fnews.com&hwc_ip=10.10.21.6&hwc_port=443&mac=001302d0f54e&token=T7vb1LdUZmsuY0q9V60Iww!!&wlan=1

The mandatory part is the token field (token=T7vb1LdUZmsuY0q9V60Iww!!), which should be returned to the wifi controller when the user is authorized; ISE should send a URL with username/password AND the token towards the controller to let it authenticate through RADIUS then (more or less the same way we did it on Airespace).

Can we keep track of the token variable and send it back to the controller?

If the URL was kept untouched, I was thinking of retrieving the token from the URL by using a JavaScript script, putting it into an optional portal variable, and sending it back in the success authentication reply …

Do you think it’s doable?

Or any other integration between Extreme Networks Wifi controllers and ISE for Guest services ?

Thx,

Jean-François Pujol, CISSP, CSSI

Security & Wireless specialist SE

Accepted Solution

howon, Cisco Employee

No, it is not possible with current ISE versions. Are there any other webauth methods that Extreme wireless can do? Our WLC has a few other options when doing webauth, which are External WebAuth, URL-redirect (CWA), and LWA. If they have something like our LWA, that may be an option.

9 Replies


vibobrov, Cisco Employee

Adding a couple of folks @chyps @jakunst.

With 2.0, it is possible for ISE to parse out parameters for a session. That can be configured with a device profile.

When we get that session in ISE, we can parse out the token parameter and store it in a cookie.

We can then place JavaScript code on the success page to redirect the user to a crafted URL containing the token.

Viktor, if you have an example to share it would be nice; not sure how this would be done. Also, your attachment didn't work, trying again @chyps

As noted, ISE 2.x can provide CWA support with access devices that:

1) support CoA

2) support URL redirect where:

     a) URL redirect is dynamic, i.e. sent as a RADIUS authorization, or

     b) URL redirect is static, i.e. where the NAD redirects and can populate the MAC or IP address in the URL.

In 2.1 we will support an option to provide the redirect directly from the PSN without NAD involvement, but we have not QA tested it with wireless yet.

LWA to ISE as portal likely will not work, as we return credentials in a specific manner to the NAD.

Any other customization suggested would not be TAC supported, but certainly we have had some interesting use cases handled via custom scripting. Support would be up to the partner or Cisco AS if engaged.

Craig

I don't have the exact example for this use case, but used something similar for automatic DRW in 1.2 pre-Hotspot days.

In the initial page, here are the functions to parse out the URL parameters and save them into a cookie.

Replace session id with token:

```javascript
// Store a value in a cookie (escape() is legacy, but kept as posted)
function setCookie(cookieName, cookieValue) {
  document.cookie = cookieName + "=" + escape(cookieValue);
}

// Return the value of a query-string parameter from the current URL, or "" if absent
function getParameterByName(name) {
  name = name.replace(/[\[]/, "\\\[").replace(/[\]]/, "\\\]");
  var regexS = "[\\?&]" + name + "=([^&#]*)";
  var regex = new RegExp(regexS);
  var results = regex.exec(window.location.search);
  if (results == null)
    return "";
  else
    return decodeURIComponent(results[1].replace(/\+/g, " "));
}

// Gets the session ID from the URL and saves it in a cookie
function saveSessionId() {
  var sessionId = getParameterByName('sessionId');
  setCookie('guestSessionId', sessionId);
}
```

On the success page, you would set the window.location variable to the new value:

```javascript
// Return the value of the named cookie, or undefined if it is not set
function getCookie(c_name) {
  var i, x, y, ARRcookies = document.cookie.split(";");
  for (i = 0; i < ARRcookies.length; i++) {
    x = ARRcookies[i].substr(0, ARRcookies[i].indexOf("="));
    y = ARRcookies[i].substr(ARRcookies[i].indexOf("=") + 1);
    x = x.replace(/^\s+|\s+$/g, "");
    if (x == c_name) {
      return unescape(y);
    }
  }
}

// Read the saved value back and send the browser to the controller with it
var sessionId = getCookie('guestSessionId');
window.location = "https://mycontroller.company.com/login?token=" + sessionId;
```

Thinking about this some more, this can't possibly be the mechanism for authorizing the users. It would allow one to just grab the URL from the browser and craft another URL with the authorization token in it.

We need to get more details on how the authentication flow works with this vendor.

Hi Viktor,

Here is an example of what ISE should return to the controller; the token was set and added to the redirection URL:

https:///ext_approval.php?token=OakRQ7uFYOH5E8dVD4PgvQ!!&wlan=1&username=argon32&password=6Z*_aL40q!&dest=www.google.com

The documentation is attached, if you want to have a look …

• Composing the Redirection Response to Send the Browser back to the Controller, p98

I’m trying to use the example you shared;

Thx,

Jean-Francois

Reading the guide, this is not a straightforward passing of the token. The guide talks about using a shared key to generate a hash of the return URL, page 96.

This is all doable in JavaScript. These hashing functions are readily available as open source on the internet.

On the login page, you would intercept the login button and store the values of username, password and token into cookies.

On the success page, you would read those cookies and craft the value for window.location using the hash function.

Or are we using Case 1 on page 98, where the controller is pointing to ISE as RADIUS?

You first need to consider what you're really gaining out of ISE in this setup.

Could you not simply have the login page hosted on the controller itself and let it pass credentials to ISE via RADIUS?

Hi Jean,


Did you succeed in configuring guest authentication with the Extreme Networks Wifi controller? I don't understand how you can use the ISE guest portal without using RADIUS... I also didn't find the document referred to in the post.

Thanks

AM
