Viktor if you have example to share would be nice, not sure how this would be done, also your attach didn't work, trying again chyps

As noted, ISE 2.x can provide CWA support with access devices that

1) support CoA

2) support URL redirect where:

     a) URL redirect is dynamic, i.e. sent as a RADIUS authorization or

     b) URL redirect is static, i.e. where NAD redirects and can populate MAC or IP address in URL.

In 2.1 we will support option to provide redirect directly from PSN without NAD involvement, but we have not QA tested with wireless yet. 

LWA to ISE as portal likely will not work as we return credentials in specific manner to NAD.

Any other customization suggested would not be TAC supported, but certainly we have had some interesting uses cases handled via custom scripting. Support would be up to partner or Cisco AS if engaged.

Craig

I don't have the exact example for this use case, but used something similar for automatic DRW in 1.2 pre-Hotspot days.

In the initial page, here are the functions to parse out the URL parameters and save into a cookie:

Reaplce session id with token

function setCookie(cookieName,cookieValue) {

document.cookie = cookieName+"="+escape(cookieValue);

}

function getParameterByName(name)

{

  name = name.replace(/[\[]/, "\\\[").replace(/[\]]/, "\\\]");

  var regexS = "[\\?&]" + name + "=([^&#]*)";

  var regex = new RegExp(regexS);

  var results = regex.exec(window.location.search);

  if(results == null)

    return "";

  else

    return decodeURIComponent(results[1].replace(/\+/g, " "));

}

//gets the session ID from the and saves it in a cookie

function saveSessionId()

{

  var sessionId = getParameterByName('sessionId');

  setCookie('guestSessionId',sessionId);

}

On the success page, you would set window.location variable to the new value:

   function getCookie(c_name)

  {

   var i,x,y,ARRcookies=document.cookie.split(";");

   for (i=0;i<ARRcookies.length;i++)

   {

   x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));

   y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);

   x=x.replace(/^\s+|\s+$/g,"");

   if (x==c_name)

     {

     return unescape(y);

     }

   }

  }

var sessionId = getCookie('guestSessionId');

window.location="https://mycontroller.company.com/login?token="+sessionId

Thinking about this so more, this can't possibly be the mechanism of authorizing the users. It would allow one to just grab the URL from the browser and craft another URL with the authorization token in it.

We need to get more details on how the authentication flow works with this vendor.

Hi Viktor,

Here an exemple of what ISE should return to the controler; the token was set and added to the redirection URL

https:///ext_approval.php?token=OakRQ7uFYOH5E8dVD4PgvQ!!&wlan=1&username=argon32&password=6Z*_aL40q!&dest=www.google.com

The documentation is attached, if you want to have a look …

• Composing the Redirection Response to Send the Browser back to the Controller, p98

I’m trying to use the example you share ;

Thx,

Jean-Francois

Reading the guide, this is not a straight forward passing of the token. The guide talks about using a shared key to generate a hash of the return URL, page 96.

This is all doable in javascript. These hashing functions are readily available as open source on the internet

On the login page, you would intercept the login button and store values of username, password and token into cookies.

On the success page, you would read those cookies and craft the value for window.location using the hash function.

Or are we using Case 1 on page 98 where the controller is pointing to ISE as RADIUS.

You first need to consider what you're really gaining out of ISE in this setup.

Could you not simply host the login page be hosted on the controller itself and let it pass credentials to ISE via RADIUS?

Hi Jean,

Did you succeed in configure guest authentication with Extreme Networks Wifi controller? I don't understand how you can use ISE guest portal without using RADIUS... I also didn't find the document referred in the post.

Thanks

AM