Guest User caching ISE LWA

Philip91
Level 1

Hello all,

I am very familiar with Cisco WLC and ISE CWA, but my customer requested installing an ISE-based guest network with Forti WLAN. Forti mentioned that they don't support CWA and CoA, so I am looking at LWA.

I know how to cache guest access with CWA (register the MAC and write an authorization rule for the MAC group).

My general question is:

Does anyone have an idea if it is possible to cache the guest accounts with LWA when no "sleeping client" feature is available in the wireless infrastructure?

My worry is that the wireless infrastructure intercepts the HTTP request anyway, so I don't have the chance to NOT redirect an already authenticated guest.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116217-configure-ISE-00.html :

LWA Process with the ISE Guest Portal

  1. The browser tries to fetch a web page.
  2. The WLC intercepts the HTTP(S) request and redirects it to the ISE.
    Several key pieces of information are stored in that HTTP redirect header. Here is an example of the redirect URL:
    https://mlatosieise.wlaaan.com:8443/portal/PortalSetup.action?portal=27963fb0-e96e-11e4-a30a-005056bf01c9#&ui-state=dialog?switch_url=https://1.1.1.1/login.html&ap_mac=b8:be:bf:14:41:90&client_mac=28:cf:e9:13:47:cb&wlan=mlatosie_LWA&redirect=yahoo.co...
    From the example URL, you can see that the user tried to reach "yahoo.com." The URL also contains information about the Wireless Local Area Network (WLAN) name (mlatosie_LWA), and the client and access point (AP) MAC addresses. In the example URL, 1.1.1.1 is the WLC, and mlatosieise.wlaaan.com is the ISE server.
  3. The user is presented with the ISE guest login page and enters the username and password.
  4. The ISE performs authentication against its configured identity sequence.
  5. The browser redirects again. This time, it submits credentials to the WLC. The browser provides the username and password that the user entered in the ISE without any additional interaction from the user. Here is an example GET request to the WLC.
    GET /login.html?redirect_url=http://yahoo.com/&username=mlatosie%40cisco.com&password=ityh&buttonClicked=4&err_flag=0
    Again, the original URL (yahoo.com), the username (mlatosie@cisco.com), and the password (ityh) are all included.

    Note: Although the URL is visible here, the actual request is submitted over Secure Sockets Layer (SSL), which is indicated by HTTPS, and is hard to intercept.

  6. The WLC uses RADIUS in order to authenticate that username and password against the ISE and allows access.
  7. The user is redirected to the specified portal. Refer to the "Configure external ISE as the webauth URL" section of this document for more information.

Any idea/advice??

Many thanks

Philip
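As an added example (not code from the post or from Cisco's documentation), the Python below parses the LWA redirect URL quoted above, checks that its switch_url names a WLC you operate (the allowlist is an assumption), and redacts the password from the step-5 login GET, which, as the quoted note points out, carries the credentials in its query string and would otherwise land in proxy or web-server logs:

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample, built from the values in the quoted Cisco document.
REDIRECT_URL = (
    "https://mlatosieise.wlaaan.com:8443/portal/PortalSetup.action"
    "?portal=27963fb0-e96e-11e4-a30a-005056bf01c9"
    "#&ui-state=dialog?switch_url=https://1.1.1.1/login.html"
    "&ap_mac=b8:be:bf:14:41:90&client_mac=28:cf:e9:13:47:cb"
    "&wlan=mlatosie_LWA&redirect=yahoo.com"
)
LOGIN_GET = (
    "GET /login.html?redirect_url=http://yahoo.com/&username=mlatosie%40cisco.com"
    "&password=ityh&buttonClicked=4&err_flag=0"
)


def parse_lwa_redirect(url):
    """Return the ISE host, portal id and the WLC parameters (switch_url,
    AP/client MACs, WLAN, original destination) from an LWA redirect URL."""
    parts = urlsplit(url)
    portal = parse_qs(parts.query).get("portal", [None])[0]
    # The WLC parameters sit after a '?' inside the URL *fragment*, so
    # urlsplit().query never sees them; split the fragment by hand.
    frag_query = parts.fragment.partition("?")[2]
    wlc = {k: v[0] for k, v in parse_qs(frag_query).items()}
    return {"ise_host": parts.hostname, "portal": portal, **wlc}


def credential_destination_ok(fields, allowed_wlc_hosts):
    """switch_url is where the browser will submit the guest's credentials in
    step 5, so accept it only when it names a known WLC (assumed allowlist)."""
    return urlsplit(fields.get("switch_url", "")).hostname in allowed_wlc_hosts


def redact_login_request(request_line, secret_params=("password",)):
    """Replace secret query parameters in the step-5 GET so the request line
    can be written to logs without the plaintext password."""
    method, _, target = request_line.partition(" ")
    path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    for name in secret_params:
        if name in params:
            params[name] = ["REDACTED"]
    return f"{method} {path}?{urlencode(params, doseq=True)}"


if __name__ == "__main__":
    fields = parse_lwa_redirect(REDIRECT_URL)
    print(fields["client_mac"], fields["wlan"], fields["switch_url"])
    print(credential_destination_ok(fields, {"1.1.1.1"}))  # True
    print(redact_login_request(LOGIN_GET))
```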

Accepted Solution

Jason Kunst
Cisco Employee
I don't think there is anything we can do from our side for that. Did you ask the vendor since they are providing the Web Auth portal?

There is no way to register the endpoint MAC because we are not controlling the session.

You could also perhaps use the walled garden approach?
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#concept_CDD87F6FE3A54351B27FF35316A23DA3
URL Redirect Mechanism and Auth VLAN
