cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4346
Views
9
Helpful
16
Replies

H3C WX Series and Central Web Auth

Arne Bier
VIP
VIP

Hi

Anyone had experience with integrating ISE Central Web Auth with H3C WX series wireless controllers (e.g. H3C WX5004 and H3C WX5002V2)?

I had a look at ISE Third-Party NAD Profiles and Configs but that product is not listed there.

I have a suspicion that they don't handle URL redirection.  I find their documentation is a bit tricky to understand.

3 Accepted Solutions

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Arne if they don’t then you can use the ISE auth vlan dhcp dns feature

View solution in original post

Arne Bier
VIP
VIP

@Jason Kunst and @smashash

After a whole day of hacking around on the H3C WX 5004, we got it working :-)

 

The trick was to NOT send ACCESS-REJECT as suggested by HPE - but rather, to send ACCESS-ACCEPT.  Grrrrrr!!!!

This of course causes a session to be built in ISE that is then later used for the COA function (a very crucial part of the equation).

The second trick was to always perform dynamic VLAN override - ISE needs to send back the auth VLAN in the "MAC unknown in ISE" flow.  And in the "MAC known in ISE" flow we send back the Guest VLAN.

Booom!  Works.  I can even send an ACL to the controller via the Radius Filter-ID attribute.

 

We're also running some ancient version of Comware for those who are interested - Release 2509P51

 

View solution in original post

Hi @Jason Kunst

I finally got around to writing up my solution to this question in a new article here.

 

View solution in original post

16 Replies 16

Jason Kunst
Cisco Employee
Cisco Employee

Arne if they don’t then you can use the ISE auth vlan dhcp dns feature

I did work with another account team, to prove out the WX5002 under ISE 2.0 (before Auth VLAN feature.  Most flows were successfully validated including some enhancements to ensure proper working with BYOD.  Since this testing conducted outside of Cisco QA and before we started posting to community, the NAD profile and config were never collected for posting.  From my notes, default HP Wireless profile was used.

Hi Craig

I started testing ISE Guest integration with an H3C WX5004 today and we used the H3C's CLI config snippet posted on the community forum.  It's somewhat useful and we have a half working solution so far.  I am wondering how you got the CoA working?  Does the H3C understand CoA?

And then how do you tell it which ACL's to apply (e.g. Portal ACL vs Guest Authenticated ACL)?

regards

Arne

Mixed feedback on the CoA support.  One report for WX5002 was that it did not, but then had another team validate the same platform with CWA and other web-enabled flows with CoA.  So there may be changes based on version deployed or hw revs.  Ultimately would need validation with your specific product and version.

The sample config posted shows that the H3C supports static URL.  In that case, you set the portal to be the one generated in the ISE Authorization Profile for 3rd-party redirect. The URL redirect type is set in NAD Profile.

Here is example for posted H3C config:  HP-H3C-A5500-NAD-Config

#

portal server iseportal ip 10.10.13.188 port 8443 url https://10.10.13.188:8443/portal/gateway?portal=a6b8fa70-fc3e-11e4-a67c-005056bf2f0a&action=cwa

#

portal free-rule 10 source ip any destination ip any

#

In the above example, the actual redirect URL was listed.  However, we provide option to set a "normalized URL" to reduce the length of entry.  Example:

     https://iseHost:8443/portal/g?p=6Rqz8dJ91WOjPibM6BAP5JQPEb

Once user redirected to PSN, it will be redirected again to more detailed example shown in config snippet.

Craig

Hi,

The following H3C WLAN  devices are supporting RADIUS CoA.

Software version:

  • WX2500E-CMW520-E3703P61 (WX2540E)
  • WAC360-CMW520-E3703P61 (WAC360 series)
  • WX5004-CMW520-R2509P61 (WX5000 series)
  • WX3500E-CMW520-R3709P61 (WX3500E series)
  • WX6103-CMW520- R2509P61 (WX6000 series)
  • WX5500E-CMW520-R2609P61 (WX5500E series)
  • WX3000-CMW520-R3509P61 (WX3000E series)

HPE (H3C) 830 WLAN also.

To configure the CoA client  on NAD:

"radius dynamic-author client trusted ip < ISE ip-address>"

"undo radius dynamic-author client trusted"    to remove it

Default behavior is:

The device does not trust the DAE packets sent by any IP addresses.

To configure the CoA port  on NAD:

"radius dynamic-author port"  to specify the UDP port for listening for and receiving DAE packets.

Default value: UDP port number is 3799.

To validate if your device supports CoA you should try  this command on device "radius dynamic-author client trusted ip < ISE ip-address>"

Hi @smashash and @Jason Kunst

 

I have revisited this topic and I noticed something that I'd like confirmation on please.  

The HPE wireless controller that I am working with is supported, but after speaking to HPE and Aruba engineers, they tell me that I have to use an auth-vlan mechanism on the HPE controller. And when I implemented this as they directed, I can't get it to work because I never see the CoA from ISE.

 

Here is what happens

1) HPE Controller sends MAC address to ISE

2) ISE does lookup and doesn't find it - ISE sends Access-Reject to HPE controller (this is the crux of it)

3) HPE gets Access-Reject and places user in auth-vlan and kicks off a URL redirection (which points to ISE)

4) User logs into ISE portal successfull - getsuccess page because credentials match.

5) .....*BOOOOOM* - ISE doesn't send a CoA because it doesn't have a session for this portal login .... since ISE sent an Access-Reject.   

 

CoA only seems possible if ISE has an active session as a result of a positive MAB auth.  Is this true?  I mean, if I send an Access-Reject to a NAS, I don't expect an Accounting Start to come back as a result!!!  That would be weird.

 

If Craig were still around I would have asked him this, but he mentioned in earlier responses in this thread that the ISE 2.0 config was never captured.  Pity.  

 

 

Hi Arne,

That is correct. it requires active session in ISE to send CoA.

 

Have you tried the Auth-VLAN (Guest-VLAN)  solution for 3rdparty NADs?

more info:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200604-Configure-Third-Party-NAD-Redirection-on.html

 

@smashash - thanks for the link - @Jason Kunst my customer has started evaluating this but it's not a trivial matter, since we have around 900 locations, each needing its own DHCP scope.  The PSN's are centrally located in two DC's. 

And then the operational overhead - try adding 900 scopes into an ISE GUI!!!  And then we don't only have one PSN - we have 4. This config doesn't replicate across PSN's.  How does one manage the DHCP leases?  Is there management and monitoring for this in ISE?

 

The subnet can only reside on one psn so there would be no replication or config sync needed right?

Have to research the other question but likely no way to monitor from what you see now


Ise manages actives sessions in order to send COA

Why not use ise auth vlan instead?

Arne Bier
VIP
VIP

@Jason Kunst and @smashash

After a whole day of hacking around on the H3C WX 5004, we got it working :-)

 

The trick was to NOT send ACCESS-REJECT as suggested by HPE - but rather, to send ACCESS-ACCEPT.  Grrrrrr!!!!

This of course causes a session to be built in ISE that is then later used for the COA function (a very crucial part of the equation).

The second trick was to always perform dynamic VLAN override - ISE needs to send back the auth VLAN in the "MAC unknown in ISE" flow.  And in the "MAC known in ISE" flow we send back the Guest VLAN.

Booom!  Works.  I can even send an ACL to the controller via the Radius Filter-ID attribute.

 

We're also running some ancient version of Comware for those who are interested - Release 2509P51

 

Nice! Good job!


Nice work Arne can you put in a new document to share the clean assessment?

Sure thing.  Is there any particular format/template or location for this document?  I was planning to put the document under Cisco Community > Technology and Support > Security > Identity Services Engine (ISE)

Give me a few days and it will be done.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: