how to trigger a change of authorization from ISE 1.3 to WLC

Hi all,

first off, the scenario:

 

client ----- AP ----- WLC ----- ISE 1.3 (acts as a RADIUS server for the WLC)
                                      ----- External web server (captive portal HTML pages live here) / SOAP middleware
                                      ----- External SOAP server

 

I need to set up the following authentication flow, given the said scenario:

 

1) client joins an open network without any network/internet access;

2) WLC redirects the client to my middleware, which hosts a web server;

3) web server sends the client an HTML page where the end-user fills in his/her badge number (think of it as a unique string);

4) client hits "submit";

5) web server takes the end-user's input and gives it to the middleware (they live on the same server);

6) middleware talks to "External SOAP server" and verifies the badge number;

7) If "External SOAP server" says "OK", my middleware asks ISE to create a new user account (w/ password) via REST API. These credentials get returned to the middleware in the REST API response;

8) here is where I get lost: my middleware now has the user's password and I want to trigger a "change of authorization" command from ISE to the WLC in order to upgrade the user's privileges and permit him/her to surf the internet freely.

 

Is there an API call in ISE able to trigger a "change of authorization" in the WLC? I checked [ISE 1.3] - api_ref_book.pdf but I couldn't find a definitive answer. Maybe my flow is broken at some point.

 

How can I build this flow?

 

Thank you in advance,

 

Daniele

 

 

1 Reply

jan.nielsen (Level 7)

I have developed a system that works in mostly the same way as what you are doing. What I found was that CoA can't be used to just tell ISE "this user is now OK"... you can tell ISE to reauthenticate that user, but since you haven't done anything authentication-related that ISE knows about (i.e. logged in using the guest portal in ISE), that won't do anything.

 

I ended up using a dynamically generated (hidden) iframe on my own web portal to connect the guest user's browser to the ISE guest portal, and then used the created user account to log them into the ISE guest portal. This will look to ISE as if it was the user logging in themselves via the guest portal, and ISE will handle the CoA itself.

 

Another solution could be installing a RADIUS server on your web server, managing accounts/lifetime for guests on your own system, and just having the WLC speak only to your system.
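To make the last suggestion concrete, here is an added example (not code from this thread, from Cisco ISE, or from the poster's system) of what "have the WLC speak only to your system" comes down to on the wire: a minimal RFC 2865 handler that accepts or rejects an Access-Request against a guest store whose account lifetimes the middleware owns, plus the RFC 5176 CoA-Request such a server could send to the WLC itself, which is the message ISE would otherwise generate after a guest-portal login. The shared secret, the guest accounts and the MAC address are constructed for the example; the packet codes and attribute numbers are the standard ones from the RFCs.

```python
import hashlib
import hmac
import os
import struct
import time

# RADIUS packet codes (RFC 2865) and the CoA-Request code (RFC 5176)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, COA_REQUEST = 1, 2, 3, 43
# Standard attribute types used below
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SESSION_TIMEOUT, ATTR_CALLING_STATION_ID = 1, 2, 27, 31

SECRET = b"example-shared-secret"  # assumption: the secret configured on the WLC for this server

# Constructed guest store standing in for the middleware's own account database:
# username -> (password, expiry as epoch seconds). Lifetime is managed here, not in ISE.
GUESTS = {
    "badge-0001": ("s3cret-pass", time.time() + 3600),
    "badge-0002": ("old-pass", time.time() - 60),  # already expired
}

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting any attribute whose length overruns the packet."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def obfuscate_password(password, request_auth, secret=SECRET):
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple and XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(ciphertext, request_auth, secret=SECRET):
    """Inverse of obfuscate_password, as the server does it."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], mask))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_access_request(ident, username, password, secret=SECRET):
    """What the WLC sends after the client submits credentials (random Request Authenticator)."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, obfuscate_password(password.encode(), request_auth, secret))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def handle_access_request(packet, secret=SECRET, now=None):
    """Server side: validate the request, check the guest store, answer Accept or Reject.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    now = time.time() if now is None else now
    entry = GUESTS.get(username)
    if entry and hmac.compare_digest(entry[0].encode(), password) and now < entry[1]:
        code = ACCESS_ACCEPT
        # Tell the WLC how long the session may last; the remaining guest lifetime comes from our store
        reply_attrs = [(ATTR_SESSION_TIMEOUT, struct.pack("!I", int(entry[1] - now)))]
    else:
        code, reply_attrs = ACCESS_REJECT, []
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def verify_response(request, response, secret=SECRET):
    """NAS side: check the Response Authenticator against the request it answers."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def build_coa_request(ident, username, calling_station_id, secret=SECRET):
    """RFC 5176 CoA-Request, sent by this server to the WLC (UDP 3799) to re-authorize a live
    session. Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_CALLING_STATION_ID, calling_station_id.encode())]  # client MAC identifies the session
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

if __name__ == "__main__":
    req = build_access_request(1, "badge-0001", "s3cret-pass")
    resp = handle_access_request(req)
    print("reply code", resp[0], "authenticator valid", verify_response(req, resp))
    print("CoA-Request", build_coa_request(2, "badge-0001", "aa-bb-cc-dd-ee-ff").hex())
```

Wrapping `handle_access_request` in a UDP listener on port 1812 and pushing `build_coa_request` output to the WLC on port 3799 is all that remains for a working server; the WLC only honours CoA from a RADIUS server entry on which CoA (RFC 3576/5176) support is enabled. Two caveats worth keeping in mind: User-Password is only MD5-masked, so the RADIUS path must stay on a trusted network, and this example omits the Message-Authenticator attribute that a production server should add and check.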