Re: ISE 1.04 and WLC 7.2 - CWA Config?

Gustavo Novais · ‎02-15-2012

Hello, I'm currently deploying a POC for Central WebAuthentication with the new 7.2 Wireless Lan Controller code.

I'm aware of the differences between LWA and CWA in Catalyst Switches, but I'm having trouble grasping how to configure the CWA on the WLC for wireless guests with open web auth.

For LWA I did get:

1- User opens browser

2- WLC redirects user to ISE Guest page

3- ISE Guest page sends username/password to WLC,

4- WLC does a RADIUS PAP request to ISE in order to authenticate user.

5- ISE authenticates (or not) and send Access-Accept to WLC

6- WLC lets user go through.

For CWA the way I see it, it should be:

1- User opens browser

2- WLC redirects user to ISE Guest page

3- ISE Guest page processes username/password internally

4- ISE authenticates (or not) and sends Access-Accept to WLC

5- WLC lets user go through.

The way I see it, we should define a WLAN's L3 security policy as webauth, with no L2 security, but the question is how to configure the controller so that the ISE doesn't just serve as an external web server and the WLC is not waiting for a username/password from this external webserver, as would LWA work, but instead just gets an Access-Accept from the ISE.

For the moment LWA is more intuitive given the WLC philosophy of operation. I'm not really seeing how/where to configure 7.2 code to just expect an access-accept from ISE.

Can anybody enlighten me on how this should be configured/work?

Any insight is very much appreciated.

Thanks

Gustavo Novais

Gustavo Novais · ‎02-16-2012

Hello,

Just to post my discoveries in case they are useful to someone.

after spending a day looking for ideas on Cisco.com, I found out that the web page of the WLC config guide doesn't show a table that is shown on the PDF version, which made me "click"

In fact, CWA on the WLC 7.2 is done via a "simulated" mac address validation towards the Radius server (ISE), as such, for guest, one needs to have mac address filtering enabled (only to not be found), RADIUS NAC enabled and point towards the ISE server.

Then, on the ISE server we select CWA (as we would for a switch) and point to a redirect acl that the controller will interpret as a preauth access-list. This ACL needs to allow traffic to/from the ISE, DNS, DHCP, etc.

a client that will authenticate will be redirected to the url posted by the ISE, and be faced with whatever guest portal options configured.

After this, the ISE sends a CoA (with a new ACL if desired) in order to pass the client from Posture_pending to RUN.

Unfortunate points about CWA: we STILL need to bang our heads against WLC ACLs, and there's a bunch of stuff that is not supported (Anchor, FlexAuth, etc...)

Hope this helps someone.

Gustavo Novais

Seppi · ‎02-16-2012

Hi Gustavo

One additional hint, which is rather important:

CUWN Release 7.2 introduces CWA for the Wireless - however, supported is this only in conjunction with ISE-Version 1.1!

Regards

Seppi

Gustavo Novais · ‎02-16-2012

Hi Seppi, thank you for your input.

At this moment it is only for PoC, I know ISE 1.1 will be out the 7th March, but I really need to gain some hands-on with this. CWA solves a few issues that a customer has asked us, namely in what regards external web server redundancy.

Any hopes of support regarding FlexAuth support for ISE? 7.2 also introduced FlexAuth ACL's...

Regards

G

yong khang NG · ‎03-26-2012

hi all,

Cisco had ship ISE 1.1 on last week 19th March. From Cisco side proclaim ISE 1.1 now officially support wireless CWA running on code 7.2.

Anyone test it out? Can share the outcome of POC.

(I am in the middle downloading now)

Thanks

Noel

yong khang NG · ‎04-02-2012

Hi All,

Managed to get ISE CWA working on wireless environment. Platform is ISE 1.1, WLC 7.2 and endpoint is window 7

Concept was using Central Web Authentication with a Switch and Identity Services Engine Configuration Example, which can found on cisco.com. Simply just turn the way round applying wireless case instead of the wired.

Sad thing is the authZ rules not supporting on iPhone/iPad and Android device, need hero on this!

Noel

Nicolas Darchis · ‎04-02-2012

Sorry for not replying earlier to this.

Another limitation of CWA on wireless is that you cannot use encryption (no dot1x/wpa2) so you really need a open SSID + mac filtering.

Nicolas

Gustavo Novais · ‎04-02-2012

Hello,

I managed to get the authz rules working with iDevices (version 1.04, not yet 1.1) Is your profiling configuration correct?

How are you intercepting traffic from the iDevices, to profile them?

Note that if you are doing only 802.1x with iDevices, you might have trouble identifying their user agent, as no web connection is directed to the ISE, and dhcp class identifier will work only if your iPad has a host name that contains iPad.

A trick I used inspired from a techwise tv episode was to try to posture assess (of course not supported yet ) the iPad on a first run, so that it would be redirected to a disclaimer page, and send its user agent info from safari to the ISE profiler. Then the profiler kicks in and coa's the iPad with its profile information, allowing it access.

Can you elaborate further on what you mean?

Gustavo

Sent from Cisco Technical Support iPad App

yong khang NG · ‎04-02-2012

Hi gustavo,

Thanks for your feedback.

My deployment case was: public user connect to the SSID, then it will redirect to guest portal, after key-in the right username/password, check the AUP, then they are good to go.

I didn't do anything on profiler condition etc. What do you mean iDevices here?

Can you guide me on this? thanks

Noel

Gustavo Novais · ‎04-02-2012

Hi,

It looks like your use case doesn't really need any profiling ( except eventually for some statistics gathering) as you are just interested in guest access, independently of the device public users are using.

By iDevice I mean everything iPad,iPod,iPhone, iThing...

Gustavo

Sent from Cisco Technical Support iPad App

yong khang NG · ‎04-03-2012

Hi Gustavo,

yup, somehow my authZ rule identity group were using "ANY" in the first place. I try switch built in Apple-Device identity group and it also not redirect me to guest portal...

attached my topology, at-a-glance

Any comment are welcome, hopefully with any guidance or reference material then it would be glad !

Noel

Gustavo Novais · ‎04-03-2012

Hello,

It looks like you are redirecting on the wrong rule. You only know that a user belongs to guest after it has been redirected to the portal and authenticated.

I would place the redirection authz profile on the guest flow, and the access accept into the proper vlan into the case where you know the user is a guest group member.

Anyway, I do not really see the case for profiling in your case... Anybody that logs into your network (ssid guest) should be redirected to the guest portal, right?

My .02

Gustavo

Sent from Cisco Technical Support iPad

yong khang NG · ‎04-04-2012

Hi Gustavo,

can you please elaborate more on the the authZ rule that apply on network access....guestflow? I put the redirect WEBAUTH ACL apply to the authZ profile, it do redirect me the guest portal.

My question:

what is the next authZ rule should i built to handle the CoA session after the guest perform the authentication?

My previous attachment works fine on CWA, in wireless environment, but only work on window based machine.

Can please guide more, or snapshot your success authZ rules, authZ profile for me to reference?

Million thanks

Noel

Brian Schultz · ‎05-17-2012

Gustavo,

Can you explain exactly how you enabled CWA on the WLC? If I select RADIUS NAC, then I get an error that it can't be enabled with WebAuth.

Thanks,

Brian

Nicolas Darchis · ‎05-17-2012

Brian, for CWA you should not enable webauth.

The idea is to have the SSID open with mac filtering. And the radius server will return the redirection URL if needed. So you need radius NAC enabled and webauth disabled.