ISE - EAP-TLS and then webAuth?

Hello everyone!

I have a little bit of a complex dilemma in an ISE deployment and I am trying to learn more about how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.

Hardware:

Cisco ISE VM running 1.1.3.124

WLC 5508 running 7.4.100.0

AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$

iPod Touch version 6.1.3(10B329)

Scenario:

  • User authenticates to SSID that is 802.1x WPA2 AES
  • Machine is checked by having a valid cert issued by CA and given access to ISE CWA
  • User opens their browser
  • WLC redirects them to ISE CWA
  • User provides credentials on the portal
  • User is CoA’d to full access network

[Attachment: authorization rules.PNG]

Rules: NSP is a limited profiling access network. CWA is a limited access network with redirect to central web auth on ISE. Standard rules 2 & 3 (which are disabled in this screenshot) are the rules that prove the CWA works on an open SSID.

I have gotten the CWA to work great on an open SSID; however, when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told by a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?

Thank you in advance!

--------------------------------------------------------------------------------

[Attachment: live auth.PNG]

Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.

I checked the WLC “Clients > Details” (from the monitoring page) and I noticed something interesting:

[Attachment: 1st client detail.PNG]

[Attachment: 2nd client detail.PNG]