cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3401
Views
4
Helpful
13
Replies

ISE NAC and WLC Layer 3 AAA

AndreaTornaghi
Level 1
Level 1

Hi,

I would implement a guest authentication configuring WLC using Web Auth Policy and an external web server.

My idea is that the clients are redirected on a custom web server and after some integrations the users will be authenticated from ISE that on WLC is configured as Radius server.

The authentication process seems to work fine but now I would implement also the authorization feature. In order that I can move the clients in dedicated VLAN in base of the user group defined on ISE.

From WLC I can see that it is not possibile to select ISE NAC under SSID advanced tab when web authentication is in use.

Is there someone that have already tested a solution like this one?

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Are you looking for a walled garden flow? Like seen on some airlines?

You come in and redirected to united airlines page and can browse their content but if you want to get out to internet you have to go through web auth portal?

View solution in original post

13 Replies 13

Jason Kunst
Cisco Employee
Cisco Employee

Are you looking for a walled garden flow? Like seen on some airlines?

You come in and redirected to united airlines page and can browse their content but if you want to get out to internet you have to go through web auth portal?

IF so it's not something we have integrated but please do get us your customer name (through sales team) and will add to the list

Hi Jason,

I need to do the authentication process using a custom web page and in base of the user type I should push a different VLAN to WLC.

I did some test and seems that using a Web Auth on WLC I can not do anything like this.

It seems that the only way is to use L2 MAC Filtering and an internal guest web page on ISE.

I believe the only way to do this would be using lwa or CWA to ise, CWA preferred method

Is it possible to use the CWA and an external web page on ISE?

I need to have a custom page with custom button and method.

You can customize ise guest pages using HTML JavaScript .JSON CSS

you cannot host web apps on use however

Ise guest page could have a link to an external page but cannot be hosted on an external page

You might have to create your own external portal which calls the ise guest API to process everything as an advanced customization

Can you explain in deeper detail what exactly the flow is!

Our web server is used for managing the end user interaction, like press a button or press another button in base of what you want, and it is creating a guest user on ISE by API.

In a second time this guest user is used from WLC for doing the authentication to ISE.

So, we need the web server for managing this type of request and in case we would add a button for doing an app redirection using an url schema.

I am not really sure what you are asking for can be done

You might look into doing lwa from WLC and authorization that way

I will think about some more perhaps we could chat as well, message me

Switch a VLAN and thus an IP subnet on the guest users typically doesn't work well since it requires the clients to release and renew the IP. Unless you have a 3rd party tool on installed on the endpoint such a ISE posture agent, most OS's will recognize that connectivity is lost, but won't try to renew the IP.

If your upstream gateway is an ASA firewall or another Cisco device, you can utilize TrustSec to assign different SGT's to guests without changing their IP address. Those tags can then be advertized to the perimeter device via SXP and you can utilize differentiated policies.

Using TrustSec could be a perfect solution in this way I can avoid any problems on IP renew process.

But from WLC point of view, is it not the same of assign a different VLAN in base of users group?

On WLC should I configure in advanced tab NAC State --> ISE NAC?

Because I can not enable this feature with an active Web Policy.

You can't change VLAN since that would require users to request a new IP address. That won't work well on many client OS's.

What you're asking is possible, but somewhat convoluted. Consider doing this directly in ISE portal.

Here's what you can do:

1. Create endpoint group to contain authorized guests. Let's say GuestEndpoints

2. Create AuthZ profile in ISE that redirect users to the static portal. I can't find an example handy, but essentially you need to manually set cisco-av-pair=url-redirect-acl=aclname, cisco-av-pair=url-redirect.

3. Create a rule in ISE to allow GuestEndpoints full access

4. Create a rule for all other mac address to redirect to that static URL from step #2.

5. Create an SSID on the WLC following the standard CWA configuration, Open, Mac Filtering, No L2/L3 configuration, AAA Override and ISE NAC.

When your custom app receives the redirect, you will only know the IP address of the guest and not his mac address. You have to look that up using monitoring api: Cisco Identity Services Engine API Reference Guide, Release 2.0 - Using API calls for Session Management [Cisco Identity…

Once the guest successfully authenticates to the custom app, you can use REST API to add his MAC address to GuestEndpoints. ISE will automatically issue a COA and apply the appropriate authorization profile.

Hope this helps

Many thanks Viktor for your idea!

I was thinking something like your proposal but I was focused to use an internal guest page with some change and not to use AVP for redirecting on an external web server.

I would test your solution in the next days maybe adding more than one GuestEndpoint group for managing different AuthZ result (TrustSec tag or dVLAN).

Hi Viktor,

After holiday I tried to do what we said in our previous messages but unfortunately the results are not what we expected.

I share some other details so maybe you can have some other great idea

All our steps are correct, so I'm able to redirect the client on the custom web page by AVP, create guest endpoint and guest user on ISE by API but I am not able to find any API that can do DoCoA process from an external server.

So when the guest user is created on ISE and user is on my own web page I'm not able to restart authentication process and matching Authentication policy that contains guest user and the second authZ policy.

In specific what I don't find is an API that can do the same action of the following POST that is configured on internal sponsor portal.

https://ISE_Guest_Portal:8443/portal/DoCoA.action

My idea is to use API for the following steps:

    - search client MAC Address

    - Create guest user by API on Sponsor Portal

    - search EndPoint ID using MAC address

    - guest user login on sponsor portal

https://ISE_Guest_Portal:8443/portal/LoginSubmit.action?from=LOGIN

     - Call dynamic CoA for auth endpoint and user

     - update endpoint and associate guest user to endpoint

     - Call CoA for redoing auth process.