12-05-2016 09:09 AM
Trying to help a customer who has a legacy Extreme wireless controller.
The MAB / Webauth setup doesn't work as expected with ISE.
ISE delivers guest credentials, then correctly authenticates the guest user on the guest portal, but the end user's MAC isn't stored as expected in the device identity group.
Is the registration of the MAC dependent on the wireless controller's ability to manage an audit-session-id or to support CoA?
Any paper explaining the way ISE works with a third-party switch / wireless controller for webauth?
Thanks,
jean-francois
12-05-2016 09:42 AM
Lots of questions here
You’re trying to do this with LWA or CWA?
If you’re receiving the MAC address via MAB I would expect it to work. You see the MAC address on ISE?
RADIUS accounting packets are being sent to ISE?
Do you have the credentialed portal guest device registration setup to automatically register?
If doing CWA you will need COA to change state from webauth to permit access. Have you considered that there would be no support of that without COA? Perhaps it supports SNMP COA but not RADIUS?
If you’re trying CWA, have you considered LWA (even though we won’t register the device)?
What version of ISE? Perhaps with 2.1 there might be better integration for this scenario?
https://communities.cisco.com/docs/DOC-64547
12-06-2016 12:39 AM
Setup with CWA, ISE 2.0 patch 3. The MAC address is seen by ISE, and the operation live logs show the authentication success with the user's credentials and the device MAC address as expected. The Extreme controller doesn't support RADIUS CoA, but JavaScript code within the success page does the job.
The problem lies in the fact that the device MAC isn't stored in the End Point identity Registered device group, and the next MAB authentication request from the Extreme controller fails, so the user is redirected to the portal registration page again.
The TAC (#681330077) is a little bit lost and suggests it may be linked to the missing CoA capability.
However, I do not see any CoA issue there; do you know if CoA success is mandatory to get the MAC stored in the Registered device group?
thx,
jean-francois
12-06-2016 06:59 AM
So you're embedding a special JavaScript on the ISE success page? You are putting the ISE CWA page statically on the wireless controller as there is no dynamic redirection, correct?
12-06-2016 07:25 AM
I got word back from engineering that the registration doesn't depend on a successful CoA. I have asked for more info but it would be good to pursue through the TAC for further debug at this point. I will update if I have any more info.
Is the same setup working fine with a Cisco WLC?
12-06-2016 12:53 PM
Yes, the portal for the WLC (CWA as well) is working fine. So, it's not clear why the process doesn't go to the end... I'll with the TAC. Thanks!
12-06-2016 12:11 PM
Another comment from a team member
You have embedded JavaScript in the success page to trigger CoA to the Extreme switch. I would ask if the final connection or “ack” of the success page is required to complete registration. In other words, does registration happen before or after the success page? I wonder if the custom script in the final page interferes with the process. The other question is whether registration is triggered on RADIUS Accounting Start. I have seen some 3rd-party switches lack some basic fields in RADIUS auth and accounting, which can interfere with typical ISE processing.
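The last comment raises the possibility that a third-party controller omits basic fields in RADIUS accounting. As an added example (not part of the thread, and not Cisco or Extreme code), this parser reports which standard attributes are absent from a captured Accounting-Request and whether it is an Accounting Start; the attribute set checked and both sample packets are assumptions constructed for illustration.

```python
import struct

# Attribute type numbers from RFC 2865 / RFC 2866.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
# Assumption: the set checked here is illustrative, not a list from ISE documentation.
EXPECTED = set(ATTR_NAMES)
ACCOUNTING_REQUEST, ACCT_START = 4, 1

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [raw values]} from one raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def missing_fields(packet: bytes) -> list:
    """Names of expected attributes that the packet does not carry."""
    present = parse_attributes(packet)
    return sorted(ATTR_NAMES[t] for t in EXPECTED if t not in present)

def is_accounting_start(packet: bytes) -> bool:
    """True for an Accounting-Request whose Acct-Status-Type is Start."""
    values = parse_attributes(packet).get(40, [])
    return packet[0] == ACCOUNTING_REQUEST and struct.pack("!I", ACCT_START) in values

def build(attrs) -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples (documentation address, made-up MAC and session id).
COMPLETE = build([(1, b"guest01"), (4, bytes([192, 0, 2, 10])),
                  (31, b"00-11-22-33-44-55"), (40, struct.pack("!I", 1)),
                  (44, b"0000002A")])
SPARSE = build([(1, b"guest01"), (4, bytes([192, 0, 2, 10])),
                (40, struct.pack("!I", 1))])

if __name__ == "__main__":
    for name, pkt in (("complete", COMPLETE), ("sparse", SPARSE)):
        print(name, is_accounting_start(pkt), missing_fields(pkt))
```

Feeding it the UDP payloads of accounting packets captured from the Cisco WLC and from the third-party controller gives a side-by-side view of what each one sends.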