Wired Guest CWA with ISE

Having a heck of a time getting this to work.

First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.

If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.

My challenge is the Policies and where to insert.

I'm using Policy Sets in ISE 1.2

Currently, I have these statements in the Default Policy Set:

Rule Name               | Conditions                                | Permissions
Wired Guest Portal Auth | if Net Access:UseCase EQUALS Guest Flow   | Permit Access
Wired Guest Redirect    | if Wired_MAB                              | Wired CWA


What I figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.

Couple problems:

First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.

Unfortunately, my browser pop gives me a certificate not recognized error, and if I try to continue anyways, it doesn't do anything. Wireless Guest, which I copied, works fine.

Second challenge is that it forces the redirect whether I have the switch (NAD) in Monitor Mode or Low Impact Mode. This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.


Does anyone have any insight, or a document laying out in step by step terms implementing this?

thanks in advance.



Update.  Looks like the certificate issue is with Internet Explorer ?!?  Firefox redirects fine.

Still can't figure out why it does this even in Monitor Mode.

Hello Andrew-

Monitor mode allows devices/users to "proceed" even if they fail authentication. However, by proceed, I don't mean gaining access to the network. Instead, they are allowed to proceed from the authentication step to the authorization. Thus, you need to have a "catch_all" rule in your authorization section that is set to "Permit Access." to any devices that were not authorized by one of your regular rules. For more info check out the following TrustSec guides:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html


Thank you for rating helpful posts!

Thanks Neno,

So to clarify; even in Monitor Mode, AuthZ policies are still processed, and because my GuestFlow and Wired MAB rules are in AuthZ, they'll get used/processed no matter what?

How then do I apply it only to the NADs I want to progressively cut-over?  Do I have to add a condition that tests by Location and only match NADs in locations I'm cutting over?

I'm still not 100% sure I have the CWA AuthZ rules where I should, and I think I need to move them even further down the Default Policy Set so that they're after any Whitelists I have for phones, printers, etc.


Good news is that the web portal does pop!  IE still doesn't like it - or the cert at least.

Andrew


Hi Andrew! Yes, good job on fixing the portal issue!

And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.

Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 


Thank you for rating helpful posts!
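As an added illustration of the layout Neno describes in the two posts above (it is not code from the thread or from ISE): a first-match model of the policy-set and authorization-rule order, so the intended behaviour of a Monitor-stage NAD versus a Production-stage NAD can be sanity-checked before building it in the ISE GUI. The NDG name "Stage", the group names and the whitelist endpoint groups are assumptions.

```python
# Added example, not from the thread: a minimal first-match model of ISE 1.2
# policy sets. Selection is by the NAD's "Stage" device group (assumed name),
# then the authorization rules of that set are walked top to bottom.
from dataclasses import dataclass


@dataclass
class Session:
    nad_stage: str            # NDG "Stage": "Monitor" or "Production" (assumed)
    wired_mab: bool           # Wired_MAB matched (dot1x failed, MAB fallback)
    dot1x_ok: bool = False    # EAP-TLS succeeded for a domain-joined machine
    guest_flow: bool = False  # Network Access:UseCase EQUALS Guest Flow
    endpoint_group: str = ""  # endpoint identity group, e.g. a whitelist


# Production rules: whitelists first, CWA rules at the bottom, default deny.
PRODUCTION_RULES = [
    ("Domain Machines", lambda s: s.dot1x_ok, "PermitAccess"),
    ("Whitelist Phones/Printers",
     lambda s: s.endpoint_group in {"IP-Phones", "Printers"}, "PermitAccess"),
    ("Wired Guest Portal Auth", lambda s: s.guest_flow, "PermitAccess"),
    ("Wired Guest Redirect", lambda s: s.wired_mab, "Wired CWA"),
    ("Default", lambda s: True, "DenyAccess"),
]

# Monitor rules: authorization still runs in open mode, so a catch-all
# PermitAccess at the bottom stops the CWA redirect on sites not yet cut over.
MONITOR_RULES = [
    ("Domain Machines", lambda s: s.dot1x_ok, "PermitAccess"),
    ("Monitor Catch-All", lambda s: True, "PermitAccess"),
]

POLICY_SETS = {"Production": PRODUCTION_RULES, "Monitor": MONITOR_RULES}


def authorize(session):
    """Return (matched rule name, permission) for the first matching rule."""
    rules = POLICY_SETS.get(session.nad_stage)
    if rules is None:
        return ("No Policy Set", "DenyAccess")
    for name, predicate, permission in rules:
        if predicate(session):
            return (name, permission)
    return ("Default", "DenyAccess")


if __name__ == "__main__":
    print(authorize(Session("Monitor", wired_mab=True)))     # no redirect
    print(authorize(Session("Production", wired_mab=True)))  # Wired CWA
```

A printer at a Production site hits the whitelist before the redirect rule only because that rule sits above it, which is the ordering point the thread settles on.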

Thanks Neno for all the advice and help!

Now I think I've broken something, because for some reason the clients don't hit my policy any more. I tried adding the Stage as a Condition rather than Location for simplicity?


I haven't used a custom NAD group before but don't see any problems using one for simplicity. However, we need to figure out if this is the cause of your break/fix issue. So, in your authentication logs, can you confirm if you are at least hitting the correct "Policy Set" but then NOT hitting the correct rule within the set? Or are you not even hitting the correct "Policy Set"? If so, which one are you hitting?

It would be helpful if you posted screenshots of:

- The live authentication screen

- The detailed authentication screen for the failed authentication


Thank you for rating helpful posts!

Hi Neno,

Thanks a lot for the responses, been a big help.

Well, the issue(s) have been resolved, and I've got everything working.

In the end the biggest issue was that the client supplicant (native windows) did not have a proper GPO - the Wired AutoConfig wasn't set to start/auto.  That made a difference.

Plus I reordered a few rules, to get everything flowing proper.

All in all, things are looking good to cutover into LowImpact mode for production; my policy set condition matches on stage only, and so far it seems to work.

Thanks again for the replies!

Andrew


Glad that you got your issues resolved and that I was able to help! :)

Best regards, 

Neno