Cisco ISE - CWA AD Authentication

mjensen323 · ‎12-05-2014

Hello,

I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.

Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

nspasov · ‎12-05-2014

In order to authenticate AD users in your guest flow you will need:

1. The Guest portal needs to reference an "Identity Source Sequence" that includes not only your internal users but also AD

2. You will need to create an authorization rule that sits above your "CWA" rule that has the following checks:

If AD1:ExternalGroups equals desired_AD_group then desidred_permissoins

Thank you for rating helpful posts!

mvolk · ‎01-12-2015

Hi,

i have a question to the desidred_permissions in this case!

Which permission is needed, only the access accept in the minimum?

I have the situation that i must combind the wired an wireless CWA for guest an AD Users.

regards

Marc

nspasov · ‎01-12-2015

Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices.

For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If you don't use policy sets, then you should create one "authorization rule for Guest_Wired and one for Guest_Wireless.

For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.

For the Guest_Wireless, you will need to return "access_accept" and then a "Airspace ACL Name" That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive!

Both the DACL and the "Airspace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:

1. Permit DNS- Needed for DNS resolution

2. Permit access to ISE - Needed for the guest pages to properly load)

3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts

4. Permit everything else - Needed for general internet browsing

I hope this helps!

Thank you for rating helpful posts!

mvolk · ‎01-14-2015

Hi Neno,

thanks for your quick answer.

I have today an other ISE setup with only wierless guests over an anchor setup with Authc over the AD.

It works fine with the Users in the WLAN-Guest AD group but when I use an AD User that are not a member of the WLAN-Guest AD group i would be redirected to the CWA Portal page. Ok, but i become no message.

The User that i have used to try this is a memer of other groups eq a admin user to login in the ISE with his AD account.

Any idea to become a message or redirect to an splash page!?

I have try today the redirect to a HotSpot portal page over an Authz rule with an "non equal" group match and some other rules, but i have no possitive result.

Thanks an best regards

Marc

nspasov · ‎01-19-2015

Marc, I am sorry as I somehow missed your reply!

Please help me understand your issue. Based on your last reply, are you saying that:

1. Users in the WLAN-Guest AD group get redirected to the guest portal and are able to successfully authenticate?

2. Users that are NOT in the WLAN-Guest AD group are NOT being redirected to the guest portal?

Also, please post a screen shot of your authentication and authorization policies here.

Thank you for rating helpful posts!

mvolk · ‎01-23-2015

Hi Neno,

the answers to better understand my issues to your questions are inline.

1. Users in the WLAN-Guest AD group get redirected to the guest portal and are able to successfully authenticate? > Yes

2. Users that are NOT in the WLAN-Guest AD group are NOT being redirected to the guest Portal? Yes back to the Login page but I must explain this in other words; The Redirect process of any user or device works good. When a AD-User that is not a member of the WLAN-Guest AD Group connect to the Guest Portal, he don´t become a message in the browser from the ISE, that he have no Access why he is not am member of the WLAN-Guest AD Group.

The browser shows short in the tab Header that he would be Authenticated but he comes back to the Login Page what is OK.

My only issue in this case is that I become no message for the non WLAN-Guest AD Group Membership users.

Screen shots of my Authc and Authz i post later!

Today in an other case with wired guest I have a equal Scenario, but here I have a Problem that the Client browser not show the Redirect URL. When i put the URL via copy-paste in the browser i become the ISE Login page and have also an successfull Login. Did you have any idea to resolve this issue? At the Moment I mean that there is a Bug why i have the last IOS and the Redirect ACL is from the deployment guide for ISE and CWA wired guest.

Thank you!

nspasov · ‎01-26-2015

Hi Marc. Please post the screen shots of your authentication/authorization policies. Also, please post your switch config (for the wired guest issue)

Thank you for rating helpful posts!

mvolk · ‎01-30-2015

Hi Neno,

1st here the Switch config with deleted lines an the Authc/Authz for the CWA wired issue.

The issue with the WLAN-Guest AD Group is a other ISE deployment!

I post the Infos in a other reply.

Thank you!

nspasov · ‎02-15-2015

Marc-

Very sorry for my super delayed reply but I got very busy the last two weeks and then your replies got burried in my e-mail :( With that being said, I hope you were either able to resolve your issues and if not I hope you find my answers helpful.

So for the wired redirection issue: Please change your redirect ACL on the switch to deny DNS and then try again. Also, make sure that the redirect ACL is correctly referenced in the ISE CWA policy:

ip access-list extended cwa_redirect
  deny   ip any host 10.64.202.94
  deny   ip any host 10.64.202.95
  deny   ip any host 10.64.202.96
  deny udp any any eq domain
  permit tcp any any eq www
  permit tcp any any eq 443

Right now, you are permitting DNS which means that you will re-direct DNS requests to ISE along with HTTP and HTTPS. However, the host needs DNS to resolve ISE's FQDN so the DNS traffic should not be redirected to ISE.

Thank you for rating helpful posts!

mvolk · ‎01-30-2015

Hi Neno,

here are the Authc/Authz for my issue with the WLAN-Guest AD Group.

Thank you!

Regards

Marc

nspasov · ‎02-16-2015

Ok for this second issue. I have a couple of suggestions:

Suggestions:

- In your authentication policy, change the identity store for the MAB to "Internal Endpoints" and make sure that the option for "If User Not found" from "Reject" to "Continue"

- In the guest portal for make sure that you have an "Identity Source Sequence" that checks both the "Internal Users" database and the external "AD1" database. In addition, make sure that the sequence (towards the bottom) you have checked the option that says "Treat as if the user was not found and proceed to the next store in the sequence"

Let me know if those changes make a difference

Thank you for rating helpful posts!