Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Who Me Too'd this topic

ISE - EAP-TLS and then webAuth?

Matthew Hines
Level 1
Level 1

‎03-29-2013 09:17 AM - edited ‎03-10-2019 08:14 PM

Hello everyone!

I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.

Hardware:

Cisco ISE VM running 1.1.3.124

WLC 5508 running 7.4.100.0

AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$

iPod Touch version 6.1.3(10B329)

Senario:

  • •- User Authenticates to SSID that is 802.1x WPA2 AES,
  • •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  • •- User open’s their browser
  • •- WLC redirects them to ISE CWA
  • •- User provides credentials on the portal
  • •- User to CoA’d to full access network

authorization rules.PNG

Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.

I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?

Thank you in advance!

--------------------------------------------------------------------------------

live auth.PNG

Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.

I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:1st client detail.PNG

2nd client detail.PNG

1 person had this problem
Labels:
0 Helpful
Who Me Too'd this topic