11-15-2018 03:53 AM - edited 11-15-2018 04:18 AM
This document provides the configuration required to allow a H3C Wireless controller to be integrated with ISE for the purpose of Central Web Authentication (Guest portals). Some historical background may be found in an earlier Community forum posting found here. Some years ago, this product did not support URL redirection or CoA, and this meant that it could not be integrated directly with ISE for Central Web Auth. The configurations below were supplied from a real world test but some understanding of the Comware product is required in order to interpret it exactly. If you are familiar with the Comware style of configuration then you'll know what you're looking for.
Test Controller Hardware: H3C WX5004
Test Controller Software: Comware Software, Version 5.20, Release 2509P51
Tested with ISE 2.4 patch 1 (but any ISE version will do)
ISE PSNs are behind a load balancer – the Virtual IP for the PSNs is 10.10.10.10
Guest FQDN is guest.mycompany.com
Auth VLAN is VLAN 5
Guest VLAN is VLAN 8 (after guest has authenticated on ISE Guest Portal)
The portal free-rule is not 100% waterproof – take it with a pinch of salt – it can be improved upon.
The ACL 3001 is also not 100% – it can be improved.
Please note that this product only supports ONE IP address for portal and CoA. In my case I point to a VIP, therefore I can still use many PSNs behind that load balancer VIP. But if you wanted to span this across more than one data centre, then you may need to devise a Global Load Balancer (e.g. F5 GTM) or something along those lines. HA is still possible, but the H3C does not make your life easy!
The salient/relevant config pieces are shown below (you may need to use the horizontal scroll bars at the bottom of this window to scroll across depending on your screen resolution. If you copy and paste the text then you'll get it all).
#
 radius dynamic-author client trusted ip 10.10.10.10
#
#
 portal server ISE-PORTAL ip 10.10.10.10 port 8443 key cipher $c$3$PcVSv9uEi2mmgGOp5cDg/dskhKJHKJG^tYTR url https://guest.mycompany.com:8443/portal/g?p=GplpylYLW4Y5Vc4vLE6xYvRG5N server-type imc
 portal free-rule 1 source ip any destination ip 10.10.10.10 mask 255.255.255.255 tcp 8443
 portal free-rule 2 source ip any destination ip any udp 53
 portal free-rule 3 source interface GigabitEthernet1/0/1 destination any
 portal local-server http
#
 mac-authentication user-name-format mac-address with-hyphen
#
acl number 3001
 description *** Guest Internet ACL ***
 rule 0 permit udp destination-port eq bootpc
 rule 5 permit udp destination-port eq bootps
 rule 10 permit udp destination-port eq dns
 rule 15 permit tcp destination-port eq dns
 rule 20 deny ip destination 10.0.0.0 0.255.255.255
 rule 25 deny ip destination 172.16.0.0 0.0.63.255
 rule 30 deny ip destination 192.168.0.0 0.0.255.255
 rule 35 permit ip
 rule 40 permit icmp
#
vlan 5
 description GUEST_AUTH_VLAN
 arp fast-reply enable
 igmp-snooping enable
#
vlan 8
 description GUEST_INTERNET_VLAN
 igmp-snooping enable
#
radius scheme ISE_VIP
 server-type extended
 primary authentication 10.10.10.10 key cipher $c$3$qYbRp6pq8WYRZD/wDVuCtOiD7f4E5yhEOSON
 primary accounting 10.10.10.10 key cipher $c$3$7okf10lpSYLBcE8/UyJzXoP1naa0nYz6qK5c
 key authentication cipher $c$3$hpBR47fHh3IqW1cqhCDr06YYvVI7/MH/HrgK
 key accounting cipher $c$3$hQoryn6Ex0zRTSGk2/Y06DFXYcQgRIUzbrYo
 user-name-format without-domain
 nas-ip 10.100.100.100
 accounting-on enable
#
domain ISE-GUEST-ALLOWED
 authentication default radius-scheme ISE_VIP
 authorization default radius-scheme ISE_VIP
 accounting default radius-scheme ISE_VIP
 access-limit disable
 state active
 idle-cut enable 60 10240
 self-service-url disable
#
domain ISE-GUEST-REDIRECT
 authentication portal radius-scheme ISE_VIP
 authorization portal radius-scheme ISE_VIP
 accounting portal radius-scheme ISE_VIP
 access-limit disable
 state active
 idle-cut enable 60 10240
 self-service-url disable
#
wlan service-template 1 clear
 ssid GUEST
 bind WLAN-ESS 1
 service-template enable
#
interface Vlan-interface5
 ip address 10.100.5.1 255.255.252.0
 portal server ISE-PORTAL method direct
 portal domain ISE-GUEST-REDIRECT
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 5 8 10 untagged
 port hybrid pvid vlan 5
 mac-vlan enable
 port-security port-mode mac-authentication
 mac-authentication guest-vlan 5
 mac-authentication domain ISE-GUEST-ALLOWED
#
The logic in ISE is very simple.
Add the H3C device to the Network Devices list and assign it the standard Device profile of HP Wireless (at least as found in ISE 2.2/3/4 etc.) - the key thing is that HPE/H3C supports very basic CoA.
Perform MAB authentication and in the Authorization rules always send an Access-Accept back in both cases.
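As an added example (my code, not part of the original post or the H3C product), the small Python evaluator below parses the posted ACL 3001 using Comware's wildcard-mask semantics and reports which rule a given guest flow hits first; the function names parse_acl and first_match and the sample flows are my own. It is a quick way to review the ruleset against the intent stated above, for instance what a DNS query to an internal address or a web request to 172.20.x actually matches.

```python
import ipaddress

# ACL 3001 rules exactly as posted above (copied here so the example is self-contained).
ACL_3001 = """
rule 0 permit udp destination-port eq bootpc
rule 5 permit udp destination-port eq bootps
rule 10 permit udp destination-port eq dns
rule 15 permit tcp destination-port eq dns
rule 20 deny ip destination 10.0.0.0 0.255.255.255
rule 25 deny ip destination 172.16.0.0 0.0.63.255
rule 30 deny ip destination 192.168.0.0 0.0.255.255
rule 35 permit ip
rule 40 permit icmp
"""

PORT_NAMES = {"bootpc": 68, "bootps": 67, "dns": 53}  # well-known port names used in the ACL

def parse_acl(text):
    """Parse the subset of Comware advanced-ACL syntax that ACL 3001 uses."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3], "dst": None, "dport": None}
        if "destination" in tok:                       # "destination <addr> <wildcard>"
            i = tok.index("destination")
            rule["dst"] = (int(ipaddress.IPv4Address(tok[i + 1])),
                           int(ipaddress.IPv4Address(tok[i + 2])))
        if "destination-port" in tok:                  # "destination-port eq <port>"
            port = tok[tok.index("destination-port") + 2]
            rule["dport"] = PORT_NAMES.get(port) or int(port)
        rules.append(rule)
    return rules

def first_match(rules, proto, dst_ip, dport=None):
    """Return (rule id, action) of the first rule a flow matches, or (None, None)."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:  # "ip" matches every protocol
            continue
        if r["dst"] is not None:
            base, wild = r["dst"]
            if (dst | wild) != (base | wild):          # wildcard bits are don't-care bits
                continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["id"], r["action"]
    return None, None

RULES = parse_acl(ACL_3001)
```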
Hi Arne,
Thank you for sharing your solution, it is very helpful.
Also, could you show me more about the ISE Authorization policy for this, especially the authorization profile?
Thank you very much.
I am glad you found this useful. I was doing this work for a customer and I am no longer on site. I can tell you though, that the ISE Authorization profile was the least complex thing. If I remember, I think in the "URL redirection" case, I had to send back an ACCESS-REJECT to the H3C to allow it to put the user into the "auth" VLAN. And in the other case, it was a simple Access-Accept. I found it very tricky to understand the admin guide of this product.