Hello, i would like to know if it's possible to make https redirection in a WLC with CWA and ISE?

Hello,

Yes that is possible with WLC 8.0 and later. You need to configure 

config network web-auth https-redirect enable

And that the Redirect ACL is adjusted.

More Info here:

https://supportforums.cisco.com/document/12398536/understanding-https-redirect-over-web-auth

And

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7

Hello Bastien.

Thanks for your soon reply, i tested the command, but our client complains about the certificate error with the https redirection.

On the link you provide says that it's unavoidable, but just to confirm, is there any posible way to fix the certificate error? otherwise we gonna have to unmount the ise guest solution because of that.

Hello Carlos,

This is not technically possible. When a device intercept SSL Connection, it has to use its own certificate which is self signed, and event it would be a CA Signed one, would not match destination website, so you will always get a SSL Warning when you want to intercept SSL connection.

So there is just a Radius communication between foreign and ISE ?

I thought with CWA the Anchor WLC handles the Radius Authentication ?

If no is there any communication between ISE and Anchor WLCs ?

Greetings

Philip

Hi Philip,

Foreign handles Radius, and Anchor web redirection, so it doesn't really communicate with ISE, but it rewrites HTTP Packet and traffic will go out of the anchor, with IP address of guest client.

You can check this document which is a bit more updated and complete:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11

Hello, Bastien,

Perhaps you can help me with understanding the Authentication Process in more detail for CWA. The setup involves:

Anchor WLC in the Outside network.
Anchor WLC owning the Guest WLAN.
Foreign WLC in the Inside network.
ISE in the Inside network.
ISE using MAB.
Sponsor Portal on ISE.
Client credentials on ISE.

1) Client connects to SSID (Layer 1).
2) Client uses DHCP.
*3) (Anchor?)(Foreign?) WLC intercepts DHCP request, and forwards MAC of client to ISE.
*4) ISE uses MAB and sends the result back to the (Foreign? Anchor?) WLC.
*5) (Anchor?)(Foreign?) WLC now relases the DHCP information to the client (assuming the WLC is the DHCP server. Might work differently for DHCP relay?).
6) Client opens a browser and enters http://www.cisco.com into the URL box.
*7) Client machine performs a DNS request -- this traffic is NOT redirected to the ISE, right?
*8) (Real) DNS server replies with the DNS-response.
*9) Client attempts TCP handshake with cisco.com over TCP/80.
*10) TCP handshake succeeds (directly with cisco.com web server).
*11) Client sends a HTTP/GET request to cisco.com.
*12) (Anchor?)(Foreign?) WLC intercepts HTTP/GET, and redirects client to ISE portal.
13) Client starts a TCP handshake with ISE over port 8443 (default).
14) After success, the client sends an HTTP/GET request for the Sponsor Portal web page.
15) ISE responds with the web portal, specifically the login page.
16) Client enters credentials into Portal.
*17) Since the ISE is the owner of the client credentials, no RADIUS comms are sent (yet). ISE authenticates the client locally, right?
*18) Upon successful authentication with the ISE, the ISE sends a CoA over RADIUS communication to the (Anchor?)(Foreign?) WLC, and also sends the policy ACL configured for client network access control.
*19a) The (Anchor?)(Foreign?) WLC updates the client attributes with the CoA and new ACL to apply (at this point, no longer using the redirect ACL).
19b) The ISE sends the client to the "success" page after login.
20) Client is now fully authenticated and can do whatever he wants, within the permissions of the Policy ACL of course.

In particular, the items marked with (*) are unclear for me, as I cannot find that kind of detailed documentation anywhere.

Any help/clarification on this is appreciated.

Hello Zehel,

Here is the flow:
-1 Client associates to SSID. The Foreign WLC will make MAC Authentication at this time. ISE will reply with access-accept containing URL Redirect and the redirection ACL

-2 Foreign WLC sends Mobility Announce to the Anchor and client gets Anchored to the anchor in WEBAUTH_REQD state

-3 Client does DHCP and get IP address. Unless explicitely denied, DHCP and DNS are allowed through redirect ACL

-4 Client makes HTTP Request. Foreign forwards it to anchor. 

-5 Anchor verify if this HTTP request can be allowed or redirected, normally it will be redirected to ISE. Anchor impersonate the destination server and sends HTTP 302 redirection to ISE Address.

-6 Client access ISE URL that contains unique session

-7 After successful login, ISE sends CoA to foreign

-8 Mobility announce is made by foreign to let anchor know client should be in run state

-9 Traffic is still forwarded from foreign to anchor, and goes out of anchor wlc

Hope this is clear.

Bastien, thanks for the quick response!

Yes -- that clears up pretty much most of my questions. Just 1 more if I may about the TCP 3-way handshake:

Between your steps #3 and #4 (between the DNS resolution and the HTTP GET request), does the WLC also intercept the TCP handshake for the initial HTTP session? I was inspecting our firewall logs, and never did see the 3-way handshake between client<>website, so I presume the WLC also intercepts the 3-way handshake by impersonating the website's real IP.

Yes, WLC intercept TCP Sessions.

Catalyst switches does the same if they have an SVI, otherwise they intercept and forward the request to the gateway:

http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/app_note_c27-577494.doc/_jcr_content/renditions/app_note_c27-577494-03.jpg

Hello Bastien,

many thanks for that great threat which makes live really easier and more clear ;-)

Can you tell me something about guest session caching ? How is it working? Is it made by just saving the mac address or can i also use some kind of cookie to do it ? Do i have to configure or change anything on ISE to enable it ? I am using 1.4

Greetings

Philip

You are welcome :) If it prevent to open couple of TAC case this is win/win.

Regarding your question though I am not sure what you mean. ISE creates a unique session ID for each authentication being guest, dot1x, ... 

This session ID is encoded in Radius state attribute for dot1x, or in the URL for guest authentication.

When guest is roaming, WLC reuses the state attribute in MAB requests, and ISE also correlates with mac address.

You´re right ;-) That´s definitely win/win.

I think more in direction of how long is a guest user session cache until he gets redirected to the webportal again ?

Greetings

Philip

Basically ISE will terminate the session when it receives accounting stop (with maximum duration of 1 week), or 1 hour after session start if no accounting is received.

WLC will send accounting stop in various scenarios (non exhaustive):

-Session-timeout / idle-timeout values 

-Client disconnection (user log off, screen power off of smartphone) only if client MFP enabled and supported by client

-Inter WLC Roaming (see CSCue50944 Sev6 - CWA Mobility Roam Fails to Foreign  with MAC Filtering BYOD)

-...

So there how can i prevent my guests from logging in more then once per day ?

I heard something abou using cookies when creating the guest page via Online Portal Generator ?

I mean this cannot be the result  to login everytime again when unlock the iphone !?

Greetings

Philip