The first method of web authentication is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required because the portal provides features such as device registering and self-provisioning. The flow includes these steps:
The user associates to the web authentication Service Set Identifier (SSID).
The user opens the browser.
The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
The user authenticates on the portal.
The guest portal redirects back to the WLC with the credentials entered.
The WLC authenticates the guest user via RADIUS.
The WLC redirects back to the original URL.
This flow includes several redirections. The new approach is to use CWA. This method works with ISE (versions later than 1.1) and WLC (versions later than 7.2). The flow includes these steps:
The user associates to the web authentication SSID, which is in fact open+macfiltering and no layer 3 security.
The user opens the browser.
The WLC redirects to the guest portal.
The user authenticates on the portal.
The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
The user is prompted to retry the original URL.
The setup used is:
The WLC configuration is fairly straightforward. A trick is used (same as on switches) in order to obtain the dynamic authentication URL from the ISE (since it uses Change of Authorization (CoA), a session must be created and the session ID is part of the URL). The SSID is configured in order to use MAC filtering. The ISE is configured in order to return an access-accept even if the MAC address is not found, so that it sends the redirection URL for all users.
In addition to this, RADIUS Network Admission Control (NAC) and Authentication, Authorization, and Accounting (AAA) Override must be enabled. The RADIUS NAC allows the ISE to send a CoA request that indicates that the user is now authenticated and is able to access the network. It is also used for posture assessment, in which case the ISE changes the user profile based on the posture result.
Ensure that the RADIUS server has RFC3576 (CoA) enabled, which is by default.
The final step is to create a redirect ACL. This ACL is referenced in the access-accept of the ISE and defines what traffic should be redirected (denied by the ACL) and what traffic should not be redirected (permitted by the ACL). Here you just prevent from redirection traffic towards the ISE. You might want to be more specific and only prevent traffic to/from the ISE on port 8443 (guest portal), but still redirect if a user tries to access the ISE on port 80/443.
Note: Earlier versions of WLC software like 7.2 or 7.3 did not require you to specify DNS but newer code versions require you to permit DNS traffic on that redirect ACL.
Configuration is now complete on the WLC.
Create the Authorization Profile
On the ISE, the authorization profile must be created. Then, the authentication and authorization policies are configured. The WLC should already be configured as a network device.
In the authorization profile, enter the name of the ACL created earlier on the WLC.
Click Policy, and then click Policy Elements.
Expand Authorization, and then click Authorization profile.
Click the Add button in order to create a new authorization profile for central webauth.
In the Name field, enter a name for the profile. This example uses WLC_CWA.
Choose ACCESS_ACCEPT from the Access Type drop-down list.
Check the Web Redirection check box, and choose Centralized Web Auth from the drop-down list.
In the ACL field, enter the name of the ACL on the switch that defines the traffic to be redirected. This example uses cwa_redirect.
Choose Default from the Redirect drop-down list. (Choose something other than default if you use a custom portal other than the default.)
Create an Authentication Rule
Ensure that the ISE accepts all of the MAC authentications from the WLC and make sure it will pursue authentication even if the user is not found.
Under the Policy menu, click Authentication.
The next image shows an example of how to configure the authentication policy rule. In this example, a rule is configured that triggers when MAB is detected.
Enter a name for your authentication rule. This example uses MAB, which already exists by default on ISE Version 1.2.
Select the plus (+) icon in the If condition field.
Choose Compound condition, and then choose Wired_MAB OR Wireless_MAB.
Click the arrow located next to and ... in order to expand the rule further.
Click the + icon in the Identity Source field, and choose Internal endpoints.
Choose Continue from the If user not found drop-down list.
Create an Authorization Policy
Configure the authorization policy. One important point to understand is that there are two authentications/authorizations:
The first is when the user associates to the SSID and when the central web authentication profile is returned (unknown MAC address, so you must set the user for redirection).
The second is when the user authenticates on the web portal. This one matches the default rule (internal users) in this configuration (it can be configured in order to meet your requirements). It is important that the authorization part does not match the central web authentication profile again. Otherwise, there will be a redirection loop. The Network Access:UseCase Equals Guest Flow attribute can be used in order to match this second authentication. The result looks like this:
Note: In ISE Release 1.3, dependent upon the type of web authentication, the "Guest Flow" use case might not be hit anymore. The authorization rule would then have to contain the guest usergroup as the only possible condition.
Complete these steps in order to create the authorization rules as shown in the previous images:
Create a new rule, and enter a name. This example uses Guest Redirection.
Click the plus (+) icon in the condition field, and choose to create a new condition.
Expand the Expression drop-down list.
Choose Network Access, and expand it.
Click AuthenticationStatus, and choose the Equals operator.
Choose UnknownUser in the right-hand field.
On the General Authorization page, choose WLC_CWA (Authorization Profile) in the field to the right of the word then.
This step allows the ISE to continue even though the user (or the MAC address) is not known.
Unknown users are now presented with the Login page. However, once they enter their credentials, that is an authentication that succeeds if the client credentials are valid despite what you configured in the authentication/authorization policy. As of ISE Versions 1.1 and 1.2, portal authentications do not follow the authentication/authorization rules and succeed if valid. Thus, there is no need to create a rule that permits access upon successful portal login.
Click the Actions button located at the end of the Guest Redirection rule, and choose to insert a new rule before it.
Note: It is very important that this new rule comes before the Guest Redirection rule.
Enter a name for the new rule. This example uses Guest Portal Auth.
In the condition field, click the plus (+) icon, and choose to create a new condition.
Choose Network Access, and click UseCase.
Choose Equals as the operator.
Choose GuestFlow as the right operand. (See the note, listed before these steps, in regards to ISE Release 1.3 on this condition.)
On the authorization page, click the plus (+) icon (located next to then) in order to choose a result for your rule.
You can choose a Permit Access option or create a custom profile in order to return the VLAN or attributes that you like. Note that on top of If GuestFlow, you can add more conditions in order to return various authz profiles based on the user group. As mentioned in Step 7, this Guest Portal Auth rule matches upon the second MAC address authentication initiated after the successful portal login and after ISE sent a CoA in order to reauthenticate the client. The difference with this second authentication is that, instead of coming to ISE with simply its MAC address, ISE remembers the username given in the portal. You can make this authorization rule take into account the credentials entered a few milliseconds before in the guest portal.
Note: If profiling Functions are enabled, endpoints could be inserted automatically in the database, in which case the unknown user condition does not match. In this case, it is better to match Wireless_MAB (Built-in condition) requests. If you use MAC Authentication on your controller, you can either use endpoint groups for more specific authorization, or add a condition that matches the guest SSID.
Enable the IP Renewal (Optional)
If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.
If you assigned a VLAN, complete these steps in order to enable IP renewal:
Click Administration, and then click Guest Management.
Expand Guest, and then expand Multi-Portal Configuration.
Click DefaultGuestPortal or the name of a custom portal you created.
Click the VLAN DHCP Release check box.
Note: This option works only for Windows clients.
This setup can also work with the auto-anchor feature of the WLCs. The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
Just like in other scenarios, the foreign WLC quickly shows the client to be in the RUN state, which is not entirely true. It simply means that traffic is sent to the anchor from there. The real client state can be seen on the anchor where it should display CENTRAL_WEBAUTH_REQD.
Note: The anchor-foreign setup with Central Web Authentication (CWA) only works in Releases 7.3 or later.
Note: Due to Cisco bug ID CSCuo56780 (even in versions that include fixes), you cannot run accounting on both anchor and foreign because it causes the profiling to become inaccurate due to a potential lack of IP-to-MAC binding. It also creates many issues with the session ID for guest portals. If you desire to configure accounting, then configure it on the foreign controller.
Once the user is associated to the SSID, the authorization is displayed in the ISE page.
The client details in the WLC show that the redirection URL and ACL are applied.
Now when any address is opened on the client, the browser is redirected to the ISE. Ensure that the Domain Name System (DNS) is set up correctly.
Network access is granted after the user accepts the policies.
As shown in the example ISE, the authentication, change of authorization, and profile applied is permitAccess.
The previous screenshot is taken from ISE Version 1.1.x where each single authentication step shows clearly.
The next screenshot is taken from ISE Version 1.2 where ISE summarizes several authentications performed by the same client in one line. Although more practical in real life, the Version 1.1.x screenshot shows more clearly what exactly happens for the sake of clarity in this example.
On the controller, the Policy Manager state and RADIUS NAC state changes from POSTURE_REQD to RUN.
Note: In Release 7.3 or later, the state is not called POSTURE_REQD anymore, but is now called CENTRAL_WEBAUTH_REQD.
Complete these steps in order to troubleshoot or isolate a CWA problem:
Enter the debug client <mac address of client> command on the controller and monitor in order to determine whether the client reaches the CENTRAL_WEBAUTH_REQD state. A common problem is observed when the ISE returns a redirect ACL that does not exist (or is not properly input) on the WLC. If this is the case, then the client is deauthenticated once the CENTRAL_WEBAUTH_REQD state is reached, which causes the process to begin again.
If the correct client state can be reached, then navigate to monitor > clients on the WLC web GUI and verify that the correct redirect ACL and URL are applied for the client.
Verify that the correct DNS is used. The client should have the ability to resolve internet websites and the ISE hostname. You can verify this via nslookup.
Verify that all authentications steps occur on the ISE:
The MAC authentication should occur first, to which CWA attributes are returned.
The portal login authentication occurs.
The dynamic authorization occurs.
The final authentication is a MAC authentication that shows the portal username on the ISE, to which the final authorization results are returned (such as the final VLAN and ACL).
Special Considerations for Anchoring Scenarios
Consider these Cisco bug IDs that limit the efficiency of the CWA process in a mobility scenario (especially when accounting is configured):
CSCuo56780 - ISE RADIUS Service Denial of Service Vulnerability
CSCul83594 - Session-id is not synchronized across mobility, if the network is open