Introduction
This document describes the multiple methods to complete central web authentication on the Wireless LAN Controller (WLC).
Other Documents in this Series
Central Web Authentication with a Switch and Identity Services Engine Configuration Example
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Identity Services Engine Software Release 1.1.1.268
- Cisco Wireless LAN Controller Software Release 7.2.110.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and performs a RADIUS authentication. For a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required, because the portal provides features such as device registration and self-provisioning. The flow includes these steps:
- The user associates to the web authentication SSID.
- The user opens their browser.
- The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
- The user authenticates on the portal.
- The guest portal redirects back to the WLC with the credentials entered.
- The WLC authenticates the guest user via RADIUS.
- The WLC redirects back to the original URL.
This involves a lot of redirection. The newer approach is central web authentication, which works with ISE (versions later than 1.1) and WLC (versions later than 7.2). The flow includes these steps:
- The user associates to the web authentication SSID.
- The user opens their browser.
- The WLC redirects to the guest portal.
- The user authenticates on the portal.
- The ISE sends a RADIUS Change of Authorization (CoA, UDP port 3799) to indicate to the controller that the user is valid, and can also push RADIUS attributes such as an Access Control List (ACL).
- The user is prompted to retry the original URL.
The setup used is as follows:
WLC Configuration
The WLC configuration is fairly straightforward. A "trick" is used (the same one as on switches) to obtain the dynamic redirect URL from the ISE: because CoA is used, a session must exist, and the session ID is part of the URL. The SSID is configured to use MAC filtering. The ISE is configured to return an Access-Accept even if the MAC address is not found, so that it sends the redirect URL for all users.
In addition to this, RADIUS Network Admission Control (NAC) and Authentication, Authorization, and Accounting (AAA) Override must be enabled. The RADIUS NAC allows the ISE to send a CoA request that indicates the user is now authenticated and is able to access the network. It is also used for posture assessment, in which case the ISE changes the user profile based on posture result.
Ensure that the RADIUS server entry has RFC 3576 (CoA) support enabled, which it is by default.
The final step is to create a redirect ACL. This ACL is referenced in the Access-Accept from the ISE and defines which traffic is redirected (denied by the ACL) and which traffic is not redirected (permitted by the ACL). In short, DNS and traffic to/from the ISE must be permitted.
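The inverted semantics of the redirect ACL (deny means intercept, permit means pass through) is the part practitioners most often get backwards. The following Python model is an added example, not code from the original document or from Cisco: it evaluates a first-match ACL built from the rules the text describes (DNS and ISE traffic permitted, everything else denied) and reports what happens to a packet while the client is still waiting for web authentication. The ISE address, the client address, the portal port and the packets are constructed for the example, and the distinction between redirected and dropped traffic assumes that the controller intercepts only HTTP on port 80 in this state (HTTPS interception is a separate feature and is not modelled).

```python
"""Simplified first-match model of the WLC redirect ACL.
Addresses, ports and packets are constructed for this example; the
80-only interception is an assumption stated in the lead-in."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
ISE = ip_network("10.0.0.10/32")   # constructed ISE address (placeholder)
HTTP = 80                          # assumed: the only port intercepted pre-auth


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" (pass through) or "deny" (intercept)
    protocol: str                  # "any", "udp" or "tcp"
    src: object                    # ip_network
    dst: object                    # ip_network
    src_port: Optional[int] = None  # None = any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (rule.protocol in ("any", pkt.protocol)
            and ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))


# Redirect ACL as the text describes it: DNS both ways, ISE both ways, deny the rest.
REDIRECT_ACL = [
    Rule("permit", "udp", ANY, ANY, dst_port=53),   # DNS query
    Rule("permit", "udp", ANY, ANY, src_port=53),   # DNS reply
    Rule("permit", "any", ANY, ISE),                # client -> ISE portal
    Rule("permit", "any", ISE, ANY),                # ISE -> client
    Rule("deny",   "any", ANY, ANY),                # everything else is intercepted
]


def pre_auth_disposition(pkt: Packet, acl=REDIRECT_ACL) -> str:
    """Disposition of a packet while the client is in the webauth-pending state.

    permit      -> "forward"  (traffic passes untouched)
    deny + HTTP -> "redirect" (browser is sent to the portal)
    deny, other -> "drop"     (no redirect is possible for non-HTTP traffic)
    Unmatched traffic falls into the implicit deny at the end of the ACL.
    """
    action = "deny"
    for rule in acl:
        if matches(rule, pkt):
            action = rule.action
            break
    if action == "permit":
        return "forward"
    if pkt.protocol == "tcp" and pkt.dst_port == HTTP:
        return "redirect"
    return "drop"


if __name__ == "__main__":
    client = "10.1.1.20"                               # constructed client address
    for pkt in (Packet("udp", client, "8.8.8.8", 50000, 53),
                Packet("tcp", client, "93.184.216.34", 50001, 80),
                Packet("tcp", client, "93.184.216.34", 50002, 443),
                Packet("tcp", client, "10.0.0.10", 50003, 8443)):
        print(pkt.protocol, pkt.dst, pkt.dst_port, "->", pre_auth_disposition(pkt))
```

The common mistake this model exposes is writing the ACL with the usual "permit = allow" mental model and permitting all HTTP: that traffic is then forwarded instead of intercepted, and the client never sees the portal. Conversely, anything the portal itself needs (DNS, and every port the ISE portal listens on) must be permitted, or the redirect lands on a page the client cannot reach.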
Configuration is now complete on the WLC.
ISE Configuration
On the ISE, the authorization profile must be created. Then, authentication and authorization are configured. The WLC should already be configured as a network device.
In the authorization profile, enter the name of the ACL created earlier on the WLC.
Ensure the ISE accepts all the MAC authentications from the WLC and returns the profile.
Use the built-in wireless MAC Authentication Bypass (MAB) condition, which matches:
- Radius:Service-Type: Call Check (MAC authorization uses Call Check on WLCs and switches)
- Radius:NAS-Port-Type: Wireless - IEEE 802.11
Configure the authorization. One important thing to understand is that there are two authentications/authorizations:
- The first occurs when the user associates to the SSID; this is when the central web authentication profile is returned.
- The second occurs when the user authenticates on the web portal. In this configuration it matches the default rule (internal users); it can be configured to meet your requirements. It is important that the authorization for this second pass does not match the central web authentication profile again, otherwise there is a redirection loop. The attribute "Network Access:UseCase Equals Guest Flow" can be used to match this second authentication. The result looks like this:
Verify
Once the user is associated to the SSID, the authorization is displayed on the ISE page.
The client details in the WLC show that the redirection URL and ACL are applied.
Now when any address is opened on the client, the browser is redirected to the ISE. Ensure Domain Name System (DNS) is set up correctly.
Network access is granted after the user accepts the policies.
As shown in the ISE example, the authentication, the change of authorization, and the applied profile (permitAccess) are listed.
On the controller, the Policy Manager state and the RADIUS NAC state change from "POSTURE_REQD" to "RUN".
Updated: Jan 04, 2013 | Document ID: 115732