This document describes a configuration example that is used in order to complete Central Web Authentication (CWA) on the Wireless LAN Controller (WLC).
It is superseded by the more complete Guest deployment guide available here : https://communities.cisco.com/docs/DOC-77590
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
The first method of web authentication is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required because the portal provides features such as device registering and self-provisioning. The flow includes these steps:
This flow includes several redirections. The new approach is to use CWA. This method works with ISE (versions later than 1.1) and WLC (versions later than 7.2). The flow includes these steps:
The setup used is:
The WLC configuration is fairly straightforward. A trick is used (same as on switches) in order to obtain the dynamic authentication URL from the ISE (since it uses Change of Authorization (CoA), a session must be created and the session ID is part of the URL). The SSID is configured in order to use MAC filtering. The ISE is configured in order to return an access-accept even if the MAC address is not found, so that it sends the redirection URL for all users.
In addition to this, ISE Network Admission Control (NAC) and Authentication, Authorization, and Accounting (AAA) Override must be enabled. The ISE NAC allows the ISE to send a CoA request that indicates that the user is now authenticated and is able to access the network. It is also used for posture assessment, in which case the ISE changes the user profile based on the posture result.
Ensure that the RADIUS server has "Support for CoA" enabled, which is by default.
The final step is to create a redirect ACL. This ACL is referenced in the access-accept of the ISE and defines what traffic should be redirected (denied by the ACL) and what traffic should not be redirected (permitted by the ACL). Here you just prevent from redirection traffic towards the ISE. You might want to be more specific and only prevent traffic to/from the ISE on port 8443 (guest portal), but still redirect if a user tries to access the ISE on port 80/443.
Note: Earlier versions of WLC software such as 7.2 or 7.3 did not require you to specify Domain Name System (DNS), but later code versions require you to permit DNS traffic on that redirect ACL.
Configuration is now complete on the WLC.
On the ISE, the authorization profile must be created. Then, the authentication and authorization policies are configured. The WLC should already be configured as a network device.
In the authorization profile, enter the name of the ACL created earlier on the WLC.
Ensure that the ISE accepts all of the MAC authentications from the WLC and make sure it will pursue authentication even if the user is not found.
Under the Policy menu, click Authentication.
The next image shows an example of how to configure the authentication policy rule. In this example, a rule is configured that triggers when MAB is detected.
Note: Now there is a MAB authentication rule created on the ISE by default.
Configure the authorization policy. One important point to understand is that there are two authentications/authorizations:
Complete these steps in order to create the authorization rules as shown in the previous images:
Note: It is very important that this new rule comes before the Guest Redirection rule.
Note: In a multi controller environment the WLAN-ID should be the same across the WLCs. If one does not want to use the Airespace-Wlan-Id attribute as a condition, then it is better to match Wireless_MAB (Built-in condition) requests.
If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step. This is not a recommended design as changing the client vlan after it already got an ip address will disrupt connectivity, some clients might wrongly react to it and it requires elevated Windows privileges to work fine.
If you assigned a VLAN, complete these steps in order to enable IP renewal:
Note: This option works only for Windows clients.
This setup can also work with the auto-anchor feature of the WLCs. The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC. The foreign just needs to have the ACL name exist (Does not need ACL entries). The foreign WLC will send the ACL name to the anchor and it will be the anchor applying the redirection (and therefore needs the right ALC content).
Just like in other scenarios, the foreign WLC quickly shows the client to be in the RUN state, which is not entirely true. It simply means that traffic is sent to the anchor from there. The real client state can be seen on the anchor where it should display CENTRAL_WEBAUTH_REQD.
Here is the flow in an anchor-foreign setup:
The firewall ports which are required to allow communication between the WLC and ISE are:
Note: The anchor-foreign setup with Central Web Authentication (CWA) only works in Releases 7.3 or later.
Note: Due to Cisco bug ID CSCul83594 , you cannot run accounting on both anchor and foreign because it causes the profiling to become inaccurate due to a potential lack of IP-to-MAC binding. It also creates many issues with the session ID for guest portals. If you desire to configure accounting, then configure it on the foreign controller. Note that this should not be the case anymore starting 8.6 WLC software where the session id will be shared between anchor and foreign controllers and accounting will then be possible to enable on both.
Use this section in order to confirm that your configuration works properly.
The client details in the WLC show that the redirection URL and ACL are applied.
In the WLC client and AAA all debug, you can see access accept with the redirect URL and ACL sent from the ISE.
*radiusTransportThread: 5c:c5:d4:b1:09:95 Access-Accept received from RADIUS server 10.48.39.161 *radiusTransportThread: AVP[04] Cisco / Url-Redirect-Acl.................cwa_redirect (12 bytes)
*radiusTransportThread: AVP[05] Cisco / Url-Redirect.....................DATA (177 bytes)
*apfReceiveTask: 5c:c5:d4:b1:09:95 Redirect URL received for client from RADIUS.
Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: 5c:c5:d4:b1:09:95 AAA Override Url-Redirect-Acl 'cwa_redirect'
The same thing can also be verified in the ISE. Choose Operations > Radius livelogs. Click the detail for that MAC.
You can see that for the first authentication (MAC filtering) ISE returns the AuthZ profile WLC_CWA as it hits the authentication rule MAB and authz policy Guest Redirection.
When the credentials are entered, ISE authenticates the client and sends the CoA.
On the WLC this can be seen in AAA all debugs.
*radiusCoASupportTransportThread: audit session ID recieved in CoA = 0a30279c0000003b58887c51 *radiusCoASupportTransportThread: Received a 'CoA-Request' from 10.48.39.161
*radiusCoASupportTransportThread: CoA - Received IP Address : 10.48.39.156 *radiusCoASupportTransportThread: 5c:c5:d4:b1:09:95 Calling-Station-Id ---> 5c:c5:d4:b1:09:95
*radiusCoASupportTransportThread: Handling a valid 'CoA-Request' regarding station 5c:c5:d4:b1:09:95
*radiusCoASupportTransportThread: 5c:c5:d4:b1:09:95 Reauthenticating station 5c:c5:d4:b1:09:95
*radiusCoASupportTransportThread: Sent a 'CoA-Ack' to 10.48.39.161
After this the client is reauthenticated and granted access to the network.
Note: In Release 7.2 or earlier, the state CENTRAL_WEB_AUTH was called POSTURE_REQD.
Note that the type of CoA returned by ISE evolved across versions. ISE 2.0 will request the WLC to re-run the authentication rather than plainly disconnect the client.
Example of ISE 2.0 CoA request :
The WLC will then not send a disassociation frame to the client and will run a radius authentication again and apply the new result transparently to the client.
However, things are still different if a PSK is in use. Since 8.3, the WLC supports setting a WPA pre-shared key on a CWA SSID. In that kind of situation, upon reception of the same CoA from ISE as above, the WLC will have to trigger a new WPA key exchange again. Therefore in case of PSK, the WLC will have to send a disassociate frame to the client which will have to reconnect. In classical non-PSK scenarios, the WLC will not send a disassociate frame to the client and will simply apply the new authorization result. However an "association response" will be still sent ot the client although no "association request" was ever received from the client, which might seem curious when analyzing sniffer traces.
Complete these steps in order to troubleshoot or isolate a CWA problem:
Consider these Cisco bug IDs that limit the efficiency of the CWA process in a mobility scenario (especially when accounting is configured):