Cisco ISE - CWA redirect in another way than cisco-av-pair?
Hello.
I'm trying to set up ISE as a CWA.
I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
But here is the problem: We use Aerohive as access points. And Aerohive does not support cisco-av-pair attributes, since it's Cisco proprietary.
Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
So the big question: Is there a way to make the same redirect using standard RADIUS attributes?
Thank you.
Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
I could be wrong here, so if someone else has done this before please chime in.
Thank you for rating helpful posts!
Similar Messages
-
Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
All the documentation that I've found states this. I've set up my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.
Poonam,
I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
Let me give you this example. Say I have the following configured:
CONFIGURED SWITCH INTERFACE ACL (PACL)
ip access-list standard ACL-ALLOW
permit ip any any
CONFIGURED SWITCH REDIRECT ACL (RACL)
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www 443
CONFIGURED ISE DOWNLOADABLE ACL (DACL)
permit tcp any host <psn01> eq 8443
permit udp any host <dns01> eq 53
deny ip any any
Then the process would look like this:
1. During dot1x negotiation the acl that is used is this:
permit ip any any <<<<<PACL
2. Once CWA is in effect then the acl looks like this:
redirect tcp host <host ip> any eq www 443 <<<<<<RACL
permit tcp host <host ip> host <psn01 ip> eq 8443 <<<<<<DACL
permit udp host <host ip> host <dns01 ip> eq 53 <<<<<<DACL
deny ip any any <<<<<<DACL
permit ip any any <<<<<<PACL
-
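A small simulation of the RACL > DACL > PACL merge the post above describes, as an added example that is not part of the thread. The addresses are constructed placeholders for the poster's <psn01>, <dns01> and <host ip>, and the deny-to-permit / permit-to-redirect rewriting with first-match evaluation follows the poster's description, not any platform's documented behaviour.

```python
# Named ports that appear in the IOS ACLs quoted in this thread.
PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69}


def parse_ace(line):
    """Parse one IOS ACE such as 'permit tcp any host 10.1.1.1 eq www 443'
    into (action, proto, src, dst, dports); empty dports means any port.
    A source-port qualifier ('any eq bootpc') is accepted and ignored."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]

    def addr(r):  # 'host X' or 'any'
        return (r[1], r[2:]) if r[0] == "host" else (r[0], r[1:])

    src, rest = addr(rest)
    if rest and rest[0] == "eq":
        rest = rest[2:]
    dst, rest = addr(rest)
    dports = set()
    if rest and rest[0] == "eq":
        dports = {int(PORTS.get(p, p)) for p in rest[1:]}
    return action, proto, src, dst, dports


def parse_acl(text):
    """Parse permit/deny lines; remarks and blank lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            rows.append(parse_ace(line))
    return rows


def session_acl(client_ip, racl, dacl, pacl):
    """Effective per-session ACL in the order RACL > DACL > PACL, following
    the poster's description: a RACL 'deny' becomes 'permit' (exempt from
    redirect), a RACL 'permit' becomes 'redirect', and every entry is bound
    to the client's address as its source."""
    merged = []
    for action, proto, _src, dst, dports in racl:
        verb = "permit" if action == "deny" else "redirect"
        merged.append((verb, proto, client_ip, dst, dports))
    for action, proto, _src, dst, dports in dacl + pacl:
        merged.append((action, proto, client_ip, dst, dports))
    return merged


def classify(acl, src, dst, proto, dport):
    """First-match evaluation; unmatched traffic hits the implicit deny."""
    for action, aproto, asrc, adst, dports in acl:
        if (aproto in ("ip", proto) and asrc in ("any", src)
                and adst in ("any", dst) and (not dports or dport in dports)):
            return action
    return "deny"


# Constructed placeholder addresses standing in for the poster's <psn01>,
# <dns01> and <host ip>.
PSN01, DNS01, CLIENT = "10.0.0.10", "10.0.0.53", "10.0.5.77"
PACL = parse_acl("permit ip any any")
RACL = parse_acl("permit tcp any any eq www 443")           # the poster's RACL
RACL_DOCUMENTED = parse_acl(f"deny ip any host {PSN01}\n"    # with the ISE exemption
                            "permit tcp any any eq www 443")
DACL = parse_acl(f"""
permit tcp any host {PSN01} eq 8443
permit udp any host {DNS01} eq 53
deny ip any any
""")


def cwa_verdicts(racl=RACL):
    """Classify representative client flows while the port is in CWA state."""
    acl = session_acl(CLIENT, racl, DACL, PACL)
    flows = {
        "web to internet": ("203.0.113.9", "tcp", 80),
        "portal on 8443": (PSN01, "tcp", 8443),
        "psn on 443": (PSN01, "tcp", 443),
        "dns": (DNS01, "udp", 53),
        "ssh to internal host": ("10.0.9.9", "tcp", 22),
    }
    return {name: classify(acl, CLIENT, dst, proto, port)
            for name, (dst, proto, port) in flows.items()}
```

With the poster's RACL, cwa_verdicts() reports traffic to the PSN on 443 as redirected and SSH as denied by the DACL before the PACL is ever reached; with RACL_DOCUMENTED the ISE exemption turns the 443 flow into a permit.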
Hi
I am trying to implement the guest portal and I have configured the ISE and switch to redirect guests, and I see the whole process goes well when I issue
show authentication session interface GigabitEthernet1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: 1078.d2fc.698c
IP Address: 192.168.0.59
User-Name: 10-78-D2-FC-69-8C
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 81
ACS ACL: xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A6518000000010006F2B5
Acct Session ID: 0x00000003
Handle: 0x0D000001
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
My problem is that the web browser does NOT redirect automatically to the portal, but it does when I manually copy the URL from the switch. Any idea?
switch configuration
boot-start-marker
boot-end-marker
logging monitor informational
enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
username cisco privilege 15 password 0 cisco
username ise-rad-alive password 0 CICSOISEalive123
aaa new-model
aaa authentication login local local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 10.10.20.13 server-key myshared
client 10.10.20.14 server-key myshared
aaa session-id common
switch 1 provision ws-c2960s-24ps-l
ip dhcp snooping vlan 1-2000
no ip dhcp snooping information option
ip dhcp snooping
ip domain-name mycompany.com
ip name-server 192.168.10.40
ip device tracking probe use-svi
ip device tracking
ip admission name Webauth proxy http inactivity-time 60
vtp mode transparent
epm logging
dot1x system-auth-control
fallback profile Webauth
ip access-group ACL-WEBAUTH-REDIRECT in
ip admission Webauth
spanning-tree mode pvst
spanning-tree extend system-id
interface GigabitEthernet1/0/11
switchport mode access
switchport voice vlan 93
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 777
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
interface Vlan1
no ip address
shutdown
interface Vlan80
ip address 10.10.101.24 255.255.255.0
ip default-gateway 10.10.101.1
ip http server
ip http secure-server
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 10.10.20.13
deny ip any host 10.10.20.14
deny ip any host 192.168.10.43
deny ip any host 192.168.10.40
deny ip any host 192.168.10.41
deny ip any host 192.168.10.42
remark explicitly prevent DNS from being redirected to accommodate certain switches
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
ip radius source-interface Vlan80
logging origin-id ip
logging source-interface Vlan80
logging host 10.10.20.11 transport udp port 20514
logging host 10.10.20.12 transport udp port 20514
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
radius-server vsa send accounting
radius-server vsa send authentication
Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
-
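Added example (not from the thread): a check over the posted show authentication session output and the switch's redirect ACL that verifies what the reply says to verify: the URL shape, that sessionId matches the Common Session ID, and that the referenced redirect ACL exists, redirects 80/443 and exempts DNS when the portal is addressed by name. The sample text is a constructed excerpt of the poster's output and config.

```python
import re
import ipaddress
from urllib.parse import urlparse, parse_qs

# Constructed excerpts of the 'show authentication session' output and the
# ACL section of the running config quoted in the thread.
SHOW_SESSION = """\
Interface: GigabitEthernet1/0/11
IP Address: 192.168.0.59
Status: Authz Success
ACS ACL: xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
Common Session ID: 0A0A6518000000010006F2B5
"""
RUNNING_CONFIG = """\
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 10.10.20.13
 deny udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL-ALLOW
 permit ip any any
"""


def parse_session(text):
    """Turn 'Key: value' lines into a dict; the first colon splits the key."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def named_acls(config):
    """Map each 'ip access-list ... NAME' to its permit/deny ACE lines."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        tok = line.split()
        if head:
            current = head.group(1)
            acls[current] = []
        elif current and tok and tok[0] in ("permit", "deny"):
            acls[current].append(" ".join(tok))
    return acls


def ace_ports(ace):
    """Destination-port tokens after the last 'eq' of an ACE (as strings)."""
    return set(ace.rsplit(" eq ", 1)[1].split()) if " eq " in ace else set()


def check_cwa_session(show_text, config):
    """Return a list of findings; an empty list means the session looks sane."""
    s, acls, findings = parse_session(show_text), named_acls(config), []
    url = urlparse(s.get("URL Redirect", ""))
    query = parse_qs(url.query)
    if url.scheme != "https" or url.port != 8443 or "/guestportal/gateway" not in url.path:
        findings.append("redirect URL is not https://<psn>:8443/guestportal/gateway")
    if query.get("action") != ["cwa"]:
        findings.append("redirect URL action is not cwa")
    if query.get("sessionId", [None])[0] != s.get("Common Session ID"):
        findings.append("sessionId in redirect URL differs from Common Session ID")
    if not s.get("ACS ACL"):
        findings.append("no DACL (ACS ACL) applied to the session")
    name = s.get("URL Redirect ACL")
    aces = acls.get(name)
    if aces is None:
        findings.append(f"redirect ACL {name!r} is not defined on the switch")
        return findings
    redirected = set().union(*(ace_ports(a) for a in aces if a.startswith("permit tcp")))
    if not ({"www", "80"} & redirected) or not ({"443", "https"} & redirected):
        findings.append(f"{name} does not redirect both HTTP and HTTPS")
    try:
        ipaddress.ip_address(url.hostname or "")
    except ValueError:  # portal is addressed by name, so the client needs DNS
        if not any(a.startswith("deny udp") and ace_ports(a) & {"domain", "53"} for a in aces):
            findings.append(f"{name} redirects DNS but the portal URL uses a hostname")
    return findings
```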
Cisco ISE - CWA AD Authentication
Hello,
I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they log in, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
Below are my current Auth Policies, as I mentioned above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?
Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices.
For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If you don't use policy sets, then you should create one "authorization rule" for Guest_Wired and one for Guest_Wireless.
For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
For the Guest_Wireless, you will need to return "access_accept" and then an "Airspace ACL Name". That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive!
Both the DACL and the "Airspace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
1. Permit DNS- Needed for DNS resolution
2. Permit access to ISE - Needed for the guest pages to properly load
3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
4. Permit everything else - Needed for general internet browsing
I hope this helps!
Thank you for rating helpful posts!
-
Good Day,
I have Cisco ISE 1.2 with Cisco 2960 NAD.
I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.
Please advise what I have put in the authentication policy default rule?? deny access ?
And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?
Appreciate your support,
In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.
-
ISE CWA Redirect URL customization
Hi,
Just wanted to know if we can change the redirect URL. By default it starts with the hostname of ISE. I will have four PSN nodes and want the URL to actually be the load balancer URL rather than the ISE node. Since ISE is integrated with AD domain.local, a public certificate would not be possible. We are planning to install a public cert with a different domain name like domain.com. If someone has done it before please let me know
Thanks
Aijaz
Hello,
I went through your query and have found a link which I think would surely help you to solve your query:-
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
-
Hi
If in a CWA authorization profile the IP address option is used for the redirection, how will this impact on redundancy ? For instance in my implementation with 2 ISE appliances, on the Primary Admin Node the CWA profile is configured with an IP address of x.x.x.110 which is the address of the Primary ISE appliance. When the primary appliance fails how will the secondary appliance handle the above cause the x.x.x.110 ip address will then be unavailable and the new ip should be x.x.x.109....?
If you check that box and set an IP address manually then all CWA requests will go to that IP/Host Name. If you want to have redundancy then you should leave that box unchecked. Doing that will allow ISE to use the FQDN of the Radius server that is currently serving that SSID.
I hope this helps!
Thank you for rating helpful posts!
-
ISE CWA redirection problem for Apple devices
Hi,
I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
I have noticed that redirection to the ISE portal doesn't work for Apple devices (iOS 7 and later). All other devices like laptops, Androids etc. work fine.
Seems that the workaround on the WLC that bypasses the CNA on iDevices doesn't work in my case. The device tries to open the ISE portal and shows just a blank page (attached photo)
The problem doesn't appear for devices with iOS 6 but only for newer versions.
I've also tried with version 8.0 on the WLC without success.
Any advice?
Regards.
Captive portal/WISPr support for Apple iOS 7
CSCuj18674
Description
Symptom:
When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
Conditions:
The Apple device is running Apple iOS 7.
Workaround:
In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.
-
I made a mistake configuring the domain-name on my ISE appliance. I issued the no ip domain-name command and then added the domain-name I'd like to show up. It seems to have partially worked, as the FQDN on the appliance is now correct but the redirect URL on my wireless LAN controller is still redirecting to the old domain.
EX: WLC redirect: ise1.xyz.net
ISE FQDN: ise1.abc.net
Any ideas on how to change that?
Although you have changed the domain-name on the ISE appliance, the output on the WLC still shows the older domain for the URL redirect. The reason behind this is that the domain name (FQDN) which is present as the common name (CN) on the certificate of the server is still the old domain name.
-
How to hide a folder (another way than just adding ".")
hello guys!
I often play poker at europoker.net. While playing it creates a folder in my home directory called "OngameNetwork".
When I delete it or hide it, next time I log in it will create a new one. So my question is, how can I hide a folder without adding a dot at the beginning/renaming it? I want a system-wide solution, that means ls on the console and file dialogs should not see the folder.
Is that possible?
Thanks, regards, iggy
Last edited by iggy (2008-01-26 14:26:37)
I don't know of any way of doing this. But if it's just that one that bugs you, create another user (say "pokeruser") just for playing that poker, and run the poker application with "su pokeruser -c <appname>". That should run it as pokeruser, and so create that dir inside pokeruser's home dir.
-
I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create an auth profile that has manual entries in it that redirect the guest to the IP address of the guest portal, rather than the DNS name.
The attribute is configured with the following:
cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action
cisco-av-pair = url-redirect-acl=cwa
The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive an error page stating that the resource is not found, with the resource being /guestportal.
The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html
Has anyone managed to configure CWA to use the IP address rather than the DNS name, and go around this issue?
Hi
You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients IP address after VLAN change in both wired or wireless environments for Guest with posture.
This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.
-
Hi all,
Would like to find out about the patching process on the inline posture node.
My topology is one ISE appliance whose node type is Admin/Policy Service Node, while another unit is an inline posture node.
Both appliances have the identical software version and patch, namely 1.1.3.124, patch 2
I would like to update it to patch version 4.
My question:
01. If I apply the patch on the Admin/Policy Service Node using GUI patch management, will this also apply the patch to the Inline Posture node?
02. Or should I console into the Inline Posture node and update the patch the CLI way? Anything I should mention in this process, for example: stop application etc.?
Please advise, million thanks
Noel
Resolved Issues in Cisco ISE Version 1.1.0.665—Cumulative Patch 4
Lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.0.665 cumulative patch 4.
You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.1.0.665 (with or without patch 1, 2, and 3 applied), otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.1.0.665."
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.1. for instructions on how to apply the patch to your system.
If you experience problems installing the patch, please contact Cisco Technical Assistance Center.
Cisco ISE Patch Version 1.1.0.665—Patch 4 Resolved Caveats
Caveat: CSCui22841
Description: Apache Struts2 command execution vulnerability. Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product.
Managing Software Patches
You can install patches on ISE servers in your deployment from the primary administration node. ISE patches are usually cumulative; however, any restrictions on the patch installation will be described in the README file that will be included with the patch. Cisco ISE allows you to perform patch installation and rollback from either the command-line interface (CLI) or GUI.
Standalone Deployment
When you install or roll back a patch from a standalone or primary administration node, ISE restarts the application. You might have to wait for a few minutes before you can log back in.
Distributed Deployment
When you install or roll back a patch from the primary administration node that is part of a distributed deployment, Cisco ISE installs the patch on the primary and all the secondary nodes in the deployment. If the patch installation is successful on the primary node, Cisco ISE then proceeds to the secondary nodes. If it fails on the primary node, the installation is aborted. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.
Installing a Software Patch.
Please check the below link for step by step installation.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.pdf
-
Hi,
We are using two ISE nodes for guest authentication (CWA) in our wireless network. We have an inside interface (eth0) on the ISE and a public interface (eth1), accessible for the wireless clients.
At the moment I make a redirect to the IP address of the primary ISE:
For backup purposes, this is not a good idea. So I tried to configure an ip host 10.x.x.x FQDN with the ip address of eth1 and the FQDN of eth1 and removed the static host parameter in the common tasks of the CWA configuration page.
But then the wireless guests will be redirected to the FQDN of eth0, which is the wrong IP and not reachable for him.
What am I doing wrong?
ISE Version is 1.2.1 and I restarted the services after configuring the ip host part.
-
Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3
Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
ciscoISE/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
ciscoISE/admin(config)# snmp-server
Ciscoacs/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
Ciscoacs/admin(config)# snmp-server
No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30
-
Cisco ip phones authenticate 802.1x with cisco ise 1.3
Dear all,
I want to configure Cisco ISE 1.3 with 802.1x to authenticate Cisco IP phones (CUCM 10.5.2) with an LSC certificate.
How do I have to configure Cisco ISE authentication rules for 802.1x with Cisco IP phones? Are there any configuration examples?
Thanks
Following are ISE 802.1x sample authentication rules. You can change the protocol (Policy -> Policy Elements -> Results -> Authentication, and you can select the protocol)