Central Web Authentication on the WLC and ISE Configuration Example

Posted on Posted in CWA ISE

Configure

The first method of web authentication is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required because the portal provides features such as device registering and self-provisioning. The flow includes these steps:

  1. The user associates to the web authentication Service Set Identifier (SSID).
  2. The user opens the browser.
  3. The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  4. The user authenticates on the portal.
  5. The guest portal redirects back to the WLC with the credentials entered.
  6. The WLC authenticates the guest user via RADIUS.
  7. The WLC redirects back to the original URL.

This flow includes several redirections. The new approach is to use CWA. This method works with ISE (versions later than 1.1) and WLC (versions later than 7.2). The flow includes these steps:

  1. The user associates to the web authentication SSID, which is in fact open+macfiltering and no layer 3 security.
  2. The user opens the browser.
  3. The WLC redirects to the guest portal.
  4. The user authenticates on the portal.
  5. The ISE sends a RADIUS Change of Authorization (CoA – UDP Port 1700) to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
  6. The user is prompted to retry the original URL.

The setup used is:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.