Cisco 9800 Wireless 2024 – Phase 13 – Part 3 – Proof of Concept – Captive Portal Infrastructure

Cisco ISE Guest and BYOD Captive Portal Configuration

  • G0 – is used to access the DMZ admin portal on 10.0.66.36
  • G1 – is used to access the DMZ captive portal on 10.0.77.36

One of the security requirements is to use two interfaces on the Cisco ISE appliance. Interface G0 will be used to administer and manage the appliance and the sponsor portal. Interface G1 will be used by guest and BYOD users to access the captive portal login page.

interface GigabitEthernet 0
 ip address 10.0.66.36 255.255.255.192
 ipv6 enable
 ipv6 address autoconfig
!
interface GigabitEthernet 1
 ip address 10.0.77.36 255.255.255.192
 ipv6 enable
 ipv6 address autoconfig
!
ip route 0.0.0.0 0.0.0.0 gateway 10.0.77.23

The default route above, via gateway 10.0.77.23, sends captive portal traffic out interface GigabitEthernet 1.

The fully qualified domain name (FQDN) of the captive portals must be defined in DNS. The sponsor and guest portals will be hosted on the DMZ ISE nodes.

Example:

C:\Users\>nslookup 10.0.66.36
Name: dmzpsn1.netprojekralac.com
Address: 10.0.66.36

C:\Users\>nslookup 10.0.77.36
Name: dmzwireless.netprojekralac.com
Address: 10.0.77.36

C:\Users\>nslookup sponsorportal.netprojekralac.com
Name: dmzpsn1.netprojekralac.com
Address: 10.0.66.36
Aliases: sponsorportal.netprojekralac.com

Configure ISE Sponsor portal on GigabitEthernet 0
Test the sponsor portal

Configure the redirect ACL on the Cisco 9800 WLC

Configure an ACL on the DMZ controller; it is applied to the client session and decides which traffic triggers the captive portal redirect.

  • Deny = exempt the traffic from redirection (it is not dropped by this ACL).
  • Permit = the traffic is redirected.

Reference:

You need to deny traffic to your ISE PSN nodes as well as deny DNS and permit all the rest. This redirect ACL is not a security ACL but a punt ACL that defines what traffic goes to the CPU (on permits) for further treatment (like redirection) and what traffic stays on the data plane (on deny) and avoids redirection (but is not dropped necessarily).

It is more ideal to restrict to the port 8443 which is typically the port used by the guest portal (although in some specific cases, other ports can be involved).

You also need to deny DNS traffic (potentially only towards your DNS server IPs) and DHCP and NTP in certain cases.

ip access-list extended WEBAUTH_REDIRECT_CWA
 20 deny tcp any host 10.0.0.36 eq 8443
 21 deny tcp any host 10.0.77.36 eq 8443
 40 deny tcp host 10.0.0.36 any eq 8443
 41 deny tcp host 10.0.77.36 any eq 8443
 49 deny ip any host 72.163.1.80
 50 deny ip any 72.163.0.0 0.0.255.255
 60 deny tcp any host 10.0.0.36 eq 8905
 61 deny tcp any host 10.0.77.36 eq 8905
 70 deny tcp any host 10.0.0.36 eq 8084
 71 deny tcp any host 10.0.77.36 eq 8084
 100 permit tcp any any eq www
 110 deny udp any host 10.0.206.21 eq domain
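To check what the redirect ACL above actually does to a given client flow, here is an added example (not part of the original post) that parses the ACL exactly as written and applies the punt semantics described above: first matching entry wins, permit means redirect, deny means the flow stays on the data plane, and the implicit deny at the end also leaves traffic unredirected. The client address 10.0.100.50 and destination 198.51.100.10 are constructed test values.

```python
import ipaddress
# Redirect ACL as written on the page. "permit" punts the flow to the CPU for
# redirection; "deny" keeps it on the data plane; an implicit deny ends the list.
REDIRECT_ACL = """
20 deny tcp any host 10.0.0.36 eq 8443
21 deny tcp any host 10.0.77.36 eq 8443
40 deny tcp host 10.0.0.36 any eq 8443
41 deny tcp host 10.0.77.36 any eq 8443
49 deny ip any host 72.163.1.80
50 deny ip any 72.163.0.0 0.0.255.255
60 deny tcp any host 10.0.0.36 eq 8905
61 deny tcp any host 10.0.77.36 eq 8905
70 deny tcp any host 10.0.0.36 eq 8084
71 deny tcp any host 10.0.77.36 eq 8084
100 permit tcp any any eq www
110 deny udp any host 10.0.206.21 eq domain
"""
PORT_NAMES = {"www": 80, "domain": 53}
def parse_ace(line):
    """Parse one extended ACE: seq action proto src [eq port] dst [eq port]."""
    tok, pos = line.split(), 3
    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        pos += 2  # network + wildcard mask (ipaddress accepts a hostmask)
        return ipaddress.ip_network(f"{tok[pos - 2]}/{tok[pos - 1]}")
    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return PORT_NAMES.get(tok[pos - 1]) or int(tok[pos - 1])
        return None
    src, sport, dst, dport = addr(), port(), addr(), port()
    return dict(seq=int(tok[0]), action=tok[1], proto=tok[2],
                src=src, sport=sport, dst=dst, dport=dport)
ACL = [parse_ace(ln) for ln in REDIRECT_ACL.strip().splitlines()]
def classify(proto, src, sport, dst, dport, acl=ACL):
    """First matching ACE wins: ('redirect' | 'bypass', matching seq or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"] \
                and a["sport"] in (None, sport) and a["dport"] in (None, dport):
            return ("redirect" if a["action"] == "permit" else "bypass", a["seq"])
    return ("bypass", None)  # implicit deny: flow stays on the data plane
```

Note that with this ACL only TCP port 80 is redirected; an HTTPS request from a client before login falls through to the implicit deny and is not redirected.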

  • Ensure that the respective user VLANs are defined in DNS.
  • Ensure that the ISE VLANs, the captive portal and the hostname are defined in DNS.

The guest portal name must resolve to 10.0.77.36, the address of GigabitEthernet 1.

visedmz/admin(config)#ip host 10.0.77.36 dmzwireless dmzwireless.netprojekralac.com

Host alias was modified. You must restart ISE for change to take effect.
Do you want to restart ISE now? (yes/no) yes

This command adds a static hostname-to-IP address mapping for the ETH1 network interface. Step by step:

1. ip host: the command that creates the static mapping.
2. 10.0.77.36: the IP address of the host.
3. dmzwireless: the short hostname for the device.
4. dmzwireless.netprojekralac.com: the Fully Qualified Domain Name (FQDN) for the device.

Configure ISE Guest Captive Portal on GigabitEthernet 1
Test the guest portal
