Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

  • 1.  CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted Apr 12, 2014 10:42 AM

    Hello!

     

    Does anyone here know what a RADIUS_CoA Enforcement Profile for a Cisco WLC must look like? I want to have Central Web Authentication similar to how it is done with the Cisco ISE.

     

    I'm almost finished getting this working. The client can associate to the Guest network and gets an IP address. CPPM puts the client in the WEBAUTH_REQD state and sets the "Redirect URL" together with the "AAA Override ACL Name." Redirect to the ClearPass Guest portal page works fine and I can enter the guest account information. Everything looks fine in Access Tracker, but unfortunately the CoA Request is not working. Debug on the WLC shows the following error:

     

    *radiusRFC3576TransportThread: Apr 12 14:34:55.447: Invalid attributes received in 'RFC-3576 CoA-Request' from 192.168.111.20

    RADIUS_CoA works when I use the Change Status function in the Access Tracker: I can terminate the client session with the RADIUS CoA Type [Cisco - Terminate Session].

     

    What has to be sent to the WLC in order to put a client from WEBAUTH_REQD into the RUN state?

     

    Regards Carson



  • 2.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted Apr 12, 2014 07:36 PM

    Hello!

     

    So I have set up an ISE and checked with Wireshark what's going on. The ISE sends a CoA-Request with Calling-Station-Id and 3 Cisco-AVPairs:

     

    Radius:Cisco    Cisco-AVPair    =    subscriber:command=reauthenticate
    Radius:Cisco    Cisco-AVPair    =    subscriber:reauthenticate-type=last
    Radius:Cisco    Cisco-AVPair    =    audit-session-id=0a6fa8c00000000301c04953

     

    The first two are static, so it's no problem to write them into the Enforcement Profile. The last one is tricky: how can I send the audit-session-id back to the WLC? CPPM knows the audit-session-id because I can see it in the Access Tracker -> Request Details -> RADIUS Request Data.

     

    Is there a variable available, similar to %{Connection:Client-Mac-Address-Colon} for the client's MAC address, which I could put into the enforcement profile?

     

     Regards Carson



  • 3.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    EMPLOYEE
    Posted Apr 13, 2014 01:06 AM

    In your redirect are you adding...

     

    url-redirect=https://IP.ADDRESS.OF.CPG/guest/YOUR_PAGE_NAME.php?mac=%{Connection:Client-Mac-Address-Colon}



  • 4.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted Apr 13, 2014 05:32 AM

    Hello!

     

    What's the point of sending the Redirect-Url again in the RADIUS_CoA Request? This already happened in the first RADIUS response.

     

    Here is my workflow:

     

    1. Client associates to WLC
    2. WLC sends MAC-Auth Request to CPPM
    3. CPPM sends Access-Accept to WLC with url-redirect and url-redirect-acl because of unknown MAC
    4. Client opens browser and tries to access a website
    5. WLC intercepts and sends HTTP-Redirect to CPG
    6. Browser opens the CPG portal page
    7. User enters the guest account information
    8. CPG checks the guest account with CPPM
    9. CPPM sends RADIUS_CoA Request to WLC with subscriber:command=reauthenticate, subscriber:reauthenticate-type=last and audit-session-id
    10. WLC sends MAC-Auth Request to CPPM again triggered by the RADIUS_CoA
    11. CPPM sends Access-Accept to WLC with Airespace-ACL-Name because MAC is now known

    It works up to step 9. Here the audit-session-id must be sent, but I don't know what to write in the enforcement profile.

     

    enforcement_profile.png

     

    Regards Carson
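    The CoA-Request that replies 2 and 4 describe (Calling-Station-Id plus the three Cisco-AVPairs), encoded and checked offline. This is an added example, not code from the thread or from ClearPass: the shared secret and MAC are constructed, the audit-session-id is the one quoted above, and nothing is sent to a controller. The authenticator check is what a NAD does before acting on a CoA, and the parser shows how the Cisco VSAs are framed (RFC 5176 / RFC 2865 encoding).

```python
import hashlib
import struct

# Added example, not from the thread. Constructed values: demo shared secret and MAC;
# the audit-session-id is the one quoted in the thread. Nothing is sent on the wire.
SECRET = b"demo-secret"      # assumption: the NAD shared secret configured on CPPM
COA_REQUEST = 43             # RFC 5176 packet code for CoA-Request
CALLING_STATION_ID = 31
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # Cisco-AVPair is vendor-type 1 under vendor 9

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute."""
    payload = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, 1, len(payload) + 2) + payload)

def build_coa_request(identifier, mac, session_id, secret=SECRET):
    """CoA-Request as the thread shows ISE sending it: Calling-Station-Id plus three Cisco-AVPairs."""
    attrs = (attr(CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("subscriber:reauthenticate-type=last")
             + cisco_avpair("audit-session-id=" + session_id))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 Request Authenticator: MD5 over Code, ID, Length, 16 zero octets, attributes, secret
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request_authenticator(packet, secret=SECRET):
    """The check a NAD performs before acting on a CoA: recompute the authenticator over the packet."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]

def parse_attributes(packet):
    """Walk the attribute list; Cisco VSAs come back as their AVPair text, others as (type, text)."""
    out, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            out.append(("Cisco-AVPair", value[6:].decode()))
        else:
            out.append((t, value.decode()))
        pos += length
    return out
```

    A packet whose secret or attribute bytes do not match fails the authenticator check, which is the first thing a controller silently drops before it ever looks at the AVPairs.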



  • 5.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted May 02, 2014 12:17 PM

    Hello,

    I was having the same problem until I switched the WLC NAD port on CPPM to 1700. As soon as that was done, CoA started working. You don't need to add the audit session ID (the calling station ID is all that is needed), nor the reauthenticate last.

    Let me just add for reference all that I did in an attached PDF; it may help someone... If anyone has a better way of doing this I'm all ears (I'm really just starting to put my hands in CPPM, so I'm probably still making lots of mistakes...)

    Enjoy and comment!

     

     

    Flow is:

    Endpoint associates, tries MAC Auth and generates RADIUS request to CPPM - 1st pass on mac auth service (allow all mac)

    On CPPM the endpoint is unknown - it gets returned an access-accept plus a URL redirect

    Person using endpoint goes to web browser and gets redirected to CPPM portal and authenticates

    This authentication is processed in CPPM via a webauth service that will:

    Map a role to the endpoint

    Generate a coa for the controller to reauthenticate the user (new mac auth - 2nd pass)

    This 2nd pass will then be caught by the same mac auth service, but this time (during 5 minutes after accounting start) the endpoint will have roles in its policy cache. These roles will be matched and the appropriate RADIUS attributes will be returned (specific dACLs for instance)

     

    When user disconnects:

    Controller will need to time out the endpoint, then send accounting stop to CPPM. CPPM will keep the endpoint's policy cache for 5 minutes and then purge it. Next time the user associates ---> start all over again.

     

     

    Attachment(s)

    pdf
    CWA CPPM.pdf   429 KB 1 version


  • 6.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted May 08, 2014 08:08 AM

    g9ais,

     

    Can you paste the config for your ACL here? I've found that the various guides aren't always the right way to configure the redirect ACL, so it's interesting to see how you've done it.

     

     



  • 7.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted May 08, 2014 10:03 AM
    Hello,

    Basically for the WLC (5508, 2504, etc.) the ACL has to permit the traffic that is NOT meant to be redirected - DNS, ICMP, port 443 towards CPPM - and deny the rest.
    If we're talking about an IOS switch, the ACL has to deny the traffic that is NOT meant to be redirected...
    You should be able to find all the info you need in the BYOD CVDs on the Cisco website.


    Regards

    Gustavo


  • 8.  RE: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile

    Posted May 08, 2014 10:15 AM

    I'm looking for real life examples, as my experience differs a bit from the guides.

    I've done this on Cisco 5760 (IOS XE) and the guides said this should be the ACL:

     

    Extended IP access list ACL-REDIRECT
        deny udp any eq bootps any
        deny udp any any eq bootpc
        deny udp any eq bootpc any
        # above 3 rules block DHCP
        deny udp any any eq domain
        deny tcp any any eq domain
        # block DNS
        deny ip any host 192.168.154.119     # block access to ISE server
        deny ip any host 192.168.150.25      # block access to DHCP/DNS servers
        permit tcp any any eq www            # permit www and/or 443

     

     

    At least, it didn't work with IOS XE 3.3.1, but now it's upgraded to 3.3.3 and then the ACL had to be changed to reflect the same as mentioned above. So that's why I'm looking at how people are implementing the ACL.
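    To make the platform inversion from replies 7 and 8 concrete, here is an added example (not from the thread, Cisco or Aruba) that evaluates a few constructed guest flows against the ACL-REDIRECT list quoted above under both interpretations: on a WLC the denied traffic is intercepted, on an IOS/IOS-XE switch the permitted traffic is. The ACL is transcribed as tuples with port names resolved to numbers, and the sample flows (including the 203.0.113.10 web server) are constructed.

```python
# Added example, not from the thread. Flow fields are constructed; the ACL is a tuple
# rendering of the ACL-REDIRECT list quoted in reply 8 (port names resolved to numbers).

# (action, protocol, source port or None, destination host or None, destination port or None)
ACL_REDIRECT = [
    ("deny", "udp", 67, None, None),                 # deny udp any eq bootps any
    ("deny", "udp", None, None, 68),                 # deny udp any any eq bootpc
    ("deny", "udp", 68, None, None),                 # deny udp any eq bootpc any
    ("deny", "udp", None, None, 53),                 # deny udp any any eq domain
    ("deny", "tcp", None, None, 53),                 # deny tcp any any eq domain
    ("deny", "ip", None, "192.168.154.119", None),   # deny ip any host <policy server>
    ("deny", "ip", None, "192.168.150.25", None),    # deny ip any host <DHCP/DNS server>
    ("permit", "tcp", None, None, 80),               # permit tcp any any eq www
]

def first_match(acl, flow):
    """Return the action of the first ACE matching the flow, or None (implicit deny)."""
    for action, proto, sport, dhost, dport in acl:
        if proto != "ip" and proto != flow["proto"]:
            continue
        if sport is not None and sport != flow["sport"]:
            continue
        if dhost is not None and dhost != flow["dst"]:
            continue
        if dport is not None and dport != flow["dport"]:
            continue
        return action
    return None  # implicit deny at the end of every IOS ACL

def redirected(acl, flow, platform):
    """Platform semantics as reply 7 describes them: on a WLC the ACL permits what must pass and the
    denied rest is intercepted (HTTP redirected); on an IOS/IOS-XE switch the permitted traffic is redirected."""
    action = first_match(acl, flow) or "deny"
    if platform == "wlc":
        return action == "deny"
    if platform == "ios":
        return action == "permit"
    raise ValueError("platform must be 'wlc' or 'ios'")

# Constructed sample flows from a guest client before web authentication
FLOWS = {
    "dhcp discover": {"proto": "udp", "sport": 68, "dst": "255.255.255.255", "dport": 67},
    "dns lookup": {"proto": "udp", "sport": 51000, "dst": "192.168.150.25", "dport": 53},
    "portal https": {"proto": "tcp", "sport": 51001, "dst": "192.168.154.119", "dport": 443},
    "web browsing": {"proto": "tcp", "sport": 51002, "dst": "203.0.113.10", "dport": 80},
}

def redirect_table(acl, platform):
    return {name: redirected(acl, flow, platform) for name, flow in FLOWS.items()}
```

    Run the same ACL through both platforms and only the IOS reading redirects web browsing while letting DHCP, DNS and the portal through; the WLC reading does the opposite, which is the mismatch the thread is chasing.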