Security

Hello!

So i have set up an ISE and checked with Wiresharks whats going on. The ISE sends a CoA-Request with Calling-Station-Id and 3 Cisco-AVPairs:

Radius:Cisco    Cisco-AVPair    =    subscriber:command=reauthenticate
Radius:Cisco    Cisco-AVPair    =    subscriber:reauthenticate-type=last
Radius:Cisco    Cisco-AVPair    =    audit-session-id=0a6fa8c00000000301c04953

The first two are static so it's no problem to write them into the Enforcement Profile. The last one is a tricky one how can I send the audit-session-id back to the WLC? CPPM knows the audit-session-id because I can see it in the Access Tracker -> Request Details -> RADIUS Request Data

Is there a variable available similar to %{Connection:Client-Mac-Address-Colon} for the clients MAC address which i could put into the enforcement profile?

 Regards Carson

In your redirect are you adding...

url-redirect=https://IP.ADDRESS.OF.CPG/guest/YOUR_PAGE_NAME.php?mac=%{Connection:Client-Mac-Address-Colon}

Hello!

What's the point to send the Redirect-Url again in the RADIUS_CoA Request? This already happened in the first RADIUS response.

Here is my workflow:

1. Client associates to WLC
2. WLC sends MAC-Auth Request to CPPM
3. CPPM sends Access-Accept to WLC with url-redirect and url-redirect-acl because of unknown MAC
4. Client opens browser and tries to access a website
5. WLC intercepts and sends HTTP-Redirect to CPG
6. Browser opens the CPG portal page
7. User enters the guest account informations
8. CPG checks the guest account with CPPM
9. CPPM sends RADIUS_CoA Request to WLC with subscriber:command=reauthenticate, subscriber:reauthenticate-type=last and audit-session-id
10. WLC sends MAC-Auth Request to CPPM again triggered by the RADIUS_CoA
11. CPPM sends Access-Accept to WLC with Airespace-ACL-Name because MAC is now known

It works up to the step 9. Here the audit-session-id must be sent but i dont know what to write in the enforcement profile.

Regards Carson

Hello,

I was having the same problem until I switched the WLC NAD port on CPPM to 1700. As soon as that was done, CoA started working. You don't need to add the audit session ID (the calling station ID is just what is needed, nor the reauthenticate last)

let me just add for reference all that I did in an attached PDF, it may help someone... If anyone has a better way of doing this I'm all hears (I'm really starting to put my hands in CPPM, so I'm probably still doing lots of mistakes...)

Enjoy and comment!

Flow is:

Endpoint associates, tries MAC Auth and generates RADIUS request to CPPM - 1st pass on mac auth service (allow all mac)

On CPPM endpoint is unknown - gets returned an access-acept plus an URL redirect

Person using endpoint goes to web browser and gets redirected to CPPM portal and authenticates

This authentication is processed in CPPM via a webauth service that will:

Map a role to the endpoint

Generate a coa for the controller to reauthenticate the user (new mac auth - 2nd pass)

This 2nd pass will then be catched by the same mac auth service, but this time (during 5 minutes after accounting start) the endpoint will have roles in its policy cache. These roles will be matched and the appropriate RADIUS attributes will be returned (specific dacl's for instance)

When user disconnects:

Controller will need to time out the endpoint, then send accounting stop to CPPM. CPPM will keep endpoint policy cache in during 5 minutes and then purge it. Next time user associates ---> start all over again.

g9ais,

Can you paste the config for your ACL here? I've found that the various guides isn't always the right way to configure the redirect ACL so it's interresting to see how you've done it.

I'm looking for real life examples, as my experience differs a bit from the guides.

I've done this on Cisco 5760 (IOS XE) and the guides said this should be the ACL:

        deny udp any eqbootpsany

        deny udp any anyeqbootpc  

        deny udp any eqbootpcany

   # above 3 rules block DHCP

        deny udp any anyeq domain

        deny tcp any anyeq domain

  # block DNS

        deny ip any host 192.168.154.119     # block access to ISE server

        deny ip any host 192.168.150.25       # block access to DHCP/DNS servers

        permit tcp any anyeq www   # permit www and/or 443

Atleast - it didn't work with IOS XE 3.3.1, but now it's upgraded to 3.3.3 and then the ACL had to be changed to reflect the same as mentioned above. So - thats why I'm looking at how people are implementing the ACL.