CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
04-12-2014 07:42 AM
Hello!
Does someone here know what a RADIUS_CoA Enforcement Profile for a Cisco WLC must look like? I want to have Central Web Authentication similar to how it is done with the Cisco ISE.
I'm almost finished getting this working. The client can associate to the Guest network and gets an IP address. CPPM puts the client in the WEBAUTH_REQD state and sets the "Redirect URL" together with the "AAA Override ACL Name". Redirect to the ClearPass Guest portal page works fine and I can enter the guest account information. Everything looks fine in Access Tracker but unfortunately the CoA Request is not working. Debug on the WLC shows the following error:
*radiusRFC3576TransportThread: Apr 12 14:34:55.447: Invalid attributes received in 'RFC-3576 CoA-Request' from 192.168.111.20
RADIUS_CoA works when I use the Change Status function in the Access Tracker: I can terminate the client session with the RADIUS CoA Type [Cisco - Terminate Session].
What has to be sent to the WLC in order to put a client from WEBAUTH_REQD into the RUN state?
Regards Carson
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
04-12-2014 04:36 PM
Hello!
So I have set up an ISE and checked with Wireshark what's going on. The ISE sends a CoA-Request with Calling-Station-Id and 3 Cisco-AVPairs:
Radius:Cisco Cisco-AVPair = subscriber:command=reauthenticate
Radius:Cisco Cisco-AVPair = subscriber:reauthenticate-type=last
Radius:Cisco Cisco-AVPair = audit-session-id=0a6fa8c00000000301c04953
The first two are static so it's no problem to write them into the Enforcement Profile. The last one is tricky: how can I send the audit-session-id back to the WLC? CPPM knows the audit-session-id because I can see it in the Access Tracker -> Request Details -> RADIUS Request Data.
Is there a variable available, similar to %{Connection:Client-Mac-Address-Colon} for the client's MAC address, which I could put into the enforcement profile?
Regards Carson
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
04-12-2014 10:06 PM
In your redirect are you adding...
url-redirect=https://IP.ADDRESS.OF.CPG/guest/YOUR_PAGE_NAME.php?mac=%{Connection:Client-Mac-Address-Colon}
Troy
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
04-13-2014 02:32 AM
Hello!
What's the point to send the Redirect-Url again in the RADIUS_CoA Request? This already happened in the first RADIUS response.
Here is my workflow:
1. Client associates to WLC
2. WLC sends MAC-Auth Request to CPPM
3. CPPM sends Access-Accept to WLC with url-redirect and url-redirect-acl because of unknown MAC
4. Client opens browser and tries to access a website
5. WLC intercepts and sends HTTP-Redirect to CPG
6. Browser opens the CPG portal page
7. User enters the guest account information
8. CPG checks the guest account with CPPM
9. CPPM sends RADIUS_CoA Request to WLC with subscriber:command=reauthenticate, subscriber:reauthenticate-type=last and audit-session-id
10. WLC sends MAC-Auth Request to CPPM again, triggered by the RADIUS_CoA
11. CPPM sends Access-Accept to WLC with Airespace-ACL-Name because MAC is now known
It works up to step 9. Here the audit-session-id must be sent, but I don't know what to write in the enforcement profile.
Regards Carson
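The CoA-Request from the Wireshark capture earlier in the thread (Calling-Station-Id plus three Cisco-AVPairs) on the wire, as an added Python example that is not part of this thread and not ClearPass or ISE code: it encodes the attributes as RFC 2865 TLVs and Cisco vendor-specific attributes (vendor 9, vendor-type 1), computes the RFC 5176 Request Authenticator for a CoA-Request (code 43), and decodes and verifies a packet the way a NAD does before acting on it. The shared secret, MAC address and packet identifier are constructed values; the audit-session-id is the one shown in the capture above.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet code for CoA-Request; attribute numbers from RFC 2865.
COA_REQUEST = 43
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor-type of Cisco-AVPair inside the VSA


def _tlv(type_: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", type_, 2 + len(value)) + value


def calling_station_id(mac: str) -> bytes:
    return _tlv(ATTR_CALLING_STATION_ID, mac.encode())


def cisco_avpair(text: str) -> bytes:
    """Wrap 'key=value' text in a Cisco VSA: Vendor-Id, vendor-type, vendor-length, text."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return _tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_coa_request(identifier: int, secret: bytes, attributes: list) -> bytes:
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    # RFC 5176 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What a NAD does before acting: recompute the authenticator and compare."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Decode the attribute list into (name, value) pairs, as a capture would show them."""
    body = packet[20:]
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        value = body[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                out.append(("Cisco-AVPair", value[6:4 + vlen].decode(errors="replace")))
            else:
                out.append((f"VSA-{vendor}-{vtype}", value[6:4 + vlen].hex()))
        elif t == ATTR_CALLING_STATION_ID:
            out.append(("Calling-Station-Id", value.decode(errors="replace")))
        else:
            out.append((f"Attribute-{t}", value.hex()))
        i += length
    return out


# Constructed sample values; only the audit-session-id is taken from the capture.
SECRET = b"constructed-shared-secret"
SAMPLE_COA = build_coa_request(7, SECRET, [
    calling_station_id("00-11-22-33-44-55"),
    cisco_avpair("subscriber:command=reauthenticate"),
    cisco_avpair("subscriber:reauthenticate-type=last"),
    cisco_avpair("audit-session-id=0a6fa8c00000000301c04953"),
])

if __name__ == "__main__":
    for name, value in parse_attributes(SAMPLE_COA):
        print(f"{name} = {value}")
    print("authenticator valid:", verify_coa_request(SAMPLE_COA, SECRET))
```

Besides the attribute set, the other things to check when a CoA "does nothing" are the UDP port and shared secret the NAD expects for dynamic authorization: a request whose authenticator does not verify is silently discarded per RFC 5176, so nothing shows up on the CPPM side except the missing response.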
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
05-02-2014 09:17 AM
Hello,
I was having the same problem until I switched the WLC NAD port on CPPM to 1700. As soon as that was done, CoA started working. You don't need to add the audit session ID, nor the reauthenticate last (the calling station ID is just what is needed).
Let me just add for reference all that I did in an attached PDF; it may help someone... If anyone has a better way of doing this I'm all ears (I'm really just starting to get my hands on CPPM, so I'm probably still making lots of mistakes...)
Enjoy and comment!
Flow is:
- Endpoint associates, tries MAC Auth and generates a RADIUS request to CPPM - 1st pass on the MAC auth service (allow all MAC)
- On CPPM the endpoint is unknown - it gets returned an access-accept plus a URL redirect
- Person using the endpoint goes to a web browser, gets redirected to the CPPM portal and authenticates
- This authentication is processed in CPPM via a webauth service that will:
  - Map a role to the endpoint
  - Generate a CoA for the controller to reauthenticate the user (new MAC auth - 2nd pass)
- This 2nd pass will then be caught by the same MAC auth service, but this time (for 5 minutes after accounting start) the endpoint will have roles in its policy cache. These roles will be matched and the appropriate RADIUS attributes will be returned (specific dACLs for instance)
When the user disconnects:
- The controller will need to time out the endpoint, then send an accounting stop to CPPM. CPPM will keep the endpoint policy cache for 5 minutes and then purge it. Next time the user associates ---> start all over again.
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
05-08-2014 05:08 AM
g9ais,
Can you paste the config for your ACL here? I've found that the various guides aren't always the right way to configure the redirect ACL, so it's interesting to see how you've done it.
Regards
John Solberg
-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
05-08-2014 07:03 AM
Basically for the WLC (5508, 2504, etc.) the ACL has to permit the traffic that is NOT meant to be redirected (DNS, ICMP, port 443 towards CPPM) and deny the rest.
If we're talking about an IOS switch the ACL has to deny the traffic that is NOT meant to be redirected...
You should be able to find all the info you need in the BYOD CVDs on the Cisco website.
Regards
Gustavo
Re: CPPM with Cisco WLC - Howto craft a working RADIUS_CoA Enforcement Profile
05-08-2014 07:14 AM
I'm looking for real life examples, as my experience differs a bit from the guides.
I've done this on Cisco 5760 (IOS XE) and the guides said this should be the ACL:
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
# above 3 rules block DHCP
deny udp any any eq domain
deny tcp any any eq domain
# block DNS
deny ip any host 192.168.154.119 # block access to ISE server
deny ip any host 192.168.150.25 # block access to DHCP/DNS servers
permit tcp any any eq www # permit www and/or 443
At least, it didn't work with IOS XE 3.3.1, but now it's upgraded to 3.3.3 and the ACL had to be changed to reflect the same as mentioned above. So that's why I'm looking at how people are implementing the ACL.
Regards
John Solberg
-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
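A way to check a redirect ACL against the two platform readings described in this thread (WLC: permit = bypass the redirect, deny = redirect; IOS/IOS XE switch: permit = redirect, deny = bypass), as an added Python example that is not part of this thread and not Cisco tooling. It parses the 'permit|deny proto src [eq port] dst [eq port]' subset of Cisco ACL syntax with first-match and implicit deny, then asks which constructed flows would be redirected. John's IOS XE ACL above is used with its token spacing restored; the WLC ACL, the CPPM address 192.0.2.10, the client address 10.0.0.5 and the flows are constructed. The model is a simplification: it ignores ACL direction and return traffic, which a real WLC pre-auth ACL also has to cover.

```python
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names accepted in Cisco ACL syntax (subset used here).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any port
    dst: Optional[str]
    dport: Optional[int]


@dataclass
class Flow:
    proto: str
    src_ip: str
    sport: Optional[int]
    dst_ip: str
    dport: Optional[int]


def _endpoint(tok, pos):
    """Read 'any' or 'host A.B.C.D', optionally followed by 'eq <port>'."""
    if tok[pos] == "any":
        addr, pos = None, pos + 1
    elif tok[pos] == "host":
        addr, pos = tok[pos + 1], pos + 2
    else:
        raise ValueError(f"unsupported address token: {tok[pos]}")
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        pos += 2
    return addr, port, pos


def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line}")
        src, sport, pos = _endpoint(tok, 2)
        dst, dport, _ = _endpoint(tok, pos)
        rules.append(Rule(tok[0], tok[1], src, sport, dst, dport))
    return rules


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.src is not None and rule.src != flow.src_ip:
        return False
    if rule.dst is not None and rule.dst != flow.dst_ip:
        return False
    if rule.sport is not None and rule.sport != flow.sport:
        return False
    return rule.dport is None or rule.dport == flow.dport


def acl_action(rules: List[Rule], flow: Flow) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def is_redirected(platform: str, rules: List[Rule], flow: Flow) -> bool:
    """wlc: permit = bypass redirect, deny = redirect; ios: permit = redirect, deny = bypass."""
    action = acl_action(rules, flow)
    if platform == "wlc":
        return action == "deny"
    if platform == "ios":
        return action == "permit"
    raise ValueError(f"unknown platform {platform!r}")


# John's IOS XE redirect ACL from the thread, token spacing restored.
IOS_REDIRECT_ACL = parse_acl("""
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny udp any any eq domain
deny tcp any any eq domain
deny ip any host 192.168.154.119   # ISE / policy server
deny ip any host 192.168.150.25    # DHCP/DNS server
permit tcp any any eq www
""")

# Constructed WLC pre-auth ACL in the same syntax, following Gustavo's rule of thumb
# (permit what must NOT be redirected, deny the rest); 192.0.2.10 stands in for CPPM.
WLC_REDIRECT_ACL = parse_acl("""
permit udp any any eq domain
permit icmp any any
permit tcp any host 192.0.2.10 eq 443
deny ip any any
""")

# Constructed sample flows from a guest client at 10.0.0.5.
WEB_HTTP = Flow("tcp", "10.0.0.5", 51000, "203.0.113.9", 80)
WEB_HTTPS = Flow("tcp", "10.0.0.5", 51001, "203.0.113.9", 443)
DNS_QUERY = Flow("udp", "10.0.0.5", 40000, "192.168.150.25", 53)
PORTAL_TLS = Flow("tcp", "10.0.0.5", 51002, "192.0.2.10", 443)

if __name__ == "__main__":
    for name, flow in (("http", WEB_HTTP), ("https", WEB_HTTPS), ("dns", DNS_QUERY)):
        print(f"ios {name}: redirected={is_redirected('ios', IOS_REDIRECT_ACL, flow)}")
    for name, flow in (("http", WEB_HTTP), ("dns", DNS_QUERY), ("portal", PORTAL_TLS)):
        print(f"wlc {name}: redirected={is_redirected('wlc', WLC_REDIRECT_ACL, flow)}")
```

Running it shows the practical consequence of the inverted semantics: on the switch, HTTPS is not redirected by John's ACL because only 'eq www' is permitted (a second permit line for 443 is needed for that), while on the WLC the same HTTPS-to-CPPM flow is the one the portal itself depends on and must be permitted, not denied.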