Web authentication on the wireless network can be done with the help of a Cisco ISE server.

Two types of web authentication:

  • Local
    LWA (Local Web Authentication)
    two certificates required: one for the WLC and one for the ISE
  • Central
    CWA (Central Web Authentication)
    only one certificate required (for the ISE)

First type (LWA) – the WLC redirects HTTP traffic to an internal or external server, where the user is offered the option of entering credentials. The WLC then receives these credentials (sent via an HTTP GET request in the case of an external server) and attempts RADIUS authentication. For guest users an external server is required (e.g. ISE or NAC Guest Server (NGS)), because that portal provides options such as device registration and self-provisioning.

The LWA process consists of the following steps:

  • The user associates with an SSID that uses web authentication
  • The user opens a browser
  • As soon as the user enters a URL, the WLC redirects the browser to the guest portal (e.g. ISE or NGS)
  • The user authenticates on the portal
  • The guest portal redirects the user back to the WLC together with the credentials
  • The WLC authenticates the guest user via RADIUS
  • The WLC redirects the user back to the original URL.

This process involves many redirects. LWA also requires two certificates: one on the WLC and the other on the ISE.

The newer approach, which simplifies the authentication process, is central web authentication – CWA (available from ISE version 1.1 and WLC version 7.2 … so long ago).

In this case only one certificate is required – on the Cisco ISE … because the controller only passes on the authentication request.

The CWA process consists of the following steps:

  • The user associates with an SSID that uses web authentication
  • The user opens a browser
  • The WLC redirects the browser to the guest portal
  • The user authenticates on the portal
  • ISE sends a RADIUS CoA message (Change of Authorization – UDP port 1700) to tell the WLC that the user has entered the credentials correctly, and optionally sends RADIUS attributes such as an Access Control List (ACL)
  • The user is reminded to re-enter the desired URL.

WLC configuration for LWA – FlexConnect mode (vWLC)

First of all, add the RADIUS authentication and accounting servers to the WLC…

WLC –> Security –> RADIUS –> Authentication

WLC –> Security –> RADIUS –> Accounting


Create a new WLAN (BYOD) with the following security parameters…

WLAN L2 security: none

WLAN L3 security: Web Policy

It is necessary to create a redirect ACL that allows only specific traffic (DNS, DHCP, and everything to the ISE) to reach the rest of the network; everything else is blocked until the ISE notifies the WLC whether the user is authenticated. This ACL must be two-way!

WLC –> Security –> Access Control Lists…

Add the RADIUS parameters to the WLAN…

WLC –> WLAN –> Security –> AAA Servers…

Leave the Advanced options at their defaults (Allow AAA Override is turned off). If needed, turn off the “Enable Session Timeout” option…

Note: Since “AAA Override” is not used, the WLC controls the client’s AAA parameters, and thus the duration of the session. If it is necessary that the session of a client connected to this SSID does not expire, turn off the “Session Timeout” option.

When the client connects to the BYOD SSID, it is redirected to the login page provided by the WLC. Authentication is done on the ISE, which returns the login result to the WLC.

IMPORTANT!!! Do not forget to enter the names of the WLC and the ISE in the local DNS!!!

If everything is OK, the client can access the network.

Since both the WLC and the ISE present themselves to the client, one certificate per device is required. This complicates the procedure and also raises the cost (certificates are not cheap on an annual basis).

WLC configuration for CWA – FlexConnect mode (vWLC)

Create a new WLAN (CWA) with the following security parameters…

WLAN L2 security: none + MAC Filtering

WLAN L3 security: Web Policy

It is necessary to create a redirect ACL that allows only specific traffic (DNS, DHCP, and everything to the ISE) to reach the rest of the network; everything else is blocked until the ISE notifies the WLC whether the user is authenticated.

IMPORTANT!!! The standard ACL (the one used for LWA) is not applied anywhere in the WLAN security policy here, because L2 security is “Open + MAC filtering” and L3 security is “none” (in LWA the ACL was applied under L3 security, Web Policy).

It is therefore necessary to create a FlexConnect ACL that will be used by each AP in the FlexConnect group when authenticating against Cisco ISE. A FlexConnect ACL is identical to an ordinary ACL; only the name is different. This ACL must be two-way!

WLC –> Wireless –> FlexConnect ACLs…

This ACL now needs to be added to the FlexConnect AP group…

WLC –> Wireless –> FlexConnect –> default-flex-group –> ACL Mapping –> Policies…

IMPORTANT!!! If you add the ACL under “AAA VLAN-ACL mapping” or “WLAN-ACL mapping”, that ACL is permanently applied to the VLAN (or WLAN) and as such blocks all traffic except DNS, DHCP and traffic to the ISE server.

By placing the ACL under Policies, it is used only while the client is being authenticated. After successful client authentication, the ISE returns parameters to the WLC telling it to let the client fully onto the network. Therefore it is necessary to enable the “Allow AAA Override” parameter, because the ISE is the one that defines where the client can go on the network.

The RADIUS parameters have already been added, so they now only need to be selected from the drop-down menu.

WLC –> WLAN –> Security –> AAA Servers…

In the Advanced options, turn on Allow AAA Override and NAC State.

Note: Since “AAA Override” is used, the ISE controls the client’s AAA parameters, and thus the duration of the session. If it is necessary that the session of a client connected to this SSID does not expire, enable and set the “Reauthentication” parameter on the ISE itself…

ISE –> Policy –> Policy Elements –> Authorization –> Authorization Profiles…

The final attribute details sent to the WLC after successful user authentication…

When a client connects to the CWA SSID, it is redirected to the login page provided by the ISE. Authentication is also performed on the ISE, which returns the login result to the WLC.

IMPORTANT!!! Do not forget to enter the names of the WLC and the ISE in the local DNS!!!

If everything is OK, the client can access the network.

Since only the ISE presents itself to the client (the WLC only forwards the request), only one certificate is required (on the ISE), which simplifies the procedure and is also cheaper.

Mobility Express configuration for CWA

From ME version 8.7 there is a CWA option, which is configured under the WLAN. However – IT DOESN’T WORK!!!… even though it should be automatic. It needs a little adjustment.

It also does not work in the newer version 8.8.111. In this version you do not even see the dynamic ACL generated by ME (CWA ACL Rule Name). This name has to be entered in the ISE.

It is necessary to create a WLAN with the “Central Web Auth” security type, as well as a defined RADIUS authentication and accounting server…

The “Captive Network Assistant” option allows the login page to be shown to the client automatically after it joins the SSID, and to disappear automatically once the credentials have been entered successfully.

There is a dynamic ACL in ME version 8.7 (Pre Auth ACLs), but it is impossible to add any entry to it through the GUI…

In that case, here comes the CLI!!!

Log on to ME via SSH and enter configuration mode (config).

Allow DNS over UDP (UDP is protocol 17, and the port is 53)…

flexconnect acl rule add me_cwa_acl_redirect_1 1
flexconnect acl rule action me_cwa_acl_redirect_1 1 permit
flexconnect acl rule source address me_cwa_acl_redirect_1 1 0.0.0.0 0.0.0.0
flexconnect acl rule destination address me_cwa_acl_redirect_1 1 0.0.0.0 0.0.0.0
flexconnect acl rule protocol me_cwa_acl_redirect_1 1 17
flexconnect acl rule source port range me_cwa_acl_redirect_1 1 53 53
flexconnect acl rule destination port range me_cwa_acl_redirect_1 1 0 65535
flexconnect acl rule dscp me_cwa_acl_redirect_1 1 any
flexconnect acl rule add me_cwa_acl_redirect_1 2
flexconnect acl rule action me_cwa_acl_redirect_1 2 permit
flexconnect acl rule source address me_cwa_acl_redirect_1 2 0.0.0.0 0.0.0.0
flexconnect acl rule destination address me_cwa_acl_redirect_1 2 0.0.0.0 0.0.0.0
flexconnect acl rule protocol me_cwa_acl_redirect_1 2 17
flexconnect acl rule source port range me_cwa_acl_redirect_1 2 0 65535
flexconnect acl rule destination port range me_cwa_acl_redirect_1 2 53 53
flexconnect acl rule dscp me_cwa_acl_redirect_1 2 any

Allow DHCP over UDP (UDP is protocol 17, and the port is 67)…

flexconnect acl rule add me_cwa_acl_redirect_1 3
flexconnect acl rule action me_cwa_acl_redirect_1 3 permit
flexconnect acl rule source address me_cwa_acl_redirect_1 3 0.0.0.0 0.0.0.0
flexconnect acl rule destination address me_cwa_acl_redirect_1 3 0.0.0.0 0.0.0.0
flexconnect acl rule protocol me_cwa_acl_redirect_1 3 17
flexconnect acl rule source port range me_cwa_acl_redirect_1 3 67 67
flexconnect acl rule destination port range me_cwa_acl_redirect_1 3 0 65535
flexconnect acl rule dscp me_cwa_acl_redirect_1 3 any
flexconnect acl rule add me_cwa_acl_redirect_1 4
flexconnect acl rule action me_cwa_acl_redirect_1 4 permit
flexconnect acl rule source address me_cwa_acl_redirect_1 4 0.0.0.0 0.0.0.0
flexconnect acl rule destination address me_cwa_acl_redirect_1 4 0.0.0.0 0.0.0.0
flexconnect acl rule protocol me_cwa_acl_redirect_1 4 17
flexconnect acl rule source port range me_cwa_acl_redirect_1 4 0 65535
flexconnect acl rule destination port range me_cwa_acl_redirect_1 4 67 67
flexconnect acl rule dscp me_cwa_acl_redirect_1 4 any

Allow access to the ISE, any protocol, any port…

flexconnect acl rule add me_cwa_acl_redirect_1 5
flexconnect acl rule action me_cwa_acl_redirect_1 5 permit
flexconnect acl rule source address me_cwa_acl_redirect_1 5 192.168.40.40 255.255.255.255
flexconnect acl rule destination address me_cwa_acl_redirect_1 5 0.0.0.0 0.0.0.0
flexconnect acl rule protocol me_cwa_acl_redirect_1 5 any
flexconnect acl rule source port range me_cwa_acl_redirect_1 5 0 65535
flexconnect acl rule destination port range me_cwa_acl_redirect_1 5 0 65535
flexconnect acl rule dscp me_cwa_acl_redirect_1 5 any
flexconnect acl rule add me_cwa_acl_redirect_1 6
flexconnect acl rule action me_cwa_acl_redirect_1 6 permit
flexconnect acl rule source address me_cwa_acl_redirect_1 6 0.0.0.0 0.0.0.0
flexconnect acl rule destination address me_cwa_acl_redirect_1 6 192.168.40.40 255.255.255.255
flexconnect acl rule protocol me_cwa_acl_redirect_1 6 any
flexconnect acl rule source port range me_cwa_acl_redirect_1 6 0 65535
flexconnect acl rule destination port range me_cwa_acl_redirect_1 6 0 65535
flexconnect acl rule dscp me_cwa_acl_redirect_1 6 any

Deny everything else…

flexconnect acl rule add me_cwa_acl_redirect_1 7
flexconnect acl rule action me_cwa_acl_redirect_1 7 deny

Display the ACL…

show flexconnect acl detailed me_cwa_acl_redirect_1

If you need to delete an ACL…

flexconnect acl rule delete me_cwa_acl_redirect_1 7
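The rule set above, as an added example that is not part of the original post: a small Python generator that emits the same config-mode lines for the DNS, DHCP and ISE permits and checks the two-way requirement stated earlier for the redirect ACL (every permit must have its mirror rule, and the ACL must end with a deny). The ACL name and ISE address are the page's own values; the `Rule` class and the function names are assumptions.

```python
# Added example (not the post's own code); the Rule class and helpers are assumptions.
from dataclasses import dataclass
ANY_NET = ("0.0.0.0", "0.0.0.0")   # address + wildcard mask: any host
ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "17" = UDP, "6" = TCP, or "any"
    src: tuple = ANY_NET
    dst: tuple = ANY_NET
    sport: tuple = ANY_PORTS
    dport: tuple = ANY_PORTS

    def mirror(self):
        """Return-direction rule: swap the source and destination fields."""
        return Rule(self.action, self.proto, self.dst, self.src, self.dport, self.sport)

def rule_commands(acl, idx, r):
    """Config-mode lines for one rule, in the order used on this page."""
    lines = [f"flexconnect acl rule add {acl} {idx}",
             f"flexconnect acl rule action {acl} {idx} {r.action}"]
    if r.action == "permit":
        lines += [
            f"flexconnect acl rule source address {acl} {idx} {r.src[0]} {r.src[1]}",
            f"flexconnect acl rule destination address {acl} {idx} {r.dst[0]} {r.dst[1]}",
            f"flexconnect acl rule protocol {acl} {idx} {r.proto}",
            f"flexconnect acl rule source port range {acl} {idx} {r.sport[0]} {r.sport[1]}",
            f"flexconnect acl rule destination port range {acl} {idx} {r.dport[0]} {r.dport[1]}",
            f"flexconnect acl rule dscp {acl} {idx} any"]
    return lines

def redirect_acl(ise_ip):
    """DNS, DHCP and ISE permits, each followed by its mirror, then deny all."""
    ise_host = (ise_ip, "255.255.255.255")
    forward = [Rule("permit", "17", sport=(53, 53)),   # DNS, server-side port 53
               Rule("permit", "17", sport=(67, 67)),   # DHCP, server-side port 67
               Rule("permit", "any", src=ise_host)]    # anything from the ISE
    rules = [x for r in forward for x in (r, r.mirror())]   # two-way!
    return rules + [Rule("deny", "any")]

def check_two_way(rules):
    """True if every permit has its mirror and the ACL ends with a deny."""
    permits = {r for r in rules if r.action == "permit"}
    return all(r.mirror() in permits for r in permits) and rules[-1].action == "deny"

def build(acl, ise_ip):
    rules = redirect_acl(ise_ip)
    assert check_two_way(rules), "redirect ACL is not two-way"
    return [ln for i, r in enumerate(rules, 1) for ln in rule_commands(acl, i, r)]
```

`build("me_cwa_acl_redirect_1", "192.168.40.40")` reproduces the seven rules above in the same order; dropping any single permit makes `check_two_way` fail.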

What’s left – the ISE needs to be configured so that the client is authenticated successfully.

LWA and CWA for Cisco WLC and Mobility Express