- Cisco Catalyst 9120 with EWC, version 17.3.4<\/li>
- Cisco ISE 2.7 as the RADIUS-server<\/li><\/ul>\n\n\n\n
The CWA Process with FlexConnect<\/h2>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/diagram1-1-1024x475.jpg\")
<\/figure><\/div>\n\n\n\n- The client connects to an AP. We use local switching, but central Authentication here.<\/li>
- The WLAN is configured for MAC filtering, a RADIUS Access-Request with the Clients MAC address is sent to the RADIUS-Server.<\/li>
- The RADIUS server is not aware of this MAC address and sends an Access-Accept with the first Authorisation. This includes the redirect-URL and the redirect-ACL. Both are forwarded to the AP as the FlexConnect-AP will handle the redirection.<\/li>
- The client does an HTTP request. It has to be HTTP as HTTPS redirection will always give certificate-warnings. This can be a little bit tricky nowadays as many browsers default to HTTPS. If the build-in captive-portal detection of the OS does not work, the user can point the browser to a site like neverssl.com which only uses HTTP and no HTTPS. <\/li>
- The AP intercepts the HTTP-request based on the redirect-ACL and redirects the client to the redirect-URL.<\/li>
- The client opens a new connection to the server which implements the Central Web Authentication. In my use case it is hosted on the ISE.<\/li>
- The client interacts with the captive portal. In this example it will be a simple HotSpot-page with an AUP, but it could also ask for credentials or implement a self-registration.<\/li>
- When the client went through all necessary steps of CWA, the RADIUS-server sends a CoA to the EWC\/WLC with the request to reauthenticate.<\/li>
- The EWC sends another Access-Request, similar to what was done in step (2).<\/li>
- This time the RADIUS-server is aware of the MAC-address and sends back an Access-Accept which can include authorisation like an ACL, but no redirect-ACL and no redirect-URL. This information is again forwarded to the FlexConnect-AP<\/li>
- The client can now connect to the internet or wherever our authorisation allows the client to go to.<\/li><\/ol>\n\n\n\n
The Configuration<\/h2>\n\n\n\n
Here I will only show the config that is relevant for CWA.<\/p>\n\n\n\n
The WLAN<\/h3>\n\n\n\n
This is the config of my Hotspot-WLAN under Configuration -> Tags & Profiles -> WLAN:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-14.40.36@2x.png\")
<\/figure><\/div>\n\n\n\nMAC filtering is enabled, I have a “default” Authorisation-List of type “network” that points to the ISE. Layer 2 Security Mode could also be Open if wanted.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-14.41.12@2x.png\")
<\/figure><\/div>\n\n\n\nThe Authentication-List “default” is of type “dot1x” and also points to my ISE.<\/p>\n\n\n\n
The Policy-Profile<\/h3>\n\n\n\n
This is the config of my Policy-Profile “GUESTS” under Configuration -> Tags & Profiles -> Policy<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-14.48.34@2x.png\")
<\/figure>\n\n\n\nThe GUEST-WLAN is statically bound to VLAN 1161, for my environment, the VLAN will not be changed later based on the Authorisation.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-14.50.19@2x.png\")
<\/figure><\/div>\n\n\n\nUnder Advanced -> AAA Policy we need to enable, “Allow AAA Override”, “NAC State” and define the “NAC Type” as “RADIUS”. The Accounting-List of type “identity” again points to my ISE.<\/p>\n\n\n\n
The Policy-Tag<\/h3>\n\n\n\n
This is not CWA-specific, the WLAN Profile and Policy Profile are added to the Policy-Tag (Configuration -> Tags & Profiles -> Tags -> Policy) which gets assigned to the APs.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-14.56.57@2x-1024x420.png\")
<\/figure><\/div>\n\n\n\nThe redirect-ACL<\/h3>\n\n\n\n
On step (3) of the Workflow, the RADIUS-server sends the name of the redirect-ACL. This ACL of type “IPv4 extended” is not downloaded from the RADIUS-server, it has to be configured on the EWC (Configuration -> Security -> ACL) and assigned to the APs:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-15.39.31@2x-1024x220.png\")
<\/figure><\/div>\n\n\n\nThe 9800\/EWC is based on IOS-XE, the logic of the redirect-ACL is that “deny” does not redirect and “permit” will redirect. In my example I configured:<\/p>\n\n\n\n
- no redirection for icmp<\/li>
- no redirection for traffic going to the ISE (10.255.192.141) on the portal-port (8445)<\/li>
- redirection for tcp\/80 (HTTP)<\/li><\/ul>\n\n\n\n
The Flex-Profile<\/h3>\n\n\n\n
With FlexConnect APs, the APs need to be aware of all used VLANs and ACLs. We assign these in the Flex-Profile Configuration -> Tags & Profiles -> Flex. The Flex-Profile is later added to the Site-Tag that is assigned to the AP.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-15.45.00@2x.png\")
<\/figure><\/div>\n\n\n\nUnder “VLAN” all VLANs that are used on this AP are configured. I have one for the Guests, and two for Users.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-15.45.33@2x-1024x472.png\")
<\/figure><\/div>\n\n\n\n“Policy ACL” lists all ACLs the AP needs. ACL_GUEST will later be assigned from the RADIUS-server and controls on the AP which traffic is allowed. ACL_WEBAUTH_REDIRECT is the previously configured redirect-ACL. As this ACL is used for CWA-redirection it needs the option “Central Web Auth”.<\/p>\n\n\n\n
The ISE config<\/h2>\n\n\n\n
We need two rules in the Authorisation Policy:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-15.54.25@2x-1024x289.png\")
<\/figure><\/div>\n\n\n\nI also match on the SSID-names and not only on the Endpoint Identity Group or MAB; this is a LAB-setup that includes additional config for different SSIDs with different functionality.<\/p>\n\n\n\n
Guest-Hotspot is used in step (3) of the workflow and references the Authorisation Profile WLAN-Hotspot with the following attributes:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-15.56.00@2x-1024x111.png\")
<\/figure>\n\n\n\nGuest-Access is used in step (10) of the workflow and references the Authorisation Profile Guest-Access with the following attributes:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-15.59.52@2x-1024x102.png\")
<\/figure>\n\n\n\nTesting the setup<\/h2>\n\n\n\n
When connecting to the SSID, the ISE applies the first authorisation:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.10.10@2x-1024x433.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.10.38@2x-1024x388.png\")
<\/figure><\/div>\n\n\n\nThe EWC sees the client and uses the received Authorisation:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.11.14@2x-1024x131.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.13.05@2x-1024x435.png\")
<\/figure><\/div>\n\n\n\nNext, the client is redirected to the ISE portal.<\/p>\n\n\n\n
<\/p>\n\n\n\n
After accepting the AUP, the Server issues a CoA and sends the next Authorisation:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.15.02@2x-1024x423.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.16.25@2x-1024x478.png\")
<\/figure>\n\n\n\nEWC switches to Run-State and applies the new authorisation:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.17.23@2x-1024x139.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-01-at-16.18.43@2x-1024x371.png\")
<\/figure><\/div>\n\n\n\nProblems, Pitfalls, things to mention<\/h2>\n\n\n\n
The redirection-ACL (1):<\/h3>\n\n\n\n
This is the redirection ACL on the EWC:<\/p>\n\n\n\n
ewc#sh ip access-lists
Extended IP access list ACL_WEBAUTH_REDIRECT
1 deny icmp any any echo
11 deny tcp any host 10.255.192.141 eq 8445
12 deny tcp host 10.255.192.141 eq 8445 any
30 permit tcp any any eq www<\/kbd><\/p>\n\n\n\nThis is the redirection ACL on the AP:<\/p>\n\n\n\n
ap1-c9120#sh ip access-lists
Extended IP access list ACL_WEBAUTH_REDIRECT
1 permit icmp any any
2 permit tcp any range 0 65535 10.255.192.141 0.0.0.0 eq 8445
3 permit tcp 10.255.192.141 0.0.0.0 eq 8445 any range 0 65535
4 deny tcp any range 0 65535 any eq 80<\/kbd><\/p>\n\n\n\nAs already mentioned, “permit\/deny” on the EWC uses the IOS-logic. But the AP operates in a legacy way and needs deny and permit reversed. The option “Central Web Auth” in the Flex-Profile takes care of this.<\/p>\n\n\n\n
The redirection-ACL (2):<\/h3>\n\n\n\n
Many examples for redirection ACLs include explicit statements for DNS and some also for DHCP. In my tests this was not needed.<\/p>\n\n\n\n
Other examples state that the ACL only needs to include the direction from the client to the network and that the reverse gets automatically added when the ACL is used in the Flex-Profile. This did not work for me and I needed to add lines for both directions (11 and 12 in the EWC ACL).<\/p>\n\n\n\n
Downloadable ACLs (DACLs)<\/h3>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2021\/11\/CleanShot-2021-11-02-at-15.34.25.png\")
<\/figure><\/div>\n\n\n\n