Monday 12 October 2015

Central Web Authentication with Profiling - Cisco ISE and Cisco Catalyst Switch

Central Web Authentication on a Cisco Catalyst switch (3560 or 3750-X, IOS 12.2(55)SE.x) and Cisco ISE version 1.2


A guest is someone who needs temporary, restricted access to your network, typically a visitor or a contractor, and guests are usually limited to Internet access. A guest sponsor is an employee with the rights to create guest accounts; sponsors create guest usernames and passwords and hand them to their visitors. This is commonly a job for the front-desk receptionist, who already checks visitors in: as visitors arrive, the receptionist checks them in and, if required, provides guest access for the duration of their visit.

Guest services are provided through a web authentication (WebAuth) method that requires the guest to use a browser to connect. ISE supports two deployment modes: Central Web Authentication (CWA) and Local Web Authentication (LWA).

Local Web Authentication vs Central Web Authentication

1. In Local Web Auth (LWA) the web pages are delivered by the network access device (switch/WLC); in Central Web Auth (CWA) web traffic is redirected to ISE and the pages are delivered by ISE centrally.
2. In LWA the authentication is performed by the NAD; in CWA the authentication is handled by the authentication server (the RADIUS server, ISE).
3. LWA does not support Change of Authorization (CoA). CWA supports CoA, and with it posture assessment and profiling for guests.
4. In LWA authorization enforcement uses ACLs only; VLAN assignment is not supported. CWA supports both ACLs and VLANs for authorization enforcement.
5. In LWA each device holds its own web portal files and customizations. In CWA the portal settings are made once, centrally, within ISE.



Lab:  Implement Wired Central Web Authentication for Guests 


Activity Objective 

In this activity, you will configure and deploy Central Web AuthC for enterprise guests. Central Web AuthC can provide access to users on devices that do not have an 802.1X supplicant. You will configure the MAB authentication policy to continue if the user is not found in the local user database, and you will modify the authorization policy to enable WebAuthC for enterprise guests.


Lab objectives: 

  • Implement Central Web Authentication on a switch 
  • Configure ISE authentication and Authorization for Web Authentication 

Task 1: Configure Switch for Central Web Authentication 

In this task, you will prepare SW6 to support Central Web Authentication. You will enable CoA on the switch, configure an ACL that selects the traffic to be redirected to the web authentication portal, enable the HTTP and HTTPS servers on the switch, and configure interface G1/0/20 (where the Guest-PC attaches) for dynamic authentication and authorization.

Activity Procedure  

Complete the following steps: 


Step 1 On the switch, enable Change of Authorization (CoA) and define ISE as the dynamic-authorization client. CoA lets ISE push an updated authorization to the switch when it recognises a change in session state. Here the initial authorization will redirect the guest's web traffic to the ISE web authentication portal; after the user authenticates to the portal, ISE uses CoA to have the switch reauthorize the session and apply the user-specific profile. Use the same shared secret that the RADIUS server definition uses (the key of the radius-server host command). The 0 in server-key 0 means the key is entered in clear text.

aaa server radius dynamic-author
 client 10.11.11.130 server-key 0 cisco123
exit
! 10.11.11.130 is the ISE node; cisco123 is the key already used in the radius-server host command


Step 2 Configure an ACL that classifies the traffic to be redirected to Web Authentication.
This ACL matches HTTP (TCP/80) and HTTPS (TCP/443), plus TCP/8443; traffic that matches a permit entry is intercepted by the switch and redirected to the portal. A permit in this ACL means "redirect", not "allow": it never blocks anything. Many deployments also place a deny for the ISE node address at the top of this ACL so that the portal traffic itself is never intercepted.
The ACL is referenced by name from an authorization profile on Cisco ISE, so the name must match exactly.


ip access-list extended WEBAUTH-REDIRECT-ACL
    permit tcp any any eq www
    permit tcp any any eq 443
    permit tcp any any eq 8443
exit



Step 3 Generate an RSA key pair and enable the HTTP and HTTPS servers. The key pair is needed for the HTTPS server, and the switch must run both servers to intercept the guest's web requests and redirect them to the Central Web AuthC portal on Cisco ISE. The lab uses a 1024-bit modulus; 1024-bit RSA is considered weak today, and a 2048-bit modulus should be generated where the platform and IOS version allow it. Enabling these servers also exposes the switch's own web management interface, so restrict it (for example with ip http access-class) in production.

ip domain-name ccieacademy.com
crypto key generate rsa general-keys modulus 1024
ip http server
ip http secure-server

Step 4 This lab exercise uses the Guest-PC to demonstrate Web Authentication. The Guest-PC is connected to interface G1/0/20 on SW6. With this configuration the switch runs MAB first (authentication order mab dot1x) and falls through to 802.1X if MAB fails (authentication event fail action next-method); this is why the console later shows "Failing over from 'mab'" before the ISE policy for unknown endpoints is in place.
interface G1/0/20
 switchport access vlan 50
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 1000
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
exit


Task 2: Configure ISE Authentication for Web Authentication
In this task, you will make sure the MAB authentication rule continues when the MAC address is not found (Policy > Authentication, MAB rule, Options: If user not found = Continue), so that an unknown endpoint reaches the authorization policy instead of being rejected outright. You will also tune the default guest portal settings and disable the self-provisioning flow.




Activity Procedure

Complete the following steps: 

Step 1 Examine and tune the default guest portal settings: 
a. Go to Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > Default Guest Portal. 

b. Click the Operation tab. Uncheck Enable Self-Provisioning Flow and uncheck Require guest user to change password at expiration and first login, then click Save.

c. Click the Authentication tab. Examine which identity store sequence is used by default. You should see that the Guest_Portal_Sequence is the default selection. When web traffic is later redirected to WebAuth, this source sequence defines the user databases to consult.



Step 2 In Task 1, you configured 802.1X and MAB on interface G1/0/20, and there has been authentication activity since then.

Examine the failed access attempts through the GigabitEthernet1/0/20 interface:
a. Go to Operations > Authentications and view the access attempts.
b. Click the details button and examine the failure reason. Examine the steps listed on the right side of the details report. The Guest-PC MAC address is not found in the internal endpoints database, so MAB has nothing to match; with no authorization rule matching the request, the default rule applies the DenyAccess authorization profile, which results in a RADIUS Access-Reject.

Task 3: Configure ISE Authorization to Enforce Traffic Redirection 

You will start this task by creating a new dACL which controls access prior to web authentication. You will then create an authorization profile, named Central-WEBAUTH, that references the dACL and enforces traffic redirection to the WebAuthC portal. Authorization profiles are only applied when an authorization policy rule references them, so you will configure a rule that pushes the Central-WEBAUTH profile for MAB requests from endpoints that no more specific rule has matched. That condition, Network Access:UseCase EQUALS Host Lookup, matches any MAB request; because the rule sits just above the Default rule, it catches the MAB sessions left over after the more specific rules. You will finish by verifying the behaviour from the Guest-PC. Because the MAB authentication rule is set to continue when the user is not found, the result is passed to the authorization process, which matches the web authentication rule; the NAD is then instructed to redirect the endpoint's HTTP and HTTPS traffic to the ISE web authentication portal.

Activity Procedure
Complete the following steps:

Step 1 Create a new dACL named Pre-WebAuth-ACL which permits basic networking services and communications with the policy service features in ISE.

a. In ISE, navigate to Policy > Policy Elements > Results, Authorization > Downloadable ACLs. 
b. Click Add. 
c. Enter Pre-WebAuth-ACL in the Name field. 
d. Define the ACL entries as follows:


e. Expand the Check DACL Syntax option. If it does not report that the DACL syntax is valid, recheck your work. 
f. Click Submit

Step 2 Create a new authorization profile (Policy > Policy Elements > Results, Authorization > Authorization Profiles > Add).

Configure these attributes:
a. Name: Central-WEBAUTH
b. Access Type: ACCESS_ACCEPT 
c. dACL: Pre-WebAuth-ACL 
Note: This dACL controls the traffic allowed before the user is authenticated by WebAuth. It must permit at least DHCP, DNS and the traffic to the ISE portal, otherwise the redirect can never complete.
d. Web Redirection: Centralized, ACL: WEBAUTH-REDIRECT-ACL, Redirect: Default

Note: The redirect ACL does not block traffic. It selects which of the traffic already permitted by the dACL is intercepted and redirected to the web authentication portal.
Note: The redirect ACL name must match exactly (including case) the ACL configured on the switch. ISE sends only the name to the switch, in the url-redirect-acl attribute, and the switch has nothing to apply if no ACL of that name exists.
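To make the distinction between the two ACLs concrete, here is an added example (written for this write-up, not part of the original lab and not Cisco code) that models how the switch port treats a flow under the Central-WEBAUTH authorization: the dACL decides whether a flow is forwarded at all, and only flows the dACL permits can then be selected by the redirect ACL. The WEBAUTH-REDIRECT-ACL and CWA-Guest-ACL entries are the ones shown in this lab's switch output; PRE_WEBAUTH_ACL is an assumed set of entries, because the lab does not print the Pre-WebAuth-ACL contents, and the leading deny for the ISE node in the modelled redirect ACL is the commonly recommended addition, not the lab's configuration. Addresses are the lab's.

```python
"""Model of a Catalyst port's dACL + URL-redirect ACL decision under CWA.

Added example for this lab write-up, not Cisco code. IOS ACL semantics are
first match wins, with an implicit deny at the end of every list.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Port keywords that appear in the lab ACLs (IOS prints names for well-known ports).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None means any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in self.src or ip_address(f.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == f.dport


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _target(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one 'any' / 'host A.B.C.D' / 'A.B.C.D wildcard' spec at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; ipaddress accepts them as hostmasks.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse extended-ACL lines as IOS shows them, with or without sequence numbers."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0].isdigit():      # drop the sequence number from 'show ip access-lists'
            t = t[1:]
        if not t or t[0] in ("!", "remark"):
            continue
        action, proto = t[0], t[1]
        src, i = _target(t, 2)
        dst, i = _target(t, i)
        dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def first_match(acl: List[Ace], f: Flow) -> str:
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"                     # implicit deny at the end of every IOS ACL


def port_decision(dacl: List[Ace], redirect_acl: List[Ace], f: Flow) -> str:
    """Return 'drop', 'redirect' or 'forward' for one flow entering the port."""
    if first_match(dacl, f) == "deny":
        return "drop"                 # only the dACL blocks traffic
    if first_match(redirect_acl, f) == "permit":
        return "redirect"             # a permit in the redirect ACL means 'intercept'
    return "forward"


# Redirect ACL from the lab, with an assumed leading deny for the ISE node so the
# portal traffic itself is never intercepted.
WEBAUTH_REDIRECT_ACL = parse_acl("""
deny tcp any host 10.11.11.130
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
""")

# Assumed contents of Pre-WebAuth-ACL: the lab does not print them.
PRE_WEBAUTH_ACL = parse_acl("""
permit udp any any eq bootps
permit udp any any eq domain
permit ip any host 10.11.11.130
permit tcp any any eq www
permit tcp any any eq 443
""")

# CWA-Guest-ACL as shown by 'show ip access-lists' in the Task 4 verification.
CWA_GUEST_ACL = parse_acl("""
10 deny icmp any any
20 permit udp any any eq domain
30 deny tcp any host 172.20.10.6 eq www
40 deny tcp any host 172.30.10.6 eq www
50 permit tcp any any eq www
60 permit tcp any any eq 443
""")

GUEST = "172.50.10.1"                 # the Guest-PC address from the lab output

if __name__ == "__main__":
    for label, dacl, racl in (("pre-auth", PRE_WEBAUTH_ACL, WEBAUTH_REDIRECT_ACL),
                              ("guest", CWA_GUEST_ACL, [])):
        for f in (Flow("tcp", GUEST, "198.51.100.10", 80),
                  Flow("tcp", GUEST, "10.11.11.130", 8443),
                  Flow("tcp", GUEST, "172.20.10.6", 80),
                  Flow("icmp", GUEST, "198.51.100.10")):
            print(label, f, "->", port_decision(dacl, racl, f))
```

Running it shows the point of the two notes above: in the pre-auth state a web request to any host is redirected, the request to the ISE portal on 8443 is forwarded untouched, and a flow the dACL does not permit (SSH, ICMP) is dropped before the redirect ACL is ever consulted; after CoA, with CWA-Guest-ACL and no redirect ACL, the same web request is simply forwarded or, for the two blocked servers, dropped.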


e. Click Submit.

Note: The goal is to push this authorization profile to the authenticating interface on the NAD when the endpoint doesn't have a supplicant (hence, 802.1X fails) and the endpoint MAC address is not in ISE's internal endpoint database (hence MAB fails). In the previous task, you configured the MAB authentication rule to continue when the user (MAC address) was not found. In the next step, you will configure an authorization policy rule that will apply this authorization profile under those circumstances. With this authorization profile pushed to the NAD, when the user on the endpoint opens a browser and generates some web traffic, the traffic will be redirected to Web Authentication.


Step 3 In the authorization policy (Policy > Authorization), add a rule named GLOBAL-WEBAUTH immediately above the last rule (Default). It will be used to enforce traffic redirection to Web Authentication.
a. Click the drop-down arrow near the Edit link of the Default rule and choose Insert New Rule Above.
b. Change the name from Standard Rule 1 to GLOBAL-WEBAUTH. In the Conditions field, select Create New Condition (Advanced Option).
c. Define the expression as follows: Attribute: Network Access:UseCase, Operator: Equals, Value: Host Lookup.
d. In the Permissions field, choose Standard > Central-WEBAUTH.
e. Click Save.


f. On the Guest-PC, open Network and Sharing Center and navigate to Change adapter settings.
g. Double-click the Guest NIC, open the Authentication tab, uncheck Enable IEEE 802.1X authentication, click OK and close all windows. With the supplicant disabled the Guest-PC no longer answers EAP requests, so the switch authorizes it by MAB alone and the new rule applies.


Activity Verification 
Step 1 View the access attempts in Cisco ISE. In the Operations > Authentications menu you will see a successful authentication of the Guest-PC MAC address. The authentication method is MAB, the authentication protocol is Lookup, and the authorization profile is Central-WEBAUTH. After the event applying this policy, you should see a second event documenting the download of the Pre-WebAuth-ACL dACL by the switch.

Step 2 Click the details link for event where the Central-WEBAUTH authorization profile is applied. Examine the steps documented on the right hand side of the details report. The steps should be similar to what is shown below.


Step 3 Examine the authentication and authorization of the client on the switch. You should see that the ISE sent to the switch the Pre-WebAuth-ACL dACL, the name of URL Redirect ACL and the redirect URL. The redirect URL includes the common session ID, visible in the output.


SW6#
*Mar  1 02:05:00.329: %AUTHMGR-5-START: Starting 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar  1 02:05:00.338: %MAB-5-FAIL: Authentication failed for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar  1 02:05:00.338: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar  1 02:05:00.338: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar  1 02:05:00.346: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar  1 02:05:48.966: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to down
*Mar  1 02:05:50.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to up
*Mar  1 02:05:52.154: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to down
*Mar  1 02:05:53.161: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to down
*Mar  1 02:05:54.369: %AUTHMGR-5-START: Starting 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar  1 02:05:54.419: %MAB-5-SUCCESS: Authentication successful for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar  1 02:05:54.419: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar  1 02:05:54.427: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| EVENT APPLY
*Mar  1 02:05:54.452: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT Auth-Default-ACL Attached Successfully
*Mar  1 02:05:54.461: %EPM-6-AAA: POLICY xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| EVENT DOWNLOAD-REQUEST
*Mar  1 02:05:54.754: %EPM-6-AAA: POLICY xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| EVENT DOWNLOAD-SUCCESS
*Mar  1 02:05:54.754: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| EVENT IP-WAIT
*Mar  1 02:05:55.459: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar  1 02:05:56.139: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to up
*Mar  1 02:05:57.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to up
*Mar  1 02:06:01.147: %EPM-6-IPEVENT: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
*Mar  1 02:06:01.155: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| RESULT SUCCESS
*Mar  1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000003007344DC&action=cwa| RESULT SUCCESS
*Mar  1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME WEBAUTH-REDIRECT-ACL| RESULT SUCCESS



SW6#sh authentication sessions int g1/0/20
         Interface:  GigabitEthernet1/0/20
         MAC Address:  0022.4d6a.6fc2
         IP Address:  172.50.10.1
         User-Name:  00-22-4D-6A-6F-C2
         Status:  Authz Success
         Domain:  DATA
         Security Policy:  Should Secure
         Security Status:  Unsecure
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe
         URL Redirect ACL:  WEBAUTH-REDIRECT-ACL
         URL Redirect:  https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000005009082BE&action=cwa
         Session timeout:  N/A
         Idle timeout:  1000s (local), Remaining: 986s
         Common Session ID:  0A0B0B0600000005009082BE
         Acct Session ID:  0x0000000A
         Handle:  0x06000005

Runnable methods list:
        Method   State
        mab      Authc Success
        dot1x    Not run





Step 4 The Web Authentication policy is in place on interface G1/0/20 for the Guest-PC which is connected to this interface. Submit a connection request from Internet Explorer on the Guest-PC. 
a. Connect to the Guest-PC. If needed, log in as administrator with the password Cisc0123. 

b. Open Internet Explorer and connect to the SW6 http server (http://10.11.11.6/). You should be redirected to the guest portal.

Note: The specification of any valid HTTP URL would suffice. In fact, with most browsers today, entering any string into the URL entry field leads to a search engine query for that string. In such cases, the search engine query would still be intercepted and a connection to the web authentication portal would result. 

c. Before authenticating, examine the redirect URL in the browser address bar. Note that the URL carries the session ID in its sessionId query parameter.


Note: The common session ID is what keeps ISE and the switch in sync with operations. The session ID embedded in the URL is identical to the common session ID that was documented on the switch. Because it is carried in the URL, the ISE web portal can identify that the user is trying to authenticate for this particular session ID amongst any other WebAuth sessions that may be running in parallel. 
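The following added example (this write-up's own, not Cisco's or ISE's code) shows how the sync described in the note can be checked from the switch console messages shown in Step 3: it parses the AUTHMGR and EPM lines per AuditSessionID, recovers the dACL, redirect ACL, redirect URL and VLAN applied to each session, and flags any redirect URL whose sessionId does not match the session it was logged for. The sample lines are copied from this lab's output; the last one is constructed, with a deliberately mismatched sessionId, to exercise the check, and the function names are this example's own.

```python
"""Rebuild CWA session state from Catalyst AUTHMGR/EPM syslog lines.

Added example for this write-up, not Cisco or ISE code. It parses the message
formats visible in the lab console output, rebuilds per AuditSessionID which
dACL, redirect ACL, redirect URL and VLAN the switch applied, and checks that
the sessionId in the redirect URL is the session the switch logged it for.
"""
import re
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlparse

SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-F]+)")
MAB_RE = re.compile(r"%MAB-5-(SUCCESS|FAIL)")
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+)")
POLICY_RE = re.compile(
    r"POLICY_TYPE (?P<type>[^|]+?)\| POLICY_NAME (?P<name>[^|]+?)\s*\| RESULT (?P<result>\w+)")
# ISE names a downloaded dACL xACSACLx-IP-<ISE name>-<hex version> on the switch.
DACL_RE = re.compile(r"^xACSACLx-IP-(?P<name>.+)-(?P<version>[0-9a-f]+)$")


def ise_dacl_name(switch_name: str) -> Optional[str]:
    """Map the per-user ACL name the switch shows back to the dACL name in ISE."""
    m = DACL_RE.match(switch_name.strip())
    return m.group("name") if m else None


def _new_session() -> Dict:
    return {"mab": None, "dacl": None, "redirect_acl": None,
            "redirect_url": None, "vlan": None, "problems": []}


def rebuild_sessions(lines: Iterable[str]) -> Dict[str, Dict]:
    sessions: Dict[str, Dict] = {}
    for line in lines:
        sid_m = SESSION_RE.search(line)
        if not sid_m:
            continue                      # e.g. EPM-6-AAA download lines carry no session ID
        sid = sid_m.group(1)
        s = sessions.setdefault(sid, _new_session())
        if m := MAB_RE.search(line):
            s["mab"] = m.group(1).lower()
        if m := VLAN_RE.search(line):
            s["vlan"] = int(m.group(1))
        m = POLICY_RE.search(line)
        if not m or m.group("result") != "SUCCESS":
            continue
        ptype, name = m.group("type"), m.group("name").strip()
        if ptype == "Named ACL":
            s["dacl"] = ise_dacl_name(name) or name
        elif ptype == "URL Match ACL":
            s["redirect_acl"] = name
        elif ptype == "URL Redirect":
            s["redirect_url"] = name
            url_sid = parse_qs(urlparse(name).query).get("sessionId", [None])[0]
            if url_sid != sid:
                s["problems"].append(f"redirect URL carries sessionId {url_sid}, logged for {sid}")
    return sessions


def session_phase(s: Dict) -> str:
    """'portal' while a redirect URL is applied, 'authorized' once CoA replaced it."""
    return "portal" if s["redirect_url"] else "authorized"


# Console lines copied from the lab output (the 02:05 pre-auth session and the
# 02:39 post-login session), plus one constructed line with a mismatched
# sessionId to exercise the check.
LAB_LOG = """
*Mar  1 02:05:54.419: %MAB-5-SUCCESS: Authentication successful for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar  1 02:05:54.461: %EPM-6-AAA: POLICY xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| EVENT DOWNLOAD-REQUEST
*Mar  1 02:06:01.155: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| RESULT SUCCESS
*Mar  1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000003007344DC&action=cwa| RESULT SUCCESS
*Mar  1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME WEBAUTH-REDIRECT-ACL| RESULT SUCCESS
*Mar  1 02:39:35.503: %MAB-5-SUCCESS: Authentication successful for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar  1 02:39:35.503: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar  1 02:39:35.671: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000005009082BE| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-CWA-Guest-ACL-5614c353 | RESULT SUCCESS
*Mar  1 02:50:00.000: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.2| MAC 0000.0000.0001| AuditSessionID 0A0B0B060000000900000001| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B060000000800000000&action=cwa| RESULT SUCCESS
"""

if __name__ == "__main__":
    for sid, s in rebuild_sessions(LAB_LOG.strip().splitlines()).items():
        print(sid, session_phase(s), s)
```

The two lab sessions come out as expected: the 02:05 session is in the portal phase with Pre-WebAuth-ACL and WEBAUTH-REDIRECT-ACL and a redirect URL whose sessionId matches; the 02:39 session is authorized with VLAN 50 and CWA-Guest-ACL and no redirect. The constructed line is the only one reported under problems. Feeding the same parser a syslog export from the switch gives a quick per-session view of which dACL and redirect state each endpoint is in.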


Step 5 Authenticate to the guest portal as test-guest1 with the password Cisc0123. Accept the AUP. 

Step 6 You should be notified of a success and instructed to retry the original request.  

Step 7 Attempt to connect to http://10.11.11.6 again. This takes you to the guest portal again, because you have not yet configured an authorization rule for guests authenticated via WebAuth. That is completed in the next task.

Step 8 Before configuring an authorization rule for guests authenticated via WebAuth, examine ISE's live authentications at Operations > Authentications. You should see that, after the Central-WEBAUTH profile was applied, the user test-guest1 did pass guest authentication.
ISE then sent a CoA and the switch re-ran MAB for the session, but no authorization rule matched the guest-authenticated user more specifically than the GLOBAL-WEBAUTH rule, so the Central-WEBAUTH profile was applied again.



Task 4: Configure ISE Authorization Rule for Guests Authenticated via WebAuth

In this task, you will add an authorization policy rule for guests who authenticate via WebAuth.
This rule must be placed above the GLOBAL-WEBAUTH rule, because rules are evaluated top-down and a Host Lookup condition would otherwise catch the guest's MAB request first. The rule requires that the user belongs to the Guest identity group in the internal identity store. That condition is met only after the user has successfully authenticated through the portal: ISE then sends a CoA to the switch, the switch re-runs MAB for the session, and the new request is authorized with the guest's identity attached.

Activity Procedure
Complete the following steps: 

 Step 1 Create a new dACL named CWA-Guest-ACL which defines the access a guest receives after authenticating via WebAuth.
a. In ISE, navigate to Policy > Policy Elements > Results, Authorization > Downloadable ACLs. 
b. Click Add. 
c. Enter CWA-Guest-ACL in the Name field. 
d. Define the ACL entries as follows. They are the six entries that later appear on the switch as xACSACLx-IP-CWA-Guest-ACL in the Task 4 verification output: deny ICMP from any to any; permit DNS (UDP/53) to any; deny HTTP (TCP/80) to the hosts 172.20.10.6 and 172.30.10.6; then permit HTTP (TCP/80) and HTTPS (TCP/443) to any destination. Everything else is dropped by the implicit deny.

e. Expand the Check DACL Syntax option. If it does not report that the DACL syntax is valid, recheck your work. 
f. Click Submit.

Step 2 Create a new authorization profile (Policy > Policy Elements > Results, Authorization > Authorization Profiles > Add).
Configure these attributes:
a. Name: Global-CWA 
b. Access Type: ACCESS_ACCEPT 
c. dACL: CWA-Guest-ACL    
d. VLAN Tag: 50


Step 3 Add a new rule, named CWA For Guests, to the authorization policy to define the access privileges for guests authenticating via WebAuth.
a. In ISE, navigate to Policy > Authorization.
b. Place the rule directly above the GLOBAL-WEBAUTH rule: click the arrow near the Edit button of the GLOBAL-WEBAUTH rule and choose Insert New Rule Above.
c. Change the name from Standard Rule 1 to CWA For Guests.
d. In the Identity Groups field, choose User Identity Groups > Guest.
e. In the Permissions field of the new rule, choose Standard > Global-CWA.
f. Click Done and Save the changes.


Activity Verification 



 Step 1 View the access attempts in Cisco ISE (Operations > Authentications). Until the guest logs in, the Guest-PC is still authorized with the Central-WEBAUTH profile and the Pre-WebAuth-ACL, exactly as in the Task 3 verification.

Step 2 On the switch, the console messages and the show authentication sessions output are the same as in the Task 3 verification: the Pre-WebAuth-ACL dACL, the WEBAUTH-REDIRECT-ACL name and the redirect URL carrying the common session ID.

Step 3 The Web Authentication policy is in place on interface G1/0/20 for the Guest-PC which is connected to this interface. Submit a connection request from Internet Explorer on the Guest-PC. 
a. Connect to the Guest-PC. If needed, log in as administrator with the password Cisc0123. 

b. Open Internet Explorer and connect to the SW6 http server (http://10.11.11.6). You should be redirected to the guest portal.

Step 4 Authenticate to the guest portal as test-guest1 with the password Cisc0123. Accept the AUP.

Step 5 You should be notified of a success and instructed to retry the original request. In the background ISE has sent a CoA to SW6 and the switch has re-run MAB for the session; this time the CWA For Guests rule matches.

Step 6 Attempt to connect to http://10.11.11.6 again. This time the request is not intercepted and takes you to the requested URL.

Step 7 Verify the authentication report on Cisco ISE: the MAB reauthentication that followed the CoA should show the CWA For Guests rule and the Global-CWA authorization profile.

Step 8 Verify the logs on the console of SW6. After the CoA the switch runs MAB again for the same session ID (0A0B0B0600000005009082BE), assigns VLAN 50, and downloads and applies the CWA-Guest-ACL dACL in place of the Pre-WebAuth-ACL; no redirect URL or redirect ACL is applied any more, which is why the web request is now forwarded.


SW6#
*Mar  1 02:39:35.503: %MAB-5-SUCCESS: Authentication successful for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar  1 02:39:35.503: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar  1 02:39:35.503: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar  1 02:39:35.503: %EPM-6-POLICY_REQ: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000005009082BE| AUTHTYPE DOT1X| EVENT APPLY
*Mar  1 02:39:35.528: %EPM-6-AAA: POLICY xACSACLx-IP-CWA-Guest-ACL-5614c353| EVENT DOWNLOAD-REQUEST
*Mar  1 02:39:35.671: %EPM-6-AAA: POLICY xACSACLx-IP-CWA-Guest-ACL-5614c353| EVENT DOWNLOAD-SUCCESS
*Mar  1 02:39:35.671: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000005009082BE| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-CWA-Guest-ACL-5614c353 | RESULT SUCCESS
*Mar  1 02:39:36.057: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
SW6#

SW6#show ip access-lists interface G1/0/20
     deny icmp any any
     permit udp any any eq domain
     deny tcp any host 172.20.10.6 eq www
     deny tcp any host 172.30.10.6 eq www
     permit tcp any any eq www
     permit tcp any any eq 443


SW6#sh ip access-lists
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348 (150 matches)
    20 permit udp any any range bootps 65347 (2 matches)
    30 deny ip any any
Extended IP access list WEBAUTH-REDIRECT-ACL
    10 permit tcp any any eq www (78 matches)
    20 permit tcp any any eq 443
    30 permit tcp any any eq 8443 (406 matches)

Extended IP access list xACSACLx-IP-CWA-Guest-ACL-5614c353 (per-user)
    10 deny icmp any any
    20 permit udp any any eq domain
    30 deny tcp any host 172.20.10.6 eq www
    40 deny tcp any host 172.30.10.6 eq www
    50 permit tcp any any eq www
    60 permit tcp any any eq 443

