Cisco ISE as External Authentication

  • Question
  • Updated 2 years ago
  • Answered
Hi.
I'm trying to set up a Guest Portal using Cisco ISE as CWA.
I have made a SSID in Hivemanager, with "Enable Captive Web portal" checked, and in the Network Policy, I have set up Cisco ISE as both Radius server and CWP: External Authentication.

And the redirection works fine, and the guest logon works fine.
Cisco ISE also logs the user as authenticated.
But there is an authentication loop. After a successful guest login, I get thrown back to the login page again and again, no matter what URL I type in the browser.

It's like the Aerohive AP never gets an "OK" message from Cisco ISE.

According to Cisco, that message is given by sending a CoA to the AP.

What am I missing? I have already checked the box that says Permit Dynamic Change of Authorization Messages (RFC 3576) under AAA Client Settings.

Has anyone tried this, and made it work?

Thanks.

gaasdal


Posted 4 years ago


Eastman Rivai, Official Rep

You may need to check the authorisation rule on the ISE and see if the account you used... Can you also do debug auth all and check if the AP receives the Access-Accept message from the ISE?

If you enable CWP on the AP, the ISE would just need to act as a RADIUS server. Is that what you are trying to do?

Nick Lowe, Official Rep

CoA implementations are notorious for not inter-operating well due to them often expecting different sets of attributes and supporting different things.

The way to debug this is to get a capture of the RADIUS traffic on the wire so that you can observe which attributes are being sent in the CoA, then find out which attributes HiveOS supports/expects. This may require a support case or posting back here for an employee of Aerohive to comment at that point.

gaasdal

Hello, and thank you for your answers.
I was going about this the wrong way, and I got the authentication bit working now.
It also authorizes correctly, but the client does not get sent to the guest portal.
And that is probably because Cisco ISE uses cisco-av-pair to do that:
cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=

If only there was a way to recreate that with "common" radius attributes..
Is there a way?

Thanks

Nick Lowe, Official Rep

I will have a look to see what HiveOS supports.

gaasdal

Thank you.
I could probably do as Eastman Rivai mentions, but it would be much "cleaner" to make it all in one from one product.

gaasdal

It's a shame that Aerohive does not support at least some of the cisco-av-pair attributes.
Cisco ISE is an excellent radius server, and we all need radius servers.
So support for all functions that ISE can offer is a win / win situation from where I stand.

On the other hand, it's a shame that Cisco does not use more default radius attributes instead of their own.
But I guess it's easier to get Aerohive to make a change than Cisco, so is there a place I make requests for changes such as this?

Thanks.

gaasdal

Ok,
I think ISE is able to import attributes, so if Aerohive has an equivalent to, or have support for CWA / LWA via Aerohive VSA's, maybe I can try to import or create them in ISE.

Do you know where I can find a list or something over Aerohive VSA's?

Thanks.

gaasdal

Hello again.
Did you find the time to look into this?

Eastman Rivai, Official Rep

CWA is designed by Cisco to provide web authentication to switches and WLCs. The device using this feature has to be able to support Cisco RADIUS NAC. More detail can be found here:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg7...

This feature so far is only supported on Cisco WLCs and some switches. Even Cisco APs in autonomous mode do not support this feature.

This feature is part of the Cisco NAC portfolio. Cisco likes to keep NAC working only with their products in order to protect their market. You may use ISE as the policy-based RADIUS server but not for NAC.

There is another company that has the same capability as Cisco ISE. This company only focuses on wired and wireless security, so they have to make sure that they work with all vendors in order to capture the market. Their product works well with all major wireless players, including Aerohive.

I hope this explains it.

Nick Lowe, Official Rep

Sorry for the delay in getting back! I couldn't find any proper documentation, information or otherwise on what HiveOS supports through attributes set in CoA. It may just be session termination. It's a question therefore that's best posed to Aerohive directly!

If there is the ability to return a new Tunnel-Private-Group-Id / Filter-Id to dynamically change the VLAN / user profile, it would provide the necessary primitives to build the type of thing you're after.

Lionel

Hi, we are struggling with the same problem, having to support the ISE captive portal for both Cisco and Aerohive wi-fi implementations. Did you find a way to make it work?

Nick Lowe, Official Rep

One of the new features of HiveOS 6.4r1 is:
User profile reassignment independent of CWP
This feature allows user profile attribute reassignment based on RADIUS COA message without enabling HiveOS CWP. This removes the dependency on HiveOS CWP for user profile reassignment, and allows an external RADIUS server to inform device compliance information and restrict the device to a quarantined URL for remediation.
However, this feature understandably does not, and will not, work using Cisco's cisco-av-pair vendor specific attribute (VSA). It is entirely due to a limitation of ISE, therefore, as that uses proprietary means to pass the profile information, not Aerohive's implementation in HiveOS.

To get this working, you need to use something like FreeRADIUS >= 3.0.8 in a rewriting proxy role in the middle to translate/remap the cisco-av-pair VSA to something that HiveOS understands, specifying the user profile to apply in the Tunnel-Private-Group-Id attribute.

I suggest that you use the unlang feature of FreeRADIUS to achieve this.
See: http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf

Also see "man unlang".
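As an added example (not from this thread, Aerohive or FreeRADIUS), the rewrite step such a proxy would perform, modelled in Python so it can be run and checked: an ISE Access-Accept carrying a cisco-av-pair url-redirect is turned into the standard Tunnel-* attributes that reference a HiveOS user profile, and the Cisco pairs are dropped. The profile number, the attribute names and the sample reply are assumptions/constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed values (not from the thread): the HiveOS user profile attribute
# number a guest should get while the portal is pending, and the RFC 2868
# codes for Tunnel-Type (VLAN = 13) and Tunnel-Medium-Type (IEEE-802 = 6).
REDIRECT_PROFILE = "20"
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = "13", "6"

def rewrite_ise_reply(attrs, redirect_profile=REDIRECT_PROFILE):
    """attrs: list of (attribute-name, value) pairs from an ISE Access-Accept.

    Returns (rewritten_attrs, ise_session_id). When the reply carries a
    cisco-av-pair url-redirect, every Cisco pair is dropped (HiveOS ignores
    them) and the profile is referenced by Tunnel-Private-Group-Id instead.
    Replies without a redirect pass through unchanged."""
    kept, redirect_seen, session_id = [], False, None
    for name, value in attrs:
        if name != "Cisco-AVPair":
            kept.append((name, value))
            continue
        key, _, val = value.partition("=")
        if key == "url-redirect":
            redirect_seen = True
            # ISE embeds its own session id in the portal URL; the proxy keeps
            # it so it can correlate whatever ISE later sends for this session.
            session_id = parse_qs(urlsplit(val).query).get("sessionId", [None])[0]
    if not redirect_seen:
        return list(attrs), None
    kept += [("Tunnel-Type", TUNNEL_TYPE_VLAN),
             ("Tunnel-Medium-Type", TUNNEL_MEDIUM_802),
             ("Tunnel-Private-Group-Id", redirect_profile)]
    return kept, session_id

# Constructed sample of an ISE CWA reply (hostname and ids are made up).
SAMPLE_REPLY = [
    ("Class", "CACS:constructed"),
    ("Cisco-AVPair", "url-redirect-acl=ACL-WEBAUTH-REDIRECT"),
    ("Cisco-AVPair", "url-redirect=https://ise.example.test:8443/portal/gateway"
                     "?sessionId=0a0a0a0a0000001A&portal=guest"),
]
```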

Nick Lowe, Official Rep

No, sorry, I do not use or have access to ISE. I just understand how this all works.

Conceptually, it should be relatively easy and quick to implement.

If I worked with Aerohive rather than just helping out casually, I'd definitely test and document this type of thing! But... as I don't have a job with them, I'm sorry that I can't realistically help you out more.

gaasdal

Thank you for the tip. I have basically given up on this.
But ISE is able to import RADIUS attributes from other vendors.
If someone could tell me what the attributes for Aerohive CoA / CWP are, I'm more than happy to try it out.

It would be a so much better solution than trying to make custom script on another radius server.

Nick Lowe, Official Rep

You do not need to use any VSAs to do this so you will not need to import anything. The CoA reassignment just uses RADIUS standard attributes.

If you can configure ISE to send the attributes you need in the CoA to the Aerohive APs, you will be fine.

I have not seen any proper documentation on using this feature, although I haven't checked again recently.

From the beta process for 6.4r1, the following comment was made on how you can use CoA reassignment:
The feature:
1. RADIUS server can return user's profile to AP by using Attribute #11 "Filter-Id" and carry the attribute # matching what's in the User Profile.
2. The VLAN will change if needed based on the User Profile.
3. Check the Accept CoA, then RADIUS can send CoA back to AP anytime and carries the new attribute # (which matches the new User Profile) – and AP will change user to the new user profile.
(There are some devil in the detail questions about the implementation that I asked during the beta about CoA reassignment that I am still trying to clear up.)

In the initial Access-Accept, you can either use the Tunnel-Private-Group-Id method or another attribute such as the Filter-Id to reference the desired user profile. The documentation for that is:



You should conceptually therefore be able to use either the Tunnel-Private-Group-Id or the Filter-Id attribute to reference the desired user profile in the CoA.

You need to reference the session with the Acct-Session-Id.

I've been meaning to get this tested in anger for a while now. I'll do so and write a blog post up about it. Give me a day or two!

gaasdal

I'm not able to make this work.
This is what I do:

I make a SSID with Open Authentication, Enable MAC authentication selected (MS-CHAP V2) and Enable Captive Web Portal
Next, I make a Network Policy where I choose a CWP that I have configured with these options:
External Authentication.
Since Aerohive does not support cisco-av-pair, I set the portal url manually.
Then I set ISE as the radius server.
Permit Dynamic Change of Authorization Messages (RFC 3576) is enabled.

So, when I connect to the SSID, I get redirected to the self registration portal, where I am able to make
myself a user.
When that is done, I'm able to log in, and I get a message that I am successfully logged in.
And an Authorization profile is sent.

But when I try to browse a page, I'm just redirected back to the login page.

I don't understand how ISE tells the client / AP that the client is now authenticated. Isn't that what the CoA is for?

Thanks again.

Nick Lowe, Official Rep

There should be an initial Access-Accept that kicks a session off. It should contain a Class attribute. There will be an initial user profile applied to this session.

The subsequent accounting that occurs for a session with Accounting-Request packets from the NAS includes an Acct-Session-Id and Class attribute(s) if they were included in the Access-Accept, allowing binding to occur from the auth to accounting.

CoA is Change of Authorization, it therefore only ever applies to an existing session.

The Acct-Session-Id for the session is then used to reference the session to change the user profile that is applied to it when used in conjunction with other attributes like a Filter-Id.

Hopefully this makes sense! :)

(Point of interest: With wireless NASes, there is also an Acct-Multi-Session-Id that is constant across all related sessions that share the same authentication - it's needed in roaming scenarios.

At present, HiveOS does not support referencing a session in CoA via the Acct-Multi-Session-Id however. )
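The binding described here (an Access-Accept, accounting that carries the Acct-Session-Id, then a CoA-Request that references that Acct-Session-Id and carries a Filter-Id naming the new user profile), together with the earlier advice to capture the RADIUS traffic and look at which attributes the CoA actually carries, as an added example that is not from the thread, Aerohive, Cisco or FreeRADIUS: the encoder builds such a CoA-Request with the RFC 5176 Request Authenticator, and the decoder lists the attributes of a captured one and checks its authenticator against the shared secret. The secret, session id and profile name are constructed sample values.

```python
import hashlib, hmac, struct

COA_REQUEST = 43                      # RFC 5176 packet code
ATTR = {"Filter-Id": 11, "Class": 25, "Vendor-Specific": 26, "Acct-Session-Id": 44}
NAME = {code: name for name, code in ATTR.items()}

def encode_coa(ident, secret, attrs):
    """attrs: list of (attribute-name, str). Returns the CoA-Request bytes.
    RFC 5176 Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + attributes + shared secret)."""
    body = b"".join(struct.pack("!BB", ATTR[n], 2 + len(v.encode())) + v.encode()
                    for n, v in attrs)
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def decode_coa(pkt, secret):
    """Returns (attrs, authenticator_ok). A NAS silently discards a CoA-Request
    whose authenticator does not verify, so an AP that appears to ignore the
    CoA in a capture is worth checking against the configured secret.
    A Vendor-Specific (26) attribute here would be e.g. a cisco-av-pair."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed CoA-Request")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("bad attribute length")
        t, l = body[pos], body[pos + 1]
        attrs.append((NAME.get(t, f"Attr-{t}"), body[pos + 2:pos + l].decode(errors="replace")))
        pos += l
    return attrs, hmac.compare_digest(pkt[4:20], expected)

# Constructed sample values: the secret shared with the AP, the session id the
# AP reported in its Accounting-Request, and the HiveOS user profile to apply.
SECRET = b"constructed-shared-secret"
COA_ATTRS = [("Acct-Session-Id", "5f3e2a1b00000001"), ("Filter-Id", "GuestLoggedIn")]

def demo():
    """Round-trips the sample CoA and shows that a wrong secret fails to verify."""
    pkt = encode_coa(7, SECRET, COA_ATTRS)
    attrs, ok = decode_coa(pkt, SECRET)
    _, ok_wrong_secret = decode_coa(pkt, b"wrong-secret")
    return attrs, ok, ok_wrong_secret
```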

Nick Lowe, Official Rep

Did you get any further with this?

I see this has been discussed briefly on the Cisco forums but without a clear answer:

https://supportforums.cisco.com/discussion/12351331/cisco-ise-cwa-redirect-another-way-cisco-av-pair

gaasdal

Hi.
It was me that started that thread :)

No, I haven't gotten any further.
I had a hope that it didn't work because I was missing a PLUS license in ISE, but that wasn't it :(
It does not seem that a CoA is being sent to the AP after a successful authentication. And therefore the client is re-redirected to the web portal again and again.
I don't really understand why, since the CoA is not a Cisco proprietary thing.
I'm guessing it's because the session-id is missing. (Since portal URL has to be set manually)

So I have given up on this. Very sad for our customers. Very annoying for me.
So I guess I have to support 2 solutions:
One for all our customers using Cisco, and one for our customers using Aerohive's own solution, which is not in any way as good as Cisco's, IMO
I mean, the MyHive pages are just sad.

Thanks.

User969020

Has anyone tried this with ISE 2.0? There is now the ability to customise RADIUS CoA attributes and the way the redirect URL is formed for support of non-Cisco devices. I'm hoping it's the solution to all of our problems! 

John Neumann

I have just started to work with Aerohive after supporting a Cisco Unified Wireless Network system including ISE. My knowledge of Cisco is OK but I am just learning Aerohive.

So... forgive me since this may sound naive... but how comfortable are you with the policies configured on the ISE side?

You mention getting stuck in the authentication loop. This can be because you are not hitting a rule in your ISE policy before hitting the rule that does the redirection to the Guest portal. The CoA occurs and reauthorizes and you're still hitting the same rule on ISE.

The logic inside the ISE Guest portals is that they place endpoints into Endpoint Identity Groups when users successfully log into them.

For the default ISE Guest Portal, by default, your authenticated guests' devices' MACs will be placed into the GuestEndPoints Endpoint Identity Group. You need to define an AuthZ rule above the rule with the authorization profile that is doing your redirection. That rule may simply just be: If GuestEndPoints then GuestLoggedIn. Your GuestLoggedIn authorization profile would send an ACCESS-ACCEPT and AVPs that correlate to the user profile defined in your Aerohive system.

I may have that all wrong because, as someone already mentioned in this thread, in the CUWN world NAC states are part of the flow too.

The guest services engine inside ISE is great, with loads of options on how you can configure guest types, sponsor types and notification options to the Nth degree. However, I am still not a fan of the policy engine leveraging JUST the EndPointIdentity group to validate guest access. In this scenario, you have to rely on endpoint purge rules to remove your guest endpoints from the GuestEndPoints group and then separately invalidate the guest credentials that they used to log in to the Portal page.

user4455

Hi John,
I am working with User969020 on the setup with Aerohive and ISE and we are quite knowledgeable about ISE, so we are ok with the policies there.
We believe that when ISE returns the CoA to Aerohive, somehow the redirect is not removed, and it might be that we are not sending the right parameters, or combination of them, in order to apply a new profile.
Is this something you have come across as well by any chance?

John Neumann

Three months later and I reply.

Your statement is the same as where I finished up with this, too.

RFC 3576 enabled?

Maybe, conceptually the Aerohive CWP functionality is that far abstracted it is not close enough to resembling NAC that ISE is ready to work with.

What happens if you set up an SSID with just MAC filtering, with no CWP, pointed at ISE, with ISE tuned as appropriate to process the incoming MABs? In fact, how does Aerohive even send its MABs? Framed or Call-Check?

Can Aerohive interpret a returned redirect URL and filter that doesn't allow any traffic except to the server hosting that login URL and your DHCP, DNS etc? That would eliminate the need for Aerohive's CWP to be in place and removed.

I do not regularly work with Aerohive equipment. Just an interested by-stander.