
FAQ – How to configure the wireless AC for Central Web Authentication (CWA) scenarios

Latest reply: Nov 17, 2021 06:18:30

Scenario description:

In the CWA scenario, users are authenticated by a Portal Server only after an initial MAC authentication step. During that step the RADIUS server works together with the wireless AC to push the HTTPS authentication page to the MAC-authenticated client, by including vendor-specific redirection attributes in the RADIUS reply packets, while at the same time restricting the user's access to the rest of the network.

The entire HTTPS redirection process is based on the MAC address authentication of the users: the initial RADIUS Access-Accept response must include the (1) 26-156 HW-Portal-URL and (2) 26-173 HW-Redirect-ACL attributes, whose purpose is to redirect the user to the HTTPS authentication page.

When the user enters the correct credentials and the portal authentication succeeds, in a second step the RADIUS server sends a server-initiated CoA that includes the RADIUS attribute 26-238 HW-Ext-Specific, which re-authenticates the MAC user and grants full permission.


Configuration Example:

Configuration example for the wireless AC interacting with a ClearPass server in the CWA scenario:

1st Step: Configure a redirection ACL.

This type of ACL is preconfigured on the WLC. It is used to block the client's traffic and redirect the user to the HTTPS URL once MAC authentication succeeds and the WLC receives a RADIUS Access-Accept message carrying the 26-173 HW-Redirect-ACL attribute, which names the ACL number.

NOTE

A redirection ACL differs from a common ACL in the following aspects:

– permit: indicates that the device redirects packets matching the rule instead of allowing them to pass through.

– deny: indicates that the device does not redirect packets matching the rule and allows them to pass through.

A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to users simultaneously and you want to control the user rights through the common ACL, do not configure the last rule of the redirection ACL as "rule rule-id deny ip". If you do, the assigned common ACL does not take effect.

Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and users cannot be authenticated.

# Configure redirection ACL 3003. Rules 1 and 2 allow DNS packets to pass through. Rules 3, 4, 5, and 6 allow DHCP packets to pass through. Rule 7 allows packets exchanged between clients and the portal server to pass through. Rules 8 and 9 match HTTP and HTTPS packets, which (because permit means redirect in a redirection ACL) are redirected to the portal.

Eg:

acl number 3003
  rule 1 deny udp destination-port eq dns
  rule 2 deny udp source-port eq dns
  rule 3 deny udp destination-port eq bootps
  rule 4 deny udp destination-port eq bootpc
  rule 5 deny udp source-port eq bootpc
  rule 6 deny udp source-port eq bootps
  rule 7 deny ip destination x.x.x.x          // portal server IP address
  rule 8 permit tcp destination-port eq www
  rule 9 permit tcp destination-port eq 443
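To make the inverted permit/deny semantics and the first-match ordering of the ACL above concrete, here is an added Python evaluator (example code, not from the original post or any Huawei product) that applies the page's redirection ACL 3003 to sample packets. The portal address 192.0.2.10 is a constructed stand-in for x.x.x.x, and the verdict for a packet that matches no rule is left as None because the page does not specify it.

```python
# Constructed sample address standing in for the page's x.x.x.x portal server
PORTAL_IP = "192.0.2.10"

# The page's redirection ACL 3003, verbatim apart from the portal address
ACL_3003 = f"""
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination {PORTAL_IP}
rule 8 permit tcp destination-port eq www
rule 9 permit tcp destination-port eq 443
"""
PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68, "www": 80}  # names used in the ACL


def parse_rule(line):
    """Parse one 'rule <id> <permit|deny> <proto> [match ...]' line into a dict."""
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3]}
    i = 4
    while i < len(t):
        if t[i] in ("destination-port", "source-port") and t[i + 1] == "eq":
            rule[t[i]] = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
            i += 3
        elif t[i] == "destination":
            rule["destination"] = t[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
    return rule


def parse_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.startswith("rule")]


def matches(rule, pkt):
    """pkt is a dict with keys proto, sport, dport, dst; a missing key never matches."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.get("proto"):
        return False
    fields = (("destination-port", "dport"), ("source-port", "sport"), ("destination", "dst"))
    return all(rule[k] == pkt.get(f) for k, f in fields if k in rule)


def redirect_acl_verdict(rules, pkt):
    """First match wins; permit = redirect, deny = pass through; None if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return "redirect" if rule["action"] == "permit" else "pass"
    return None
```

Note that HTTPS to the portal itself yields "pass" because rule 7 precedes rule 9, while HTTPS to any other destination yields "redirect".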

 

 

2nd Step: Configure RADIUS communication parameters, including the RADIUS server template, AAA schemes, and authentication domain.

# Create the RADIUS server template.

radius-server template cwa
  radius-server shared-key cipher xyy
  radius-server authentication x.x.x.x 1812 weight 80
  radius-server accounting x.x.x.x 1813 weight 80
  radius-server authorization x.x.x.x shared-key cipher xxx        // RADIUS authorization pre-shared key between the server and the WLC
  radius-server authorization attribute-decode-sameastemplate    // enables the device to encapsulate attributes in the CoA/DM response
  radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common

# Create the AAA authentication and accounting schemes cwa.

aaa
  authentication-scheme cwa
    authentication-mode radius
  accounting-scheme cwa
    accounting-mode radius
    accounting start-fail online

3rd Step: Create the authentication profile.

# Create the MAC access profile and the authentication profile, and bind the MAC access profile, AAA schemes and RADIUS template to it.

mac-access-profile cwa

authentication-profile name cwa
  mac-access-profile cwa
  authentication-scheme cwa
  accounting-scheme cwa
  radius-server cwa

4th Step: Configure WLAN service parameters.

vap-profile name cwa
  forward-mode tunnel
  service-vlan vlan-id xxx
  ssid-profile cwa
  security-profile cwa
  authentication-profile cwa

5th Step: Configure the ClearPass server with the following RADIUS attributes:

(1) 26-156 HW-Portal-URL

(2) 26-173 HW-Redirect-ACL

(3) 26-238 HW-Ext-Specific

The server is expected to send the RADIUS attributes 26-156 HW-Portal-URL and 26-173 HW-Redirect-ACL in the Access-Accept message during the initial MAC authentication process, after which the user is redirected to the HTTPS page.

The server must also be configured for CoA so that, after the portal authentication succeeds, the user repeats the MAC authentication process and is granted complete permission. The CoA includes attribute 26-238 HW-Ext-Specific with "user-command=1", which forces the user to re-authenticate.

More details about the HW private attributes and their format can be found in the product documentation of the wireless AC.
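As an added illustration of the two RADIUS messages described in the scenario and in this step (example code, not part of the original post and not Huawei or ClearPass code), the following Python builds and parses the Huawei vendor-specific attributes 26-156, 26-173 and 26-238 as RFC 2865 Vendor-Specific attributes. It assumes Huawei's IANA vendor ID 2011 and a string encoding for all three attributes; the portal URL and ACL number passed in are constructed sample values.

```python
import struct

HUAWEI_VENDOR_ID = 2011  # Huawei's IANA enterprise number (assumed; not stated on the page)
VSA_TYPE = 26            # RFC 2865 Vendor-Specific attribute type
# Vendor-type codes taken from the page's "26-<n>" notation
HW_PORTAL_URL = 156
HW_REDIRECT_ACL = 173
HW_EXT_SPECIFIC = 238


def encode_hw_vsa(vendor_type, value):
    """Build one Huawei VSA: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length Value (string-encoded, an assumption)."""
    data = value.encode() if isinstance(value, str) else bytes(value)
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    total = 6 + len(sub)
    if total > 255:
        raise ValueError("RADIUS attribute length exceeds 255 bytes")
    return struct.pack("!BBI", VSA_TYPE, total, HUAWEI_VENDOR_ID) + sub


def decode_attributes(payload):
    """Walk a RADIUS attribute list and return [(type, vendor_type, value)]; vendor_type is None for non-Huawei attributes."""
    out, i = [], 0
    while i < len(payload):
        typ, ln = payload[i], payload[i + 1] if i + 1 < len(payload) else 0
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed attribute")
        body = payload[i + 2:i + ln]
        if typ == VSA_TYPE and len(body) >= 6 and struct.unpack("!I", body[:4])[0] == HUAWEI_VENDOR_ID:
            j = 4
            while j + 2 <= len(body):
                vt, vl = body[j], body[j + 1]
                if vl < 2 or j + vl > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                out.append((typ, vt, body[j + 2:j + vl]))
                j += vl
        else:
            out.append((typ, None, body))
        i += ln
    return out


def cwa_access_accept_attrs(portal_url, acl_number):
    """Attributes the page says the Access-Accept must carry after MAC authentication."""
    return encode_hw_vsa(HW_PORTAL_URL, portal_url) + encode_hw_vsa(HW_REDIRECT_ACL, str(acl_number))


def cwa_coa_attrs():
    """Attribute the page says the server-initiated CoA carries to force re-authentication."""
    return encode_hw_vsa(HW_EXT_SPECIFIC, "user-command=1")
```

Decoding the output of cwa_access_accept_attrs yields the (26, 156, url) and (26, 173, acl) pairs the AC needs before it will push the portal page; a capture that lacks either one explains a client that never gets redirected.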


Hope this helps!:)



Very helpful post!