ISE 1.3: Chain 802.1x with Centralised Web Authentication (CWA)

In Identity Services Engine version 1.3, Cisco has introduced the ability to chain 802.1x authentication with Central Web Authentication (CWA) and make an authorisation decision based on the two identities. The first identity used is the device identity (Certificate) and the second, the credentials used for the CWA.

The use case is very similar to EAP chaining using EAP-FAST, where you use the identity of the computer and the user to decide which Authorisation Profile to apply. However, in this case, once the device has been authenticated the user needs to open a web browser and authenticate with a set of credentials, from Active Directory for example.

In the real world this is a good fit for use cases where users share a device such as an iPad: the device is authenticated to the network, but the individual users sharing it are not. I do not see it necessarily being applied to workstations, as you can initiate a new EAP session when the user logs into the workstation, or chain using EAP-FAST with the AnyConnect client installed.

Below is a basic flow diagram we will work from, which outlines the process involved.

Flow Diagram 802.1x_CWA

So let’s start with building the policies.

Lab Environment

  • Identity Services Engine 1.3
  • Active Directory identity store (Windows 2008 R2)
  • Cisco 2504 WLC running 7.6.120.0 AireOS
  • Windows 7 laptop which will be our shared EAP-TLS based device
  • Authentication and Authorization Policies already configured to allow access to devices using the chaining of the 802.1x certificate and Central Web Authentication

Assumed Knowledge

  • ISE PKI Implementation
  • Basic ISE Implementation, including how authentication and authorization logic works

Steps as below:

Part 1

The first part of our policy will identify that the device is logging in via EAP-TLS on the SSID: Cisco, at which point we will apply an authorisation profile to the device and send the user to the CWA portal.

1. Create an Identity Source Sequence to use for the CWA Web Portal.

Administration > Identity Management > Identity Source Sequences > Add

CWA_802.1x_ISS

2. Next we need to create a “Guest Portal” to send our users to. The main thing to select is the Identity Source Sequence we created earlier.

Guest Access > Configure > Guest Portals > Create New >

CWA_802.1x_CWA_Portal

The portal as usual can be customised with a look and feel you like, but for our basic needs all we want to do is authenticate the user and give them a success page. We will not register their devices as endpoints in an EndPoint Identity Group in this scenario either.

3. Create an Authorisation Profile which will contain the attributes to send the user to the CWA portal.

Policy > Policy Elements > Results > Authorization > Authorization Profiles > Create New

CWA_802.1x_AuthZ_Profile

The AuthZ Profile will also need to reference a named WLC ACL. This is a prerequisite and must already be configured on the WLC. The two places to set the named WLC ACL in the AuthZ Profile are:

  • Web Redirection ACL
  • Airespace ACL Name

4. Next we need to create the conditions to use in the Authorisation Policy later.

Policy > Policy Elements > Conditions > Authorization > Compound Conditions > Add

  • Network Access:AuthenticationMethod EQUALS x509_PKI
  • Radius:Called-Station-ID ENDS WITH CISCO

CWA_CC

5. Now that we have the compound condition and Authorisation Profile defined we can complete our Authorisation Policy. Create an AuthZ rule similar to the one below (remember that ordering is important, so ensure there isn’t a rule above it that may match first).

Policy > Authorization Policy > Add

AuthZ-AD-Device_Access_CWA

We must now test our policy to ensure our Windows user is sent to the CWA portal that we defined earlier.

As you can see from the log entry below, the Windows device matches the policy created earlier and is sent to the CWA portal.

Operations > Authentications

Auth_log1

It’s worth mentioning, as I am only documenting the ISE policies and not the ACLs applied on the WLC, that the WLC ACL will be the same as for most WebAuth redirect URLs: restrict access to everything except ISE on TCP/8443, DNS on UDP/53 and DHCP (BOOTP).
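For reference, the following is an added example (not the author’s configuration) of an AireOS named ACL matching that description. On the WLC, traffic permitted by the redirect ACL flows without redirection, while everything else falls to the implicit deny and is redirected to the portal; the ACL name CWA_Redirect_ACL and the ISE PSN address 10.0.0.10 are assumed placeholders, and lines starting with `!` are annotations rather than WLC commands.

```text
! Assumed names: ACL CWA_Redirect_ACL, ISE PSN 10.0.0.10 (placeholders)
config acl create CWA_Redirect_ACL
! Rules 1-2: DNS, UDP/53, client to server and server to client
config acl rule add CWA_Redirect_ACL 1
config acl rule protocol CWA_Redirect_ACL 1 17
config acl rule destination port range CWA_Redirect_ACL 1 53 53
config acl rule action CWA_Redirect_ACL 1 permit
config acl rule add CWA_Redirect_ACL 2
config acl rule protocol CWA_Redirect_ACL 2 17
config acl rule source port range CWA_Redirect_ACL 2 53 53
config acl rule action CWA_Redirect_ACL 2 permit
! Rules 3-4: DHCP (BOOTP), UDP/67-68, both directions
config acl rule add CWA_Redirect_ACL 3
config acl rule protocol CWA_Redirect_ACL 3 17
config acl rule destination port range CWA_Redirect_ACL 3 67 68
config acl rule action CWA_Redirect_ACL 3 permit
config acl rule add CWA_Redirect_ACL 4
config acl rule protocol CWA_Redirect_ACL 4 17
config acl rule source port range CWA_Redirect_ACL 4 67 68
config acl rule action CWA_Redirect_ACL 4 permit
! Rules 5-6: ISE portal, TCP/8443, to and from the PSN only
config acl rule add CWA_Redirect_ACL 5
config acl rule protocol CWA_Redirect_ACL 5 6
config acl rule destination address CWA_Redirect_ACL 5 10.0.0.10 255.255.255.255
config acl rule destination port range CWA_Redirect_ACL 5 8443 8443
config acl rule action CWA_Redirect_ACL 5 permit
config acl rule add CWA_Redirect_ACL 6
config acl rule protocol CWA_Redirect_ACL 6 6
config acl rule source address CWA_Redirect_ACL 6 10.0.0.10 255.255.255.255
config acl rule source port range CWA_Redirect_ACL 6 8443 8443
config acl rule action CWA_Redirect_ACL 6 permit
! Anything not matched above hits the implicit deny and is redirected
config acl apply CWA_Redirect_ACL
```

This same ACL name is what goes into both the Web Redirection ACL and Airespace ACL Name fields of the AuthZ Profile above.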

The Windows user on the shared device opens up Internet Explorer and sees the following:

CWA_Redirect

Part 2

Now that we have created the first part of the policy, we need to take the credentials supplied in the chain and apply a policy based on both of them. In this case we will take the device identity (certificate named Employee) and the CWA user (byoduser) and apply a less restrictive BYOD policy to them. In effect we are saying: you are coming from a trusted device and using trusted credentials, so we are going to give you full access to the network.

1. Let’s start by creating a Compound Condition to check that the user logging in from the CWA portal belongs to a certain group and is also using EAP-TLS. This is where we chain the two identities together.

Policy > Policy Elements > Conditions > Authorization > Compound Conditions > Add

The conditions we are checking for are:

  • CWA:CWA_ExternalGroups EQUALS Active Directory Group (BYOD Users)
  • Network Access:AuthenticationMethod EQUALS x509_PKI
  • Radius:Called-Station-ID ENDS WITH CISCO

CWA_EAP_CHAIN_CC

2. Next we need to create the Authorisation Profile which ultimately defines what the user can do. In this profile we will keep it quite generic, but you can be as restrictive as you like with dACLs or named ACLs for WiFi.

Policy > Policy Elements > Results > Authorization > Authorization Profiles > Create New

AuthZPro-AD-Device-CWA-Chain-Access

3. Lastly, let’s create the Authorisation Policy to catch this user logging in via CWA. I will call it AuthZ-AD-Device-CWA-Access and place it above the rule created previously, so that the chained user is permitted rather than matching the redirect rule again.

Policy > Authorization Policy > Add

AuthZ-AD-Device-CWA-Access

Now that we have the policy in place, let’s log in to the CWA portal as BYODUser. What we should see is a log entry saying that the two identities, Employee (device certificate name) and BYODUser (CWA user account in AD), have been granted access to the network based on both of their identities.

Operations > Authentications

Auth_log3 Auth_log2
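As an added illustration that is not part of the original post, the snippet below models the two-pass walk through the rules built above (the Part 1 redirect rule and the Part 2 chained rule) as plain first-match evaluation, and shows why ordering matters: with the two rules reversed, the portal login never escapes the redirect profile. Attribute, condition, rule and profile names are the post’s; the Called-Station-ID value (assuming the WLC appends the SSID, which is what the ENDS WITH condition relies on) and the AD group list are constructed sample input, and the evaluation engine is a simplification of ISE, not its code.

```python
"""Constructed stand-in for ISE's first-match authorization walk over the two rules and
compound conditions built in this post; it is not ISE code."""
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, object]  # attributes seen by the policy, keyed "Dictionary:Attribute"
Cond = Callable[[Session], bool]
Rule = Tuple[str, Cond, str]  # (rule name, condition, authorization profile)

def equals(attr: str, value: str) -> Cond:
    """EQUALS; CWA_ExternalGroups is multi-valued, so any one group value may match."""
    def check(s: Session) -> bool:
        v = s.get(attr)
        return value in v if isinstance(v, list) else v == value
    return check

def ends_with(attr: str, suffix: str) -> Cond:
    """ENDS WITH (case-insensitive), used on Called-Station-ID to match the SSID."""
    return lambda s: str(s.get(attr, "")).upper().endswith(suffix.upper())

def all_of(*conds: Cond) -> Cond:
    return lambda s: all(c(s) for c in conds)

# Compound conditions from Part 1 (CWA_CC) and Part 2 (CWA_EAP_CHAIN_CC)
CWA_CC = all_of(equals("Network Access:AuthenticationMethod", "x509_PKI"),
                ends_with("Radius:Called-Station-ID", "CISCO"))
CWA_EAP_CHAIN_CC = all_of(equals("CWA:CWA_ExternalGroups", "BYOD Users"), CWA_CC)

# Ordered as the post specifies: the chained rule sits above the redirect rule
POLICY: List[Rule] = [
    ("AuthZ-AD-Device-CWA-Access", CWA_EAP_CHAIN_CC, "AuthZPro-AD-Device-CWA-Chain-Access"),
    ("AuthZ-AD-Device_Access_CWA", CWA_CC, "CWA_802.1x_AuthZ_Profile"),
]

def authorize(rules: List[Rule], session: Session) -> str:
    """First matching rule wins; no match falls through to the default DenyAccess."""
    return next((profile for _, cond, profile in rules if cond(session)), "DenyAccess")

def chained_login(rules: List[Rule], called_station_id: str,
                  cwa_groups: Optional[List[str]] = None) -> Tuple[str, Optional[str]]:
    """Pass 1: EAP-TLS device authentication, no CWA attributes yet.  Pass 2: the
    re-authorization after the portal login, when CWA:CWA_ExternalGroups carries the AD groups."""
    device: Session = {"Network Access:AuthenticationMethod": "x509_PKI",
                       "Radius:Called-Station-ID": called_station_id}
    first = authorize(rules, device)
    if cwa_groups is None:
        return first, None
    return first, authorize(rules, {**device, "CWA:CWA_ExternalGroups": cwa_groups})
```

Running `chained_login(list(reversed(POLICY)), "00-11-22-33-44-55:Cisco", ["BYOD Users"])` returns the redirect profile on both passes, which is exactly the symptom of the ordering mistake warned about in step 5.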

Summary

In this post I have detailed the steps required to chain device certificates and CWA credentials. You will need to take this and tailor it so it’s suitable for your environment. Although this policy was created for wireless, it would also be applicable to wired 802.1x connections.


1 thought on “ISE 1.3: Chain 802.1x with Centralised Web Authentication (CWA)”

  1. Please add “Authentication and Authorization Policies already configured to allow access to devices using the chaining of the 802.1x certificate and Central Web Authentication”. Should never assume anyone has already done or knows any major part.
