Publication Date: 2020-09-07 | Views: 1803 | Downloads: 0 | Author: b00490549 | Document ID: EKB1100055064
Compared to the standard portal authentication process, CWA is implemented as MAC authentication followed by portal authentication, where the RADIUS server is the component responsible for pushing the HTTPS authentication page to the client by including the redirection attributes in its RADIUS reply packets.
In this scenario, the entire HTTPS redirection process is based on MAC address authentication of the user: the initial RADIUS Access-Accept must include the (1) 26-155 HW-Portal-URL and (2) 26-173 HW-Redirect-ACL attributes so that the HTTPS authentication page is redirected to the user.
In a second step, once portal authentication succeeds, a RADIUS server-initiated CoA carrying the attribute 26-238 HW-Ext-Specific is sent to re-authenticate the MAC user and grant full permission.
Configuration example for the wireless AC to interact with a ClearPass server in the CWA scenario:
1st Step: Configure a redirection ACL.
This ACL is preconfigured on the WLC and is used to block traffic and redirect the user to the HTTPS URL once MAC authentication succeeds and the WLC receives an Access-Accept message carrying the 26-173 HW-Redirect-ACL attribute with the ACL number.
NOTE
A redirection ACL differs from a common ACL in the following aspects:
– permit: indicates that the switch redirects packets instead of allowing packets matching the rule to pass through.
– deny: indicates that the switch does not redirect packets and allows packets matching the rule to pass through.
A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to users simultaneously and you want to control the user rights through the common ACL, do not configure the last rule of the redirection ACL to rule rule-id deny ip. If you configure the last rule of the redirection ACL to rule rule-id deny ip, the assigned common ACL does not take effect.
Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and authentication cannot be performed for users.
# Configure redirection ACL 3003. Rules 1 and 2 allow DNS packets to pass through. Rules 3, 4, 5, and 6 allow DHCP packets to pass through. Rule 7 allows packets exchanged between clients and the portal server. Rules 8 and 9 redirect HTTP and HTTPS traffic (permit in a redirection ACL means redirect).
Example:
acl number 3003
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination x.x.x.x 0 // portal server IP address (host wildcard 0)
rule 8 permit tcp destination-port eq www
rule 9 permit tcp destination-port eq 443
2nd Step: Configure RADIUS communication parameters, including the RADIUS server template, AAA schemes, and authentication domain.
# Create the RADIUS server template policy.
radius-server template cwa
radius-server shared-key cipher xyy
radius-server authentication x.x.x.x 1812 weight 80
radius-server accounting x.x.x.x 1813 weight 80
radius-server authorization x.x.x.x shared-key cipher xxx // RADIUS authorization pre-shared key between the server and the WLC (used for CoA/DM)
radius-server authorization attribute-decode-sameastemplate // decode attributes in CoA/DM requests the same way as in the template
radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common
# Create the AAA authentication scheme and accounting scheme, both named cwa.
aaa
authentication-scheme cwa
authentication-mode radius
accounting-scheme cwa
accounting-mode radius
accounting start-fail online
3rd Step: Create the authentication profile.
# Create the MAC access profile and the authentication profile, and bind the MAC access profile, the AAA schemes, and the RADIUS server template to the authentication profile.
mac-access-profile cwa
authentication-profile name cwa
mac-access-profile cwa
authentication-scheme cwa
accounting-scheme cwa
radius-server cwa
4th Step: Configure WLAN service parameters.
vap-profile name cwa
forward-mode tunnel
service-vlan vlan-id xxx
ssid-profile cwa
security-profile cwa
authentication-profile cwa
5th Step: Configure the ClearPass server with the following RADIUS attributes:
(1) 26-155 HW-Portal-URL
(2) 26-173 HW-Redirect-ACL
(3) 26-238 HW-Ext-Specific
The server is expected to send the RADIUS attributes 26-155 HW-Portal-URL and 26-173 HW-Redirect-ACL in the Access-Accept message during the initial MAC authentication, after which the HTTPS page is redirected to the user.
The server must also be configured for CoA so that, after portal authentication succeeds, the user repeats the MAC authentication process and is granted complete permission. The CoA includes attribute 26-238 HW-Ext-Specific with "user-command=1", which forces the user to re-authenticate.
More details about the Huawei private attributes and their format can be found in the product documentation of the wireless AC.
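As an added example that is not part of the original article, the following Python shows how the three attributes above are carried on the wire: each one is a Huawei sub-attribute inside an RFC 2865 Vendor-Specific attribute (type 26). It assumes Huawei's enterprise number 2011 as the Vendor-Id, that the three values are sent as strings, and uses a constructed portal URL and the ACL number 3003 from step 1; the parser also checks the length fields so a malformed reply is rejected rather than misread.

```python
import struct

HUAWEI_VENDOR_ID = 2011        # enterprise number Huawei uses in RADIUS VSAs (assumed)
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
# Huawei sub-attribute numbers used by the CWA flow described above
HW_PORTAL_URL = 155
HW_REDIRECT_ACL = 173
HW_EXT_SPECIFIC = 238

def encode_huawei_vsa(subtype: int, value: bytes) -> bytes:
    """Pack one Huawei sub-attribute: Type(26) Len Vendor-Id(4) | Sub-Type Sub-Len Value."""
    # outer header 6 octets + inner header 2 octets; the one-octet Length caps the VSA at 255
    if len(value) > 255 - 8:
        raise ValueError("value too long for a single Vendor-Specific attribute")
    inner = struct.pack("!BB", subtype, len(value) + 2) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(inner) + 6, HUAWEI_VENDOR_ID) + inner

def parse_huawei_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return {sub-type: value} for Huawei VSAs only."""
    out = {}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            if struct.unpack("!I", body[:4])[0] == HUAWEI_VENDOR_ID:
                sub = body[4:]
                while len(sub) >= 2:      # a VSA may carry several sub-attributes back to back
                    stype, slen = sub[0], sub[1]
                    if slen < 2 or slen > len(sub):
                        raise ValueError("malformed sub-attribute length")
                    out[stype] = sub[2:slen]
                    sub = sub[slen:]
        pos += alen
    return out

def cwa_access_accept_attrs(portal_url: str, acl_number: int) -> bytes:
    """Attributes the server adds to the Access-Accept after MAC authentication (CWA step 1)."""
    return (encode_huawei_vsa(HW_PORTAL_URL, portal_url.encode())
            + encode_huawei_vsa(HW_REDIRECT_ACL, str(acl_number).encode()))

def cwa_coa_attrs() -> bytes:
    """Attribute the server-initiated CoA carries to force MAC re-authentication (CWA step 2)."""
    return encode_huawei_vsa(HW_EXT_SPECIFIC, b"user-command=1")
```

Running parse_huawei_vsas over a captured Access-Accept or CoA-Request attribute list is a quick way to confirm that ClearPass is actually emitting the three attributes with the expected values.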