Configuration example for the wireless AC to interact with a ClearPass server in the CWA scenario:
1st Step: Configure a redirection ACL.
This type of ACL is preconfigured on the WLC. It is used to block the user's traffic and to redirect the user to the HTTPS portal URL once MAC authentication succeeds and the WLC receives a RADIUS Access-Accept message that carries the 26-173 HW-Redirect-ACL attribute with the ACL number.
A redirection ACL differs from a common ACL in the following aspects:
– permit: indicates that the device redirects packets matching the rule instead of allowing them to pass through.
– deny: indicates that the device does not redirect packets matching the rule and allows them to pass through.
A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to a user at the same time and you want to control the user's rights through the common ACL, do not configure the last rule of the redirection ACL as "rule rule-id deny ip". If the last rule of the redirection ACL is "rule rule-id deny ip", the assigned common ACL does not take effect.
Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and authentication cannot be performed for users.
# Configure redirection ACL 3003. Rules 1 and 2 allow DNS packets to pass through. Rules 3, 4, 5, and 6 allow DHCP packets to pass through. Rule 7 allows packets exchanged between clients and the portal server to pass through. Rules 8 and 9 redirect HTTP and HTTPS traffic to the portal.
acl number 3003
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination x.x.x.x 0 // portal server IP address, followed by the wildcard mask
rule 8 permit tcp destination-port eq www
rule 9 permit tcp destination-port eq 443
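The inverted permit/deny semantics and the two caveats above are easy to get wrong when reading a redirection ACL. The following is an added example (not Huawei code and not part of the original page): it parses ACL 3003 as written above, evaluates constructed sample packets from a client that has only passed MAC authentication, and lints the "last rule deny ip" and "source address" mistakes. The portal address 192.0.2.10 stands in for the page's x.x.x.x; how the AC treats traffic that matches no rule is left out of the simulation, because the page does not state it.

```python
"""Offline simulation of a redirection ACL (added example, not Huawei code): parse
ACL 3003, apply the inverted permit/deny semantics, lint the page's two caveats."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68, "www": 80}  # IANA well-known ports
PORTAL_IP = "192.0.2.10"  # constructed placeholder for the page's x.x.x.x
ACL_3003 = f"""
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination {PORTAL_IP} 0
rule 8 permit tcp destination-port eq www
rule 9 permit tcp destination-port eq 443
"""

@dataclass
class Rule:
    rule_id: int
    action: str                     # "permit" (= redirect) or "deny" (= pass through)
    proto: str                      # "ip", "tcp" or "udp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_addr: Optional[int] = None  # destination address as int, masked by dst_wc
    dst_wc: int = 0                 # Huawei wildcard: 1 bits are "don't care"
    has_src_addr: bool = False      # "source a.b.c.d" present (the page says: do not)

def _ip(token: str) -> int:
    # Huawei accepts a bare "0" as shorthand for the wildcard 0.0.0.0
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))

def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule":
            continue
        r, i = Rule(rule_id=int(tok[1]), action=tok[2], proto=tok[3]), 4
        while i < len(tok):
            if tok[i] in ("source-port", "destination-port") and tok[i + 1] == "eq":
                port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
                if tok[i] == "source-port":
                    r.src_port = port
                else:
                    r.dst_port = port
            elif tok[i] == "destination":
                r.dst_addr, r.dst_wc = _ip(tok[i + 1]), _ip(tok[i + 2])
            elif tok[i] == "source":
                r.has_src_addr = True
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
            i += 3  # every supported clause is three tokens long
        rules.append(r)
    return rules

def _matches(r: Rule, pkt: dict) -> bool:
    if r.proto != "ip" and r.proto != pkt["proto"]:
        return False
    if r.src_port is not None and pkt.get("sport") != r.src_port:
        return False
    if r.dst_port is not None and pkt.get("dport") != r.dst_port:
        return False
    if r.dst_addr is None:
        return True
    return (int(ipaddress.IPv4Address(pkt["dst"])) & ~r.dst_wc) == (r.dst_addr & ~r.dst_wc)

def evaluate(rules: list, pkt: dict) -> tuple:
    """First match wins: permit => 'redirect' to the portal, deny => 'pass'.
    Traffic matching no rule is reported as 'unmatched' (AC behaviour not simulated)."""
    for r in rules:
        if _matches(r, pkt):
            return ("redirect" if r.action == "permit" else "pass", r.rule_id)
    return ("unmatched", None)

def lint(rules: list) -> list:
    """Flag the two configurations the page warns against."""
    warnings, last = [], rules[-1]
    if (last.action == "deny" and last.proto == "ip" and last.src_port is None
            and last.dst_port is None and last.dst_addr is None and not last.has_src_addr):
        warnings.append(f"rule {last.rule_id}: catch-all 'deny ip' as the last rule "
                        "disables any common ACL assigned together with this ACL")
    for r in rules:
        if r.has_src_addr:
            warnings.append(f"rule {r.rule_id}: source address in a redirection ACL "
                            "rule can interrupt traffic and break authentication")
    return warnings

# Constructed sample packets from a client that has only passed MAC authentication
SAMPLE_PACKETS = {
    "dns_query":      {"proto": "udp", "dst": "192.0.2.53", "sport": 51000, "dport": 53},
    "dhcp_discover":  {"proto": "udp", "dst": "255.255.255.255", "sport": 68, "dport": 67},
    "https_portal":   {"proto": "tcp", "dst": PORTAL_IP, "sport": 51001, "dport": 443},
    "https_internet": {"proto": "tcp", "dst": "198.51.100.7", "sport": 51002, "dport": 443},
    "http_internet":  {"proto": "tcp", "dst": "198.51.100.7", "sport": 51003, "dport": 80},
    "ssh_internet":   {"proto": "tcp", "dst": "198.51.100.7", "sport": 51004, "dport": 22},
}
RULES = parse_acl(ACL_3003)

if __name__ == "__main__":
    print({n: evaluate(RULES, p) for n, p in SAMPLE_PACKETS.items()}, lint(RULES))
```

Running it shows DNS, DHCP and portal traffic passing on rules 1, 3 and 7, HTTP and HTTPS to any other destination being redirected by rules 8 and 9, and SSH matching nothing. Appending "rule 10 deny ip" to the ACL makes lint() report the catch-all that would silence a common ACL assigned by the RADIUS server.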
2nd Step: Configure RADIUS communication parameters, including the RADIUS server template, AAA schemes, and authentication domain.
# Create the RADIUS server template policy.
radius-server template cwa
radius-server shared-key cipher xyy
radius-server authentication x.x.x.x 1812 weight 80
radius-server accounting x.x.x.x 1813 weight 80
radius-server authorization x.x.x.x shared-key cipher xxx // RADIUS authorization pre-shared key between the server and the WLC
radius-server authorization attribute-decode-sameastemplate // enables the device to encapsulate attributes in the CoA/DM response
radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common
# Create the AAA authentication scheme auth.
accounting start-fail online
3rd Step: Create the authentication-profile
# Create the MAC access and the authentication profile
authentication-profile name cwa
4th Step: Configure WLAN service parameters.
vap-profile name cwa
service-vlan vlan-id xxx
5th Step: Configure the ClearPass server with the following RADIUS attributes:
(1) 26-155 HW-Portal-URL
(2) 26-173 HW-Redirect-ACL
(3) 26-238 HW-Ext-Specific
The server is expected to send the RADIUS attributes 26-155 HW-Portal-URL and 26-173 HW-Redirect-ACL in the Access-Accept message during the initial MAC authentication, after which the user is redirected to the HTTPS portal page.
The server shall also be configured for CoA so that, after portal authentication succeeds, the user repeats the MAC authentication process and is granted full permissions. The CoA message carries attribute 26-238 HW-Ext-Specific with "user-command=1", which forces the user to re-authenticate.
More details about the HW private attributes and their format can be found in the product documentation of the wireless AC.
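To make the two RADIUS exchanges in step 5 concrete, here is an added example (not ClearPass or Huawei code, and not from the original page) that builds the Huawei vendor-specific attributes for the Access-Accept and the CoA-Request, decodes them with length checks, and maps the decoded attributes to the AC reaction the text describes. The wire layout is the RFC 2865 Vendor-Specific attribute (type 26) with Huawei's enterprise number 2011; the vendor-type numbers 155, 173 and 238 are those listed above. Treating all three values as plain text strings, the portal URL https://clearpass.example.net/guest/cwa.php, and the simplified ac_reaction() state machine are assumptions of this example.

```python
"""Encoding/decoding of the Huawei vendor-specific RADIUS attributes that drive
the CWA flow (added example, not ClearPass or Huawei code).  Layout is the RFC
2865 Vendor-Specific attribute (type 26) with Huawei's enterprise number 2011.
Treating the three values as plain strings is an assumption: the page defers
the exact attribute formats to the AC's product documentation."""
import struct

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011
HW_PORTAL_URL, HW_REDIRECT_ACL, HW_EXT_SPECIFIC = 155, 173, 238
VSA_NAMES = {155: "HW-Portal-URL", 173: "HW-Redirect-ACL", 238: "HW-Ext-Specific"}

def encode_hw_vsa(vendor_type: int, value: str) -> bytes:
    """Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) value."""
    data = value.encode()
    if len(data) > 255 - 8:
        raise ValueError("value does not fit in one RADIUS attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), HUAWEI_VENDOR_ID) + sub

def decode_attributes(buf: bytes) -> list:
    """Walk a RADIUS attribute list.  Huawei VSAs come back as (name, str),
    anything else as (type, raw bytes).  Every length field is bounds-checked
    before use, since it arrives from the network."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        body = buf[i + 2:i + alen]
        i += alen
        if (atype != VENDOR_SPECIFIC or len(body) < 4
                or struct.unpack("!I", body[:4])[0] != HUAWEI_VENDOR_ID):
            out.append((atype, body))
            continue
        j = 4
        while j < len(body):
            if j + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("bad vendor-length")
            out.append((VSA_NAMES.get(vtype, f"HW-{vtype}"), body[j + 2:j + vlen].decode()))
            j += vlen
    return out

def ac_reaction(attrs: list) -> dict:
    """What the AC does with the decoded attributes, following the page's
    description of the flow (a simplification, not the AC's real state machine)."""
    hw = {name: val for name, val in attrs if isinstance(name, str)}
    if "HW-Portal-URL" in hw and "HW-Redirect-ACL" in hw:
        return {"action": "redirect", "url": hw["HW-Portal-URL"], "acl": hw["HW-Redirect-ACL"]}
    if hw.get("HW-Ext-Specific") == "user-command=1":
        return {"action": "reauthenticate"}
    return {"action": "none"}

# Constructed messages: the Access-Accept attributes after MAC authentication and
# the CoA-Request attribute after a successful portal login.  The URL is a placeholder.
ACCESS_ACCEPT_ATTRS = (encode_hw_vsa(HW_PORTAL_URL, "https://clearpass.example.net/guest/cwa.php")
                       + encode_hw_vsa(HW_REDIRECT_ACL, "3003"))
COA_REQUEST_ATTRS = encode_hw_vsa(HW_EXT_SPECIFIC, "user-command=1")

if __name__ == "__main__":
    for attrs in (ACCESS_ACCEPT_ATTRS, COA_REQUEST_ATTRS):
        print(decode_attributes(attrs), "->", ac_reaction(decode_attributes(attrs)))
```

An Access-Accept that carries only one of the two attributes yields no redirect in this model, which matches the page's statement that both 26-155 and 26-173 are needed; a malformed length field raises instead of being trusted, the behaviour a defender wants from anything that parses RADIUS off the wire.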