Friday, May 10, 2013

FlexConnect Local Switching - Guest/BYOD

Overview
BYOD is all the rage lately so it is imparative for us to be able to get it working properly.  One environment that I found particularly challenging was getting Central Web Authentication working with FlexConnect and locally switched WLANs.  In this article I will step through a working configuration from both the ISE (Identity Services Engine) and WLC (Wireless LAN Controller) perspectives.  
NOTE: All components and configurations were performed in a lab environment.  If you are working in a production environment be sure to validate the steps in your scenario.
We will cover the configuration requirements in two major sections:  WLC Configuration and ISE Configuration
My lab consists of the following components: 
    Cisco vWLC version 7.5 (beta)
    Cisco 1131 AG Access Point
    Cisco CSR1000v
    Cisco ISE version 1.1.2 in Stand Alone Mode
    ESXi 5.1
    Ubuntu Server for DNS, NTP, etc
    Catalyst 2950 Lab for basic connectivity
WLC Configuration
Here is a summary of the steps to be performed in this section: 
1.Create the locally switched SSID
2.Create the access control list for Authenticated users
3.Create the access control list for web authentication redirect
4.Define the FlexConnect group
5.Configure the Access Point
1. Create new SSID named flex-guest
You can use any name you choose for your SSID.  I chose one that I could use that would be easily identifiable in my lab.  The SSID will be flex-guest in this example. 

Screen shot 2013 05 09 at 11 46 32 AM
     
Once you have created the WLAN and are in the configuration details screen, set the L2 security to be None and Mac Filtering as shown below.  This will allow ISE to treat this as wireless MAB (MAC Authentication Bypass) and it will flow through to the CWA profile to be created later. 
 Screen shot 2013 05 09 at 11 46 48 AM
     
Make sure to select your RADIUS servers for authentication and accounting on the AAA Servers tab.
Screen shot 2013 05 09 at 11 46 57 AM
It is required to enable AAA Override and NAC State of “Radius NAC”.
 Screen shot 2013 05 09 at 11 47 16 AM

In the FlexConnect Section will will make this WLAN locally switched. 
Screen shot 2013 05 09 at 11 47 29 AM
2.  Create the flex-guest FlexConnect  access control list
We will have to configure a couple of ACLs to be used in our solution.  The first ACL will be the ACL that is applied to control what the guest users can do once authenticated.  This will be referenced in our Authorization Policy by name.  
The first ACL can be tailored to support your needs, but I have essentially allowed all traffic accept for ICMP to one of the IP addresses on the CSR1000v router for testing purposes. 
 Screen shot 2013 05 09 at 12 02 56 PM
3.  Create the  WEBAUTH-REDIRECT-ACL  access-control list
The WEBAUTH-REDIRECT-ACL is a FlexConnect ACL.  The FlexConnect ACL is applied to the FlexConnect Group under the Policies tab later.
FlexConnect ACL
Screen shot 2013 05 08 at 4 26 30 PM
I created the ACL to be used during central web auth and will identify the traffic that will  be let through without being redirected.  There are some good examples out there in the Cisco trustsec docs you can copy.  I basically allowed any traffic to / from the ISE box and also DNS to get us going. 
4.  Define the FlexConnect Group
Create the Group and associate the access point. 
Screen shot 2013 05 09 at 12 04 51 PM
Associate the WEBAUTH-REDIRECT-ACL under the ACL Mapping -> Policies tab.
Screen shot 2013 05 08 at 4 26 16 PM
Add the WLAN to VLAN mapping 
Screen shot 2013 05 09 at 12 06 52 PM
5.  Configure the AP for FlexConnect 
First, ensure the access point is in AP Mode FlexConnect
Screen shot 2013 05 09 at 11 51 54 AM
Enable VLAN Support on the FlexConnect Tab.
Screen shot 2013 05 09 at 11 52 43 AM
Click the VLAN Mappings Tab and add the VLAN to the AP. 
Then at the bottom you will associated the FlexConnect FLEX-GUEST ACL created earlier. 
Screen shot 2013 05 09 at 11 53 20 AM
ISE Related Configurations
The assumption will be that you have a basic, functional ISE installation.  I will talk about only the specific configurations related to the FlexConnect lab I am working on.  
1.Guest Account Created and Active
2.Result Element Create for CWA 
3.Result Element Created for FLEX-GUEST
4.AuthZ Policy created for CWA
5.AuthZ Policy create for Activated Guest
1.  Guest Account Creation 
Login into your sponsor portal (default https://ise:8443) and create a guest account to be used during testing
2.  Create the Result Policy Element for central web auth
Screen shot 2013 05 09 at 4 04 10 PM
Screen shot 2013 05 09 at 4 04 22 PM
3.  Create the Result Policy Element for FLEX-GUEST 
Screen shot 2013 05 09 at 4 03 41 PM
Screen shot 2013 05 09 at 4 03 57 PM
4. Create the AuthZ policy for CWA
I am using the default catch all authorization policy in this example and have associated it with the result, CentralWebAuth, created in a prior step. 
Screen shot 2013 05 09 at 4 05 05 PM
5.  Create the AuthZ policy for FLEX-GUEST
This rules is using the ActivatedGuest endpoint group for guests and the result of FLEX-GUEST. 
Screen shot 2013 05 09 at 4 05 17 PM
The basic flow will be: 
1.Client Connects to the flex-guest SSID
2.WLC will send the RADIUS packet to ISE as MAB 
3.Since there is not an endpoint with the MAC address in the database we will allow authentication to “Continue” through to Authorization. 
4.There will also not be a match in the Authorization rules yet so it will end up at the default rule (CWA policy from above)
5.ISE returns RADIUS packet with the ACL name for webauth-redirect to be used and access-accept
6.WLC will use the webauth redirect ACL created locally to determine what traffic will qualify for redirect and send browser traffic to the ISE guest portal
7.User will enter the guest username and password created in the sponsor portal
8.Following success authentication the COA is issued and the ACL from (FLEX-GUEST) will replace the webauth redirect and the client will enter the run state.  

1 comment:

  1. This information is helpful for gather knowledge about bring your own device and security also. For implementation and of byod security and byod security policy http://byodsecurity.org that site also
    effective.

    ReplyDelete