
 

Cisco Meraki Documentation

CWA - Central Web Authentication with Cisco ISE

 

Cisco Identity Services Engine (ISE) may be used for guest management when paired with Meraki Access Points. Cisco ISE is another option for authorizing users, enabling many additional business use cases. 

 

Meraki APs will pass necessary information over to Cisco ISE using MAC-based authentication and honor a Uniform Resource Locator (URL) redirect that is received from the Cisco ISE Server. Using change of authorization (CoA), the Cisco ISE server can ensure that the correct authorization is applied to the end user devices based on the authentication status. 

 

Expected Packet Flow 


[Diagram: expected packet flow between the client machine (supplicant), the MR (authenticator) and ISE (authentication server)]

 

  1. Client machine associates to the web authentication SSID.

  2. The MR sends the client MAC address to the RADIUS server as username and password (Access-Request), and responds to the client machine acknowledging the association request.

  3. ISE server responds with a RADIUS Access-Accept and a redirect URL.

  4. Client machine gets an IP address and DNS server address through DHCP.

  5. Client machine tries to reach a webpage, which results in an HTTP GET packet.

  6. MR intercepts the GET packet and sends the redirect URL instead (with the webpage hosted on ISE).

  7. Client machine authenticates on the ISE web portal.

  8. RADIUS server then sends a CoA request (CoA requests work on UDP port 1700) asking the MR to re-authenticate the client, also indicating that the user is valid.

  9. MR sends CoA-ACK.

  10. MR (authenticator) sends an Access-Request with the existing client machine's session-ID and MAC address.

  11. ISE server then responds with Access-Accept and any extra ISE functions after the client's successful authentication to the web portal.

  12. Client is allowed access to the network.

 

Configuration

The following sections of this guide outline a configuration example using Cisco ISE as the guest management system, which also hosts the captive portal. 

Meraki Access Point Dashboard Configuration

All of the Meraki Access Point settings outlined below are on the Access Control page for a particular SSID (Wireless > Configure > Access Control). 

Configure MAC-Based Authentication

Select MAC-based access control from the Security section of the access control page.

[Screenshot: Security section configured for MAC-based access control, with the RADIUS server queried at association time]

 

Enter the details for the RADIUS server including the IP address, port, and secret. If using Group Policies, select Airspace-ACL-Name as the RADIUS attribute specifying the group policy name. The Airspace-ACL-Name must match the name of one of your group policies configured under Network-wide > Group Policies. Enable CoA support if there is a requirement to change the attributes of an authentication, authorization, and accounting (AAA) session.

[Screenshot: one RADIUS server and one accounting server configured, with CoA support enabled]

Configure CWA for Splash page

Select Cisco Identity Services Engine (ISE) Authentication in the Splash Page section of the access control page. This setting will honor the Cisco custom url-redirect attribute sent from Cisco ISE. 

 

[Screenshot: Splash page configured for Cisco Identity Services Engine (ISE) Authentication, redirecting users to the Cisco ISE web portal for device posturing and guest access]

Configure the Walled Garden

The IP address of the Cisco ISE server needs to be added to the Walled garden under Advanced splash settings to ensure that a client will be permitted through the Walled garden before being authenticated by the Cisco ISE server.

[Screenshot: Advanced splash settings with captive portal strength set to block all access until sign-on is complete, and Walled garden enabled]

 

Note: DNS traffic is permitted by default through the Walled garden

An access policy type of Hybrid Authentication with the Increase Access Speed option enabled will result in CWA failing. Please uncheck the Increase Access Speed option if you are planning to use CWA.

Disable CNA

As of Cisco ISE 2.2, Apple CNA is supported for Guest and BYOD. Beginning July 26th, 2017, Apple CNA and Android captive portal detection are enabled by default on Cisco Meraki MR access points. On iOS 7+ and OS X, the client will automatically launch a mini-browser (CNA) that takes the user to the splash page to complete authentication and gain access to the network. Android devices will display a notification on the device prompting the user to sign into the Wi-Fi network. Tapping the notification will launch the device browser and direct the user to the splash page. To disable CNA and captive portal detection, append the following 17.0.0.0/8 IP range and domain names to the walled garden below the ISE server address as shown below (192.168.140.37/32 being the ISE IP address in this example):

[Screenshot: Advanced splash settings with captive portal strength set to block all access until sign-on is complete, and Walled garden enabled with the ISE address and the CNA ranges]

Copy/paste:

17.0.0.0/8
captive.apple.com
*.apple.com
*.appleiphonecell.com
*.ibook.info
*.itools.info
*.airport.us
*.thinkdifferent.us
clients3.google.com
*.gstatic.com

Disabling CNA will require that users manually open their web browser before being presented with the splash page. Applications on the user's device that require Internet connectivity will not function as expected until the user has opened their web browser and completed authentication via the splash page. If your network contains Apple devices running iOS 14/macOS Big Sur and newer operating systems, DHCP option 114 can be leveraged instead of Apple's legacy Captive Portal networks. For additional info, please see Apple's How to modernize your captive network documentation.

Cisco ISE Configuration

The following sections focus on Cisco ISE 2.4 and present a basic configuration using the default web portal from Cisco ISE. For more information about web portal customization, please refer to the ISE documentation.

Adding Managed Network Devices

MR access points acting as authenticators (the devices through which AAA requests are sent to Cisco ISE) need to be added to ISE as network devices before their Access-Requests will be answered; by default, ISE will not answer requests from unknown devices.

 

To add a new device:

  1. In Cisco ISE, choose Administration > Network Resources > Network Devices.

  2. From the Network Devices navigation pane on the left, click Network Devices.

 

[Screenshot: adding Managed Network Devices in Cisco ISE via Administration > Network Resources > Network Devices]

 

  3. Click Add from the action icon on the Network Devices navigation pane, or click an already added device name in the list to edit it.

  4. In the right pane, enter the Name and IP Address. For the mask, a range such as /24 can be used to cover several APs in one network instead of importing each AP manually.

  5. Check the Authentication Settings check box and define a Shared Secret for RADIUS authentication. This must match the Secret entered for the RADIUS server when configuring the SSID in Dashboard.

 

[Screenshot: configuring a new network device with name, description, device profile and network device group, along with the RADIUS Authentication Settings and the Submit/Cancel buttons]

 

  6. Click Submit.

 

Once a device is added, it will show up on the device list in ISE.

 

[Screenshot: the newly added device (MerakiAP, device profile Cisco) appearing in the Network Devices list in the ISE portal]

 

Creating Results for Rules

A new authorization profile (result) needs to be created in which the redirection will be specified.

To do this, go to “Policy > Results”. Click on Authorization and Authorization Profiles.

 

[Screenshot: Policy > Results > Authorization > Authorization Profiles, where the Add button creates the new profile specifying the redirection]

 

Click on “Add”.

 

  1. Name this authorization profile.

  2. Under Common Tasks, select “Web Redirection (CWA, MDM, NSP, CPP)”, choose Centralized Web Auth, set ACL to “NULL” and Value to “Self-Registered” (these values can change depending on your needs).

Optionally, a static IP can be used for the redirect so that no DNS server is needed; however, this is not recommended because the IP address of the ISE server will then be in clear text and visible to the end client.

 

[Screenshot: the new Authorization profile with its name, Web Redirection selected under Common Tasks with Centralized Web Auth, ACL set to NULL and Value set to Self-Registered]

 

Enabling Policy Sets

Cisco ISE supports policy sets, which allow grouping sets of authentication and authorization policies, as opposed to the basic authentication and authorization policy model, which is a flat list of authentication and authorization rules. Policy sets allow for logically defining an organization's IT business use cases into policy groups or services, such as VPN and 802.1X. This makes configuration, deployment, and troubleshooting much easier.

In Cisco ISE, choose Administration > System > Settings > Policy Sets.

Creating a Policy Set

  1. Click on Policy > Policy Set

 

[Screenshot: the ISE Policy tab with Policy Sets selected and the plus sign used to create a new policy set]

 

  2. Click the plus (+) sign, or click the settings icon and then Create, to create a new policy set.

  3. Enter the Name, Description and a Condition for this policy set.

  4. Click on Condition; a new menu will appear. Match the condition necessary. Per-SSID policy sets are recommended, so the attribute “Radius·Called-Station-ID” ENDS WITH “<SSID name>” is the preferred option. Click “Use” after configuring this step.

 

[Screenshot: the new policy set with name, description and condition, with the Condition menu open to match the per-SSID condition]

 

  5. Define the allowed protocols; by default “Default Network Access” can be used.

  6. Click on “Save”.

 

[Screenshot: the allowed protocols defined as Default Network Access]

 

Create Authentication Policy

  1. View the policy by clicking on the right arrow.

  2. Click on “Options”.

  3. Change “If user not found” to CONTINUE.

 

[Screenshot: Authentication Policy of the policy set called CWA, showing the default authentication policy]

 

 

Create Authorization Policy

Two rules are required in Authorization Policies for Central Web-Auth, one rule will prompt the redirection and the second rule will grant access once the client machine has passed web page authentication.

 

  1. Click on Authorization Policy

 

[Screenshot: the policy set's Authorization Policy, showing the status of the Default rule]

 

  1. Click on the (+) sign or on the settings icon to create a new rule.

  2. Click on “Condition”; a new window will pop up. In this window, the method of the client requesting access can be selected. 

    • Look for Called-Station-ID and match it to the name of the SSID.

 

[Screenshot: the Conditions Studio library with Called-Station-ID selected as the condition attribute, matched to the name of the SSID]

[Screenshot: the Conditions Studio condition Called-Station-ID CONTAINS CWA_RO, with the Duplicate and Save buttons]

 

  3. Click “Use”.

  4. Under “Results”, select the name of the profile created for redirection, in this case “CWA”.

 

For the second rule, click on the Action icon and select “Insert new row above”.

 

[Screenshot: the redirection rule with result CWA, and the Action icon menu with Insert new row above selected]

 

  1. Click on “Condition”; a new window will pop up. In this window, the method of the client requesting access can be selected. 

  2. Look for “IdentityGroup:Name”.

 

[Screenshot: the Conditions Studio window with IdentityGroup:Name selected as the attribute]

 

  3. Select “In” and “Endpoint Identity Groups: GuestEndpoints”.

 

[Screenshot: the condition IdentityGroup:Name IN Endpoint Identity Groups:GuestEndpoints]

 

  4. Click on “Use”.

  5. Under “Results”, select the profile called “PermitAccess”.

  6. Click Save.

 

Both rules should be created and should look like the image below, order is very important.

 

[Screenshot: the authorization rules in order: Passed Web first, Redirection second, and the Default rule last]
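Why the order matters, and how it ties back to the CoA re-authentication in the packet flow, can be seen in this added example (Python; not Cisco or Meraki code). It evaluates the two authorization rules top-down, first match wins, the way ISE does. Assumptions: the SSID name CWA_RO from the screenshots, a Meraki Called-Station-ID of the form <AP MAC>:<SSID>, and DenyAccess as the result of the Default rule.

```python
"""Added example (not Cisco or Meraki code): first-match evaluation of the two
CWA authorization rules. Assumed: SSID "CWA_RO" (from the screenshots),
Called-Station-ID formatted "<AP MAC>:<SSID>", DenyAccess as the Default rule."""
from dataclasses import dataclass, field

SSID = "CWA_RO"

@dataclass
class AccessRequest:
    calling_station_id: str  # client MAC
    called_station_id: str   # "<AP MAC>:<SSID>" (assumed Meraki format)
    session_id: str          # unchanged between step 2 and step 10 of the flow

@dataclass
class Ise:
    # Endpoints registered by the guest portal; 'Passed Web' keys on this group.
    guest_endpoints: set = field(default_factory=set)

    def rules(self):
        """Authorization rules in the order shown on the page (top first)."""
        return [
            ("Passed Web", lambda r: r.calling_station_id in self.guest_endpoints, "PermitAccess"),
            ("Redirection", lambda r: r.called_station_id.endswith(SSID), "CWA"),
        ]

    def authorize(self, req, rules=None):
        """ISE policy semantics: evaluate top-down, the first matching rule decides."""
        for name, condition, result in (rules if rules is not None else self.rules()):
            if condition(req):
                return name, result
        return "Default", "DenyAccess"  # assumed default authorization rule

def cwa_flow(ise, client_mac, ap_mac="00-18-0a-11-22-33"):
    """Steps 2-3 and 10-11 of the packet flow for one client session (constructed)."""
    req = AccessRequest(client_mac, f"{ap_mac}:{SSID}", session_id="0a000001")
    before_portal = ise.authorize(req)      # MAB: Access-Accept + url-redirect (CWA profile)
    ise.guest_endpoints.add(client_mac)     # step 7: portal login registers the endpoint
    after_coa = ise.authorize(req)          # step 10: same session-ID re-authenticated after CoA
    return before_portal, after_coa

def misordered(ise, client_mac, ap_mac="00-18-0a-11-22-33"):
    """Same registered endpoint, but with 'Redirection' placed above 'Passed Web'."""
    req = AccessRequest(client_mac, f"{ap_mac}:{SSID}", session_id="0a000001")
    return ise.authorize(req, rules=list(reversed(ise.rules())))
```

With the rules reversed, a client that has already passed the portal keeps matching Redirection and is sent back to the portal after every CoA re-authentication, which is the failure the ordering above prevents.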

 

Note: If Active Directory is being used, it is recommended to match the AD group where most of the users exist, for better security and functionality.

Within the Passed Web conditions, Network Access-Use Case EQUALS Guest Flow is not supported with Meraki APs. If this condition is used, the client's session is reset every time they roam and will have to reauthenticate.

 
