Home > Articles > Web Authentication

Web Authentication

Contents

  1. "Do I Know This Already?" Quiz
  2. Web Authentication Scenarios
  3. Configuring Centralized Web Authentication
  4. Building CWA Authorization Policies
  5. Verifying Centralized Web Authentication
  6. Exam Preparation Tasks
  7. Review All Key Topics
  8. Define Key Terms
  9. Q&A

Chapter Description

There are a number of reasons that a company may choose to implement a WebAuth strategy. In this sample chapter from CCNP Security Identity Management SISE 300-715 Official Cert Guide, you will learn how to configure Centralized Web Authentication, build CWA authorization rules, and verify Centralized Web Authentication.

From the Book

CCNP Security Identity Management SISE 300-715 Official Cert Guide

CCNP Security Identity Management SISE 300-715 Official Cert Guide

$55.99 (Save 20%)

Configuring Centralized Web Authentication

Multiple devices need to be configured to enable CWA. The network access device (NAD) requires some special configuration, such as a redirection ACL; in addition, ISE needs authentication and authorization rules set up for CWA. The following sections look at these configurations.

Cisco Switch Configuration

With secure network access using ISE, the switch performs the URL redirection for Web Authentication and also redirects the discovery traffic from the posture agent to the ISE policy service node.

Performing URL redirection at the Layer 2 access (edge) device is a vast improvement over previous NAC solutions, which requires an appliance (such as the inline device) to capture web traffic and perform redirection to a Web Authentication page. URL redirection at the Layer 2 access device simplifies Web Authentication deployment, device onboarding, and the posture agent discovery process.

Configure Certificates on the Switch

In order to redirect HTTPS traffic, there is a prerequisite for the switch to have its own certificate. To configure a certificate, perform the following tasks in global configuration mode on a switch:

NOTE

Cisco IOS does not allow for certificates or even self-generated keys to be created and installed until a DNS domain name is defined on the device.

  • Step 1. To set the DNS domain name on the switch, type ip domain-name domain-name at the global configuration prompt. Now that the domain name is configured, and the keys can be generated.

  • Step 2. To generate keys to be used for HTTPS, type crypto key generate rsa general-keys mod 2048 at the global configuration prompt.

Enable the Switch HTTP/HTTPS Server

The embedded HTTP/HTTPS server in IOS is used to grab HTTP traffic from the user and redirect that user’s browser to the Centralized Web Authentication portal or to a device registration portal or even to the mobile device management onboarding portal. This same function is used for redirecting the posture agent’s traffic to the Policy Services node. Follow these steps to enable the switch HTTP/HTTPS server:

  • Step 1. Enable the HTTP server by entering the following command in global configuration mode:

    C3850(config)# ip http server

  • Step 2. Enable the HTTP secure server by entering the following command:

    C3850(config)# ip http secure-server

Many organizations need to ensure that this redirection process, which is using the switch’s internal HTTP server, is decoupled from the management of the switch itself. To disconnect the HTTP management process from the URL-redirection process, run the following two commands in global configuration mode:

key_topic_icon.jpg 
C3850(config)# ip http active-session-modules none
C3850(config)# ip http secure-active-session-modules none

Verify the URL-Redirect ACL

In Chapter 11, you created an access list named ACL-WEBAUTH-REDIRECT, which is used to determine what traffic is redirected to the CWA portal with the permit statement. Any traffic that is denied is not redirected.

key_topic_icon.jpg

Contrary to the way a wireless LAN controller works, the URL-Redirect ACL on a switch is used only to determine what traffic is redirected and what traffic is not redirected. If network traffic is denied from redirection, it is not necessarily denied the ability to traverse the network. The traffic-filtering capability comes from the downloadable ACL (dACL) that is sent to the switch from ISE as part of the authorization result.

The use of dual ACLs is limited to IOS-based wired and wireless devices. (The AirespaceOS wireless controllers behave differently and are covered later in this chapter.) Follow these steps to verify the URL-Redirect ACL:

  • Step 1. Validate whether the ACL-WEBAUTH-REDIRECT ACL is configured on the NAD by entering the following command:

    C3850# show ip access-list ACL-WEBAUTH-REDIRECT
Extended IP access list ACL-WEBAUTH-REDIRECT
 10 deny udp any any eq domain
 20 permit tcp any any eq www
 30 permit tcp any any eq 443

    If the ACL is not there or needs to be modified, continue to step 2.

  • Step 2. Add the following ACL to be used for URL redirection with Web Authentication:

    C3850(config)# ip access-list ext ACL-WEBAUTH-REDIRECT
C3850(config-ext-nacl)# remark explicitly deny DNS from
being redirected to address a bug
C3850(config-ext-nacl)# deny udp any any eq 53
C3850(config-ext-nacl)# remark redirect all applicable
traffic to the ISE Server
C3850(config-ext-nacl)# permit tcp any any eq 80
C3850(config-ext-nacl)# permit tcp any any eq 443
C3850(config-ext-nacl)# remark all other traffic will be
implicitly denied from the redirection

Cisco WLC Configuration

Cisco switches are responsible for redirecting web browser traffic to the centralized portal(s), and Cisco WLCs must do the same thing.

NOTE

As stated in the introduction to this chapter, you are expected to have already configured the WLC according to the directions in Chapter 11. In Chapter 11, you should have created an “open” WLAN with MAC filtering enabled and the NAC state configured for ISE NAC. In addition, you created an access list named ACL-WEBAUTH-REDIRECT.

Validate That MAC Filtering Is Enabled on the WLAN

The MAC Filtering option for an open wireless network configures a WLAN for wireless MAB. This is necessary to ensure that an authentication is sent from the WLC to ISE, so ISE can return the URL redirection in the authorization result.

From the WLC’s GUI, navigate to the WLANs tab, examine the list of WLANs, and ensure that MAC Filtering is listed in the Security Policies column, as shown for the CiscoPress-Guest SSID in Figure 12-4.

12fig04.jpg

Figure 12-4 MAC Filtering on an Open SSID

Validate That ISE NAC Is Enabled on the WLAN

The ISE NAC feature is a very important setting. It is critical to allow for URL redirection, Centralized Web Authentication, posture assessment, native supplicant provisioning, and more.

From the WLC GUI, follow these steps:

  • Step 1. Navigate to WLANs > and select your open SSID.

  • Step 2. Click on the Advanced tab.

  • Step 3. Ensure that NAC State is forest to ISE NAC, as shown in Figure 12-5. In the same screen, ensure that Allow AAA Override is set to Enabled.

12fig05.jpg

Figure 12-5 ISE NAC Setting

Validate That the URL-Redirection ACL Is Configured

The last critical item you need to ensure exists in the WLC configuration is an ACL to use for URL redirections. In Chapter 11, you created an ACL named ACL-WEBAUTH-REDIRECT, which is used to determine what traffic is redirected to the CWA portal with the deny statement. Any traffic that is permitted is not redirected.

key_topic_icon.jpg

Unlike IOS-based NADs, AirespaceOS-based wireless controllers use a single ACL to determine which traffic to redirect and which traffic to permit through. In other words, both redirection and traffic filtering are handled by a single ACL. Therefore, the logistics of which traffic is redirected are not the same as with IOS-based devices. With Cisco WLCs, a deny statement means that traffic should be redirected. A permit statement allows the traffic through the WLC and bypasses the redirection.

In the WLC GUI, follow these steps:

Configure ISE for Centralized Web Authentication

When you’re sure the key elements of the network devices are configured correctly, it’s time to ensure that ISE is configured correctly, too. A key change must be made in the authentication policy: An identity source sequence that uses all the appropriate identity stores and the appropriate traffic-filtering dACLs need to be configured. In addition, you need to create the appropriate authorization rules for both before and after Web Authentication.

NOTE

Beginning with ISE Version 2.0, ISE contains “smart default” policies. These are preconfigured policies that help customers deploy things like CWA, BYOD, and posture. Due to a communication error between the software developers and Aaron Woland (the man who drove the idea behind smart defaults), those smart defaults include using an ACL named ACL_WEBAUTH_REDIRECT. Notice the underscore instead of the dash. This section does not use the prebuilt rules but shows how to create new rules.

The sections that follow describe the key steps in configuring ISE for Centralized Web Authentication:

  • Step 1. Configure MAB Continue for the Authentication.

  • Step 2. Verify the Web Authentication identity source sequence.

  • Step 3. Configure a dACL for pre-WebAuth authorization.

  • Step 4. Configure an authorization profile.

Configure MAB Continue for the Authentication

WebAuth is often used for guest access, which means an endpoint is likely to be unknown to ISE when a guest attaches to the network. It is therefore critical to set the identity options to continue when the MAC address is unknown. This has been the default for MAB since ISE Version 2.0, but we examine it anyway to better understand the situation.

In the ISE GUI, follow these steps (see Figure 12-8):

12fig08.jpg

Figure 12-8 MAB Continue

  • Step 1. Navigate to Work Centers > Network Access > Policy Sets.

  • Step 2. Select the Default policy set.

  • Step 3. Expand the Authentication Policy section.

  • Step 4. In the MAB rule, click Options underneath Internal Endpoints.

  • Step 5. Ensure that If User Not Found is set to CONTINUE.

Verify the Web Authentication Identity Source Sequence

There is a preconfigured identity source sequence (ISS) named Guest_Portal_Sequence. The default Web Authentication portal is configured to use this ISS. It is configured by default to check Internal Users, Guest Users, and All_AD_Join_Points—in that order.

There is no configuration change required. This sequence, and all the preconfigured sequences since ISE Version 2.0, are ready to use as is. However, just to be sure it does what you need, in the ISE GUI, navigate to Work Centers > Network Access > Identities > Identity Source Sequence and select the Guest_Portal_Sequence, as shown in Figure 12-9.

12fig09.jpg

Figure 12-9 Identity Source Sequences

Configure a dACL for Pre-WebAuth Authorization

Before a device can reach the CWA portal, it first has to be permitted onto the network. Full network access is not desirable in most cases. For IOS-based devices, a dACL can and should be used to limit the network access.

In the ISE GUI, follow these steps:

  • Step 1. Navigate to Work Centers > Network Access > Policy Elements > Results > Downloadable ACLs, as shown in Figure 12-10.

    12fig10.jpg

    Figure 12-10 Downloadable ACLs

  • Step 2. Click Add.

  • Step 3. Name the new dACL WebAuth.

  • Step 4. Add a description.

  • Step 5. Configure the ACL to permit traffic to the ISE policy service nodes but deny access to the remainder of the internal network. Figure 12-11 shows what this might look like.

    12fig11.jpg

    Figure 12-11 Sample WebAuth dACL

  • Step 6. Click Submit.

Configure an Authorization Profile

At this point, you are ready to build the authorization profile to allow the end user onto the network, apply the URL redirection to the default CWA portal with the correct URL-Redirect ACL, and apply the dACL to limit network traffic.

In the ISE GUI, follow these steps:

  • Step 1. Navigate to Work Centers > Network Access > Policy Elements > Results > Authorization Profiles, as shown in Figure 12-12.

    12fig12.jpg

    Figure 12-12 Downloadable ACLs

  • Step 2. Click Add.

  • Step 3. Name the new Authorization Profile CWA.

  • Step 4. Select the WebAuth dACL.

  • Step 5. Select the Web Redirection checkbox and choose Centralized Web Auth from the first dropdown. In the ACL text box, type ACL-WEBAUTH-REDIRECT. You are using a default WebAuth portal, so ensure that Sponsored Guest Portal (default) is selected from the Value dropdown.

Figure 12-13 is a composite image that shows all the key parts in one graphic, including the complete authorization profile.

12fig13.jpg

Figure 12-13 Complete CWA Authorization Profile

key_topic_icon.jpg

Many organizations implement segmentation with ISE, as it is a security best practice. After all, this is a major use case for ISE and probably a big reason you are reading this book now. With segmentation, users and devices that have an 802.1X supplicant and perform strong authentication should be admitted to the network and kept separate (segmented) from users and devices that have not gone through strong authentication.

If you are going to use VLANs for segmentation, go for it. However, you don’t want to change VLANs on a device that is not using a supplicant unless you absolutely have no other choice.

A supplicant detects VLAN changes and renews its IP address in the new VLAN. Most devices that are not using a supplicant don’t detect that change of VLAN, and they therefore hold on to the wrong IP address, effectively ensuring that the device will be unable to communicate on the network at all.

Some tricks of the trade can be employed here. (Some in the industry like to call it network gymnastics.) Java and ActiveX applets can be used with WebAuth, and you can play tricks with the DHCP scope in the initial VLAN. The DHCP option is one of the better ones, as a lease can be issued for a very short time, such as 5 minutes. The rules of DHCP client behavior dictate that a client will try to renew its IP address at 50% of the lease time (in this case, 2.5 minutes). ISE has a built-in DHCP server for just such use cases.

However, the recommendation from most implementors is to change VLANs only on clients who use supplicants. Therefore, the default VLAN of your switch ports should remain in a common network segment for guest users and the like, while an authorization profile for employees who gain access via 802.1X should include the VLAN change, and an employee who gains access via CWA should land in the default VLAN of the switch.

4. Building CWA Authorization Policies | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020