08/09/2022, 03:06 Central Web Authentication on the WLC and ISE Configuration Example - Cisco
Central Web Authentication on the WLC and ISE Configuration Example
Updated: February 1, 2021 Document ID: 115732
Contents
Introduction
Prerequisites
Requirements
Components Used
Configure
WLC Configuration
ISE Configuration
Create the Authorization Profile
Create an Authentication Rule
Create an Authorization Policy
Enable the IP Renewal (Optional - not recommended)
Anchor-Foreign Scenario
Verify
Troubleshoot
Special Considerations for Anchoring Scenarios
Introduction
This document describes a configuration example that is used in order to complete Central Web Authentication (CWA) on the Wireless LAN Controller (WLC) with the Identity Services Engine (ISE) as the guest portal and RADIUS server.
It is superseded by the more complete Guest deployment guide available here:
https://communities.cisco.com/docs/DOC-77590
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
Cisco Identity Services Engine (ISE) Software Release 3.0
Cisco WLC Software Release 8.3.150.0
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html 1/17
Configure
The first method of web authentication is local web authentication (LWA). In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and performs a RADIUS authentication. For guest users, an external server such as Identity Services Engine (ISE) is required because the portal provides features such as device registration and self-provisioning. The flow includes these steps:
1. The user associates to the web authentication Service Set Identifier (SSID).
2. The user opens the browser.
3. The WLC redirects to the guest portal (such as ISE) as soon as a URL is entered.
4. The user authenticates on the portal.
5. The guest portal redirects back to the WLC with the credentials entered.
6. The WLC authenticates the guest user via RADIUS.
7. The WLC redirects back to the original URL.
This flow includes several redirections. The newer approach is CWA, whose flow includes these steps:
1. The user associates to the web authentication SSID, which is in fact open: no Layer 2 or Layer 3 security, only MAC filtering is enabled.
2. The user opens the browser.
3. The WLC redirects to the guest portal.
4. The user authenticates on the portal.
5. ISE sends a RADIUS Change of Authorization (CoA, UDP port 1700) to indicate to the controller that the user is valid, and optionally pushes RADIUS attributes such as an Access Control List (ACL).
6. The user is prompted to retry the original URL.
The setup used is:
WLC Configuration
The WLC configuration is fairly straightforward. The same mechanism as on switches is used in order to obtain the dynamic redirect URL from ISE: because CoA is used, a session must exist on the controller, and the session ID is part of the URL that ISE returns. The SSID is configured to use MAC filtering, and ISE is configured to return an Access-Accept even if the MAC address is not found, so that it sends the redirect URL for all users.
In addition, ISE NAC (Network Admission Control) and AAA Override must be enabled on the WLAN. ISE NAC allows ISE to send a CoA request that indicates that the user is now authenticated and is able to access the network. It is also used for posture assessment, in which case ISE changes the user profile based on the posture result.
Ensure that the RADIUS authentication server defined on the WLC has Support for CoA enabled, which is the default. Without it the controller ignores the CoA and the client never leaves the redirect state.
The final step is to create a redirect ACL. This ACL is referenced in the Access-Accept from ISE and defines which traffic is redirected (denied by the ACL) and which traffic is not redirected (permitted by the ACL). In this example only traffic to and from ISE is exempted from redirection. You might want to be more specific and only permit traffic to/from ISE on port 8443 (guest portal), but still redirect if a user tries to access ISE on port 80/443. Keep in mind that whatever the redirect ACL permits is reachable by a client that has not yet authenticated on the portal, so keep the permit list to what the portal flow needs.
Note: Earlier versions of WLC software such as 7.2 or 7.3 did not require you to specify Domain Name System (DNS), but later code versions require you to permit DNS traffic on that redirect ACL.
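The inverted permit/deny semantics of the redirect ACL are easy to get backwards, so here is a small model of how the controller applies it, written as an added example (not code from the Cisco document). It compares the loose ACL described above (exempt everything to and from ISE) with the tighter variant that only exempts the guest portal on 8443; the ISE, DNS and client addresses are constructed sample values, and the rule representation is a simplification of the WLC ACL editor (single port match instead of ranges).

```python
"""Model of a WLC redirect ACL as used by CWA (added example).

A PERMIT exempts the flow from redirection and lets it through; a DENY, or
the implicit deny at the end, means the WLC intercepts the HTTP request and
redirects the browser to the URL ISE returned. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ISE_IP = "10.106.32.25"      # constructed ISE PSN address
DNS_IP = "10.106.32.5"       # constructed internal DNS server
CLIENT = "10.106.32.122"     # constructed guest client address
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" (no redirect) or "deny" (redirect)
    protocol: Optional[str] = None  # None = any, else "tcp" / "udp"
    src: str = ANY
    dst: str = ANY
    src_port: Optional[int] = None  # None = any
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        (rule.protocol is None or rule.protocol == flow.protocol)
        and ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
        and (rule.src_port is None or rule.src_port == flow.src_port)
        and (rule.dst_port is None or rule.dst_port == flow.dst_port)
    )


def is_redirected(acl: List[Rule], flow: Flow) -> bool:
    """First matching rule decides; unmatched traffic hits the implicit deny
    and is redirected (dropped, if it is not HTTP)."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action == "deny"
    return True


# Loose variant from the page: DNS plus anything to or from ISE is exempt.
CWA_REDIRECT_LOOSE = [
    Rule("permit", "udp", dst=DNS_IP + "/32", dst_port=53),
    Rule("permit", "udp", src=DNS_IP + "/32", src_port=53),
    Rule("permit", dst=ISE_IP + "/32"),
    Rule("permit", src=ISE_IP + "/32"),
]

# Tighter variant: only the guest portal on 8443 is exempt, so a client that
# browses to the ISE admin ports 80/443 is still redirected.
CWA_REDIRECT_STRICT = [
    Rule("permit", "udp", dst=DNS_IP + "/32", dst_port=53),
    Rule("permit", "udp", src=DNS_IP + "/32", src_port=53),
    Rule("permit", "tcp", dst=ISE_IP + "/32", dst_port=8443),
    Rule("permit", "tcp", src=ISE_IP + "/32", src_port=8443),
]


def redirect_decisions(acl: List[Rule]) -> Dict[str, bool]:
    """Which of a CWA client's typical first flows get redirected."""
    flows = {
        "dns_query": Flow("udp", CLIENT, DNS_IP, 51000, 53),
        "portal_8443": Flow("tcp", CLIENT, ISE_IP, 51001, 8443),
        "portal_reply": Flow("tcp", ISE_IP, CLIENT, 8443, 51001),
        "ise_admin_443": Flow("tcp", CLIENT, ISE_IP, 51002, 443),
        "internet_http": Flow("tcp", CLIENT, "198.51.100.10", 51003, 80),
    }
    return {name: is_redirected(acl, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("loose", CWA_REDIRECT_LOOSE), ("strict", CWA_REDIRECT_STRICT)):
        print(label, redirect_decisions(acl))
```

The only difference between the two ACLs shows up on the ise_admin_443 flow: the loose ACL lets an unauthenticated client reach the ISE admin interface, the strict one redirects it to the portal like any other web traffic.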
The configuration is now complete on the WLC.
ISE Configuration
Create the Authorization Profile
On the ISE, the authorization profile must be created. Then, the authentication and authorization policies are
configured. The WLC should already be configured as a network device.
In the authorization profile, enter the name of the ACL created earlier on the WLC.
1. Click Policy, and then click Policy Elements.
2. Click Results.
3. Expand Authorization, and then click Authorization profile.
4. Click the Add button in order to create a new authorization profile for central webauth.
5. In the Name field, enter a name for the profile. This example uses WLC_CWA.
6. Choose ACCESS_ACCEPT from the Access Type drop-down list.
7. Check the Web Redirection check box, and choose Centralized Web Auth from the drop-down list.
8. In the ACL field, enter the name of the redirect ACL created earlier on the WLC, which defines the traffic to be redirected. This example uses CWA_Redirect.
9. In the Value field, choose Sponsored Guest Portal or Self-Registered Guest Portal from the drop-down list. With the sponsored guest portal, sponsors create guest accounts and guests access the network with their assigned username and password; with the self-registered guest portal, guests create their own accounts and access the network with the credentials they receive. This example uses Sponsored Guest Portal.
Create an Authentication Rule
Ensure that the ISE accepts all of the MAC authentications from the WLC and make sure it will pursue
authentication even if the user is not found.
Under Policy > Policy Sets > Default Policy Set, click Authentication.
The next image shows an example of how to configure the authentication policy rule. In this example, a rule is configured that triggers when MAC Authentication Bypass (MAB) is detected.
1. Enter a name for your authentication rule. This example uses MAB, which already exists by default on ISE.
2. Click the plus (+) icon in the condition field.
3. In the Conditions Studio, drag Wireless_MAB into the Editor window and click Save.
4. Choose Internal Endpoints as the identity store.
5. Click Options and choose Continue from the If User not found drop-down list.
Note: The MAB authentication rule is already created on ISE by default.
Create an Authorization Policy
Configure the authorization policy. One important point to understand is that there are two authentications/authorizations:
The first is when the user associates to the SSID ("CWA" in this case) and the CWA profile is returned. In this example, Airespace-Wlan-Id is used as a condition. When a client connects to the SSID, the RADIUS Access-Request to ISE contains the Airespace-Wlan-Id attribute, and this attribute is used to make policy decisions in ISE. So when an unknown client connects to SSID CWA, ISE sends an Access-Accept with the redirect URL (web portal) and ACL. Use of the Airespace-Wlan-Id condition ensures that the portal page is presented only to users that connect to the CWA SSID.
The second is when the user authenticates on the web portal. This one matches the default rule (internal users) in this configuration (it can be configured in order to meet your requirements). It is important that the authorization part does not match the CWA profile again; otherwise there will be a redirection loop. The Network Access:UseCase Equals Guest Flow attribute can be used in order to match this second authentication. The result looks like this:
Complete these steps in order to create the authorization rules as shown in the previous images:
1. Create a new rule, and enter a name. This example uses Guest Redirection.
2. Click the pencil icon in the condition field, and create a new condition.
3. Under Editor, click to add an attribute.
4. Choose Radius, and expand it.
5. Click Radius·Airespace-Wlan-Id, and choose the Equals operator.
6. Enter the WLAN ID of the CWA SSID in the right-hand field (1 in this example). Alternatively, Radius·Called-Station-ID CONTAINS CWA matches on the SSID name, provided the WLC RADIUS Call Station ID Type includes the SSID.
7. On the General Authorization page, choose WLC_CWA (Authorization Profile) under Results.
This rule allows ISE to continue even though the user (or the MAC address) is not known when connected to the CWA SSID, and to present the login portal.
8. Click the Actions button located at the end of the Guest Redirection rule, and choose to insert a new rule above it.
Note: It is very important that this new rule comes before the Guest Redirection rule.
9. Enter a name for the new rule. This example uses Guest Portal Auth.
10. In the condition field, click the pencil icon, and choose to create a new condition.
11. Choose Network Access, and click UseCase.
12. Choose Equals as the operator.
13. Choose Guest Flow as the right operand.
14. On the authorization page, click the drop-down option under Results.
You can choose the PermitAccess default authorization profile or create a custom profile in order to return the VLAN or other attributes you want. On top of the Guest Flow condition, you can add more conditions in order to return different authorization profiles based on the user group. This Guest Portal Auth rule matches the second MAC address authentication, initiated after the successful portal login and after ISE sent a CoA in order to re-authenticate the client. The difference with this second authentication is that, instead of seeing only the MAC address, ISE remembers the username given in the portal, so this authorization rule can take into account the credentials entered a few milliseconds before in the guest portal.
Note: In a multi-controller environment the WLAN ID must be the same across the WLCs for the Airespace-Wlan-Id condition to work. If you do not want to depend on the Airespace-Wlan-Id attribute, match the built-in Wireless_MAB condition instead.
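The ordering requirement in step 8 is the part of this policy that most often goes wrong, so the following added example (not code from the Cisco document) replays the two RADIUS authorizations of a CWA session against the two rules above as a first-match list. The request dictionaries are constructed; the attribute names follow the ISE conditions used on this page, and the session simulation assumes that the CoA re-authentication carries the Guest Flow use case, as the text describes.

```python
"""First-match evaluation of the Guest Portal Auth and Guest Redirection
rules, and the redirect loop that appears when they are swapped.
Added example; requests and profile contents are constructed."""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]
Profile = Dict[str, str]
Rule = Tuple[str, Callable[[Request], bool], Profile]

# Authorization profiles as returned in the Access-Accept.
WLC_CWA: Profile = {
    "Access-Type": "ACCESS_ACCEPT",
    "Web-Redirection": "Centralized Web Auth",
    "Url-Redirect-Acl": "CWA_Redirect",
}
PERMIT_ACCESS: Profile = {"Access-Type": "ACCESS_ACCEPT"}
DENY_ACCESS: Profile = {"Access-Type": "ACCESS_REJECT"}


def wlan_id_equals(value: int) -> Callable[[Request], bool]:
    return lambda req: req.get("Airespace-Wlan-Id") == value


def use_case_equals(value: str) -> Callable[[Request], bool]:
    return lambda req: req.get("Network Access:UseCase") == value


GUEST_PORTAL_AUTH: Rule = ("Guest Portal Auth", use_case_equals("Guest Flow"), PERMIT_ACCESS)
GUEST_REDIRECTION: Rule = ("Guest Redirection", wlan_id_equals(1), WLC_CWA)

CORRECT_ORDER: List[Rule] = [GUEST_PORTAL_AUTH, GUEST_REDIRECTION]
WRONG_ORDER: List[Rule] = [GUEST_REDIRECTION, GUEST_PORTAL_AUTH]


def authorize(policy: List[Rule], request: Request) -> Tuple[str, Profile]:
    """ISE evaluates rules top to bottom; the first match returns its profile."""
    for name, condition, profile in policy:
        if condition(request):
            return name, profile
    return "Default", DENY_ACCESS


def cwa_session(policy: List[Rule], wlan_id: int = 1) -> Tuple[List[str], bool]:
    """Replay the two authorizations of one CWA session.

    Returns the rules that matched and whether the second authorization
    would redirect again, i.e. the loop the page warns about."""
    mab: Request = {"Airespace-Wlan-Id": wlan_id,
                    "Calling-Station-ID": "d0-37-45-89-ef-64"}   # constructed
    first_rule, first_profile = authorize(policy, mab)
    if "Url-Redirect-Acl" not in first_profile:
        return [first_rule], False          # no portal shown, nothing to loop on
    # Portal login done, ISE sends CoA, the WLC re-runs MAB and ISE attaches
    # the portal identity and UseCase = Guest Flow to that request.
    reauth: Request = dict(mab, **{"Network Access:UseCase": "Guest Flow",
                                   "User-Name": "guest1"})
    second_rule, second_profile = authorize(policy, reauth)
    return [first_rule, second_rule], "Url-Redirect-Acl" in second_profile


if __name__ == "__main__":
    print("correct order:", cwa_session(CORRECT_ORDER))
    print("wrong order:  ", cwa_session(WRONG_ORDER))
    print("other WLAN:   ", cwa_session(CORRECT_ORDER, wlan_id=2))
```

With the rules in the wrong order the second request still carries Airespace-Wlan-Id = 1, matches Guest Redirection again and receives the redirect profile a second time, which is exactly the loop described above.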
Enable the IP Renewal (Optional - not recommended)
If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN in the Guest Portal Auth rule earlier, you can skip this step. This is not a recommended design: changing the client VLAN after it already got an IP address disrupts connectivity, some clients react badly to it, and the release/renew requires elevated privileges on Windows.
If you assigned a VLAN, complete these steps in order to enable IP renewal:
1. Click Work Centers > Guest Access, and then click Portals & Components.
2. Click Guest Portals.
3. Click Sponsored Guest Portal (used in this example), and then expand VLAN DHCP Release Page
Settings.
4. Click the VLAN DHCP Release check box.
Note: VLAN DHCP Release support is available for Windows devices only. It is not available for mobile devices. If the device being registered is mobile and the VLAN DHCP Release option is enabled, the guest is asked to manually renew their IP address. For mobile device users, we recommend using Access Control Lists (ACLs) on the WLC rather than VLAN changes.
Anchor-Foreign Scenario
This setup also works with the auto-anchor feature of the WLCs. The only catch is that, because this web authentication method is handled at Layer 2, the foreign WLC does all of the RADIUS work: only the foreign WLC contacts ISE, so the redirect ACL name must also exist on the foreign WLC. The foreign only needs an ACL with that name (it does not need any entries). The foreign WLC sends the ACL name to the anchor, and it is the anchor that applies the redirection and therefore needs the correct ACL content.
Just like in other scenarios, the foreign WLC quickly shows the client in the RUN state, which is not entirely true. It simply means that traffic is sent to the anchor from there. The real client state can be seen on the anchor, where it should display CENTRAL_WEBAUTH_REQD.
Here is the flow in an anchor-foreign setup:
1. The client connects to the SSID on the foreign WLC. The foreign WLC contacts the ISE server for MAB.
ISE sends access-accept with the redirect URL and redirect ACL to the foreign.
2. Now the client is anchored to the anchor WLC where it gets an IP address and is put in
CENTRAL_WEBAUTH_REQD.
3. When the client tries to access a website, the anchor WLC redirects the client to the ISE portal page.
The client is presented with the login page.
4. After successful login, ISE sends a CoA to the foreign WLC.
5. The foreign WLC contacts the anchor WLC to let it know to put the client in the RUN state.
6. All the client traffic is forwarded from foreign to anchor and goes out of the anchor WLC.
The firewall ports which are required to allow communication between the WLC, the client and ISE are:
UDP 1645 or 1812 (RADIUS authentication, WLC to ISE)
UDP 1646 or 1813 (RADIUS accounting, WLC to ISE)
UDP 1700 (RADIUS CoA, ISE to WLC)
TCP 8443 (guest portal, client to ISE) and TCP 8905 (posture, client to ISE, if you use posturing)
Note: The anchor-foreign setup with Central Web Authentication (CWA) only works in Release 7.3 or later.
Note: Due to Cisco bug ID CSCul83594, you cannot run accounting on both anchor and foreign, because it makes profiling inaccurate (potential lack of IP-to-MAC binding) and creates many issues with the session ID for guest portals. If you want accounting, configure it on the foreign controller only. This should no longer be the case starting with WLC software 8.6, where the session ID is shared between the anchor and foreign controllers and accounting can then be enabled on both.
Verify
Use this section in order to confirm that your configuration works properly.
1. Once the user is associated to the SSID, WLC contacts the ISE (as MAC filtering is configured). ISE has
been configured to return access accept with redirect URL and ACL. This is the first authentication.
The client details in the WLC show that the redirection URL and ACL are applied.
In the WLC client and AAA all debug, you can see access accept with the redirect URL and ACL sent from
the ISE.
*radiusTransportThread: d0:37:45:89:ef:64 Access-Accept received from RADIUS serv
*radiusTransportThread: AuthorizationResponse: 0x166ab570
*radiusTransportThread: structureSize................................425
*radiusTransportThread: resultCode...................................0
*radiusTransportThread: protocolUsed.................................0x00000001
*radiusTransportThread: proxyState...................................D0:37:45:89
*radiusTransportThread: Packet contains 4 AVPs:
*radiusTransportThread: AVP[01] User-Name................................D0-37-4
*radiusTransportThread: AVP[02] Class....................................CACS:0a
*radiusTransportThread: AVP[03] Cisco / Url-Redirect-Acl.................CWA_Red
*radiusTransportThread: AVP[04] Cisco / Url-Redirect.....................DATA (1
*radiusTransportThread: d0:37:45:89:ef:64 processing avps[0]: attribute 1
*radiusTransportThread: d0:37:45:89:ef:64 username = D0-37-45-89-EF-64
*apfReceiveTask: d0:37:45:89:ef:64 Redirect URL received for client from RADIUS.
The same thing can also be verified on ISE. Navigate to Operations > RADIUS > Live Logs and click the details for that MAC address.
You can see that for the first authentication (MAC filtering) ISE returns the authorization profile WLC_CWA, as it hits the authentication rule MAB and the authorization rule Guest Redirection.
2. At this point, the client gets an IP address. Now the client is in CENTRAL_WEB_AUTH state. When any
address is opened on the client, the browser is redirected to the ISE. Ensure that the DNS is set up
correctly.
3. Once the correct credentials are entered, network access is granted. This is the second authentication.
When the credentials are entered, ISE authenticates the client and sends the CoA.
On the WLC this can be seen in AAA all debugs.
*radiusCoASupportTransportThread: audit session ID recieved in CoA = 0a6a207a0000
*radiusCoASupportTransportThread: Received a 'CoA-Request' from 10.106.32.25 port
*radiusCoASupportTransportThread: CoA - Received IP Address : 10.106.32.122, Vlan
*radiusCoASupportTransportThread: d0:37:45:89:ef:64 Calling-Station-Id ---> d0:37
*radiusCoASupportTransportThread: Handling a valid 'CoA-Request' regarding statio
*radiusCoASupportTransportThread: Sending Radius CoA Response packet on srcPort:
*radiusCoASupportTransportThread: Sent a 'CoA-Ack' to 10.106.32.25 (port:23974)
After this the client is reauthenticated and granted access to the network.
4. On the controller, the Policy Manager state and RADIUS NAC state changes from
CENTRAL_WEB_AUTH to RUN.
Note: In Release 7.2 or earlier, the state CENTRAL_WEB_AUTH was called POSTURE_REQD.
Note that the type of CoA sent by ISE evolved across versions. ISE 3.0 requests the WLC to re-authenticate the client with the last method used (MAB in this case). The WLC re-authenticates the user by sending a new RADIUS Access-Request with Service-Type set to Authorize-Only.
Example of ISE 3.0 CoA request:
The WLC then does not send a disassociation frame to the client; it runs a RADIUS authentication again and applies the new result transparently to the client. Since Release 8.3, the WLC supports setting a WPA pre-shared key on a CWA SSID. The user experience remains the same as in classic non-PSK scenarios: the WLC does not send a disassociation frame to the client and simply applies the new authorization result. However, an association response is still sent to the client although no association request was ever received from it, which can look odd when analyzing sniffer traces.
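The CoA that moves the client from CENTRAL_WEBAUTH_REQD to RUN arrives unsolicited on UDP 1700, so the controller's only protection against a spoofed CoA is the RFC 5176 Request Authenticator computed with the RADIUS shared secret. The following added example (not code from the Cisco document) builds a CoA-Request with the Cisco AV-pairs ISE uses to ask for a re-authentication with the last method, verifies it the way a NAS must, and answers with a CoA-ACK. The shared secret, session ID and client MAC are constructed values.

```python
"""Minimal RFC 5176 CoA-Request builder, verifier and responder (added
example). Shows why a packet from a host that does not hold the shared
secret must be dropped instead of moving the client to RUN."""
import hashlib
import hmac
import struct
from typing import List, Tuple, Union

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, VENDOR_SPECIFIC = 31, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def avp(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco AV-pair (vendor type 1)."""
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS does before acting: check framing, then recompute the
    Request Authenticator with its own copy of the shared secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(request: bytes, secret: bytes, ack: bool = True,
                       attrs: bytes = b"") -> bytes:
    code = COA_ACK if ack else COA_NAK
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(data: bytes) -> List[Tuple[Union[int, str], Union[bytes, str]]]:
    """Walk the TLVs; Cisco VSAs are expanded to ('cisco-avpair', text)."""
    out: List[Tuple[Union[int, str], Union[bytes, str]]] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            vendor_len = value[5]                      # counts vendor type + length bytes
            out.append(("cisco-avpair", value[6:4 + vendor_len].decode()))
        else:
            out.append((attr_type, value))
        i += length
    return out


SECRET = b"constructed-shared-secret"                  # constructed, not a real secret
CLIENT_MAC = b"d0:37:45:89:ef:64"
ISE_REAUTH_ATTRS = (
    avp(CALLING_STATION_ID, CLIENT_MAC)
    + cisco_avpair("audit-session-id=0a6a207a000000a1")  # constructed session ID
    + cisco_avpair("subscriber:command=reauthenticate")
    + cisco_avpair("subscriber:reauthenticate-type=last")
)


def demo() -> Tuple[bool, bool, bool]:
    """Genuine CoA verifies; the same bytes under another secret do not; a
    forged CoA built with a guessed secret is rejected by the NAS."""
    genuine = build_coa_request(0x2A, SECRET, ISE_REAUTH_ATTRS)
    forged = build_coa_request(0x2B, b"guessed-secret", ISE_REAUTH_ATTRS)
    return (verify_coa_request(genuine, SECRET),
            verify_coa_request(genuine, b"wrong-secret"),
            verify_coa_request(forged, SECRET))


if __name__ == "__main__":
    print(demo())
```

The WLC setting "Support for CoA" on the RADIUS server entry is what enables this listener; the controller only accepts CoA from the configured server addresses, and the authenticator check above is what stops anyone else on the management network from issuing the reauthenticate command that grants access.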
Troubleshoot
Complete these steps in order to troubleshoot or isolate a CWA problem:
1. Enter the debug client <mac address of client> command on the controller and check whether the client reaches the CENTRAL_WEBAUTH_REQD state. A common problem is that ISE returns a redirect ACL that does not exist (or is misspelled) on the WLC. In that case the client is deauthenticated as soon as the CENTRAL_WEBAUTH_REQD state is reached, and the process begins again.
2. If the correct client state can be reached, then navigate to monitor > clients on the WLC web GUI and
verify that the correct redirect ACL and URL are applied for the client.
3. Verify that the correct DNS is used. The client should have the ability to resolve internet websites and
the ISE hostname. You can verify this via nslookup.
4. Verify that all authentication steps occur on the ISE:
The MAC authentication should occur first, to which CWA attributes are returned.
The portal login authentication occurs.
The dynamic authorization occurs.
The final authentication is a MAC authentication that shows the portal username on the ISE, to which the
final authorization results are returned (such as the final VLAN and ACL).
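Steps 1 to 4 above can be checked mechanically against the controller's debug output. The following added example (not code from the Cisco document) extracts the CWA milestones from debug client / debug aaa all lines and flags the failure named in step 1, a redirect ACL name that is not configured on the WLC, plus a CoA arriving from an address that is not a configured RADIUS server. The log excerpt is constructed after the truncated lines shown in the Verify section and the ACL and server inventories are sample values.

```python
"""Check a WLC CWA debug excerpt for the expected milestones (added example).
Sample log, ACL inventory and RADIUS server list are constructed."""
import re
from typing import Dict, Iterable, List, Set

RE_ACL = re.compile(r"Url-Redirect-Acl\.+(\S+)")
RE_URL = re.compile(r"Url-Redirect\.+DATA")
RE_STATE = re.compile(r"Change state to (\w+)")
RE_COA_REQ = re.compile(r"Received a 'CoA-Request' from (\d+\.\d+\.\d+\.\d+)")
RE_COA_ACK = re.compile(r"Sent a 'CoA-Ack' to")

# Constructed excerpt modelled on the Verify section; not a real capture.
SAMPLE_DEBUG = """\
*radiusTransportThread: d0:37:45:89:ef:64 Access-Accept received from RADIUS server 10.106.32.25
*radiusTransportThread: Packet contains 4 AVPs:
*radiusTransportThread: AVP[03] Cisco / Url-Redirect-Acl.................CWA_Redirect (12 bytes)
*radiusTransportThread: AVP[04] Cisco / Url-Redirect.....................DATA (176 bytes)
*apfReceiveTask: d0:37:45:89:ef:64 Redirect URL received for client from RADIUS.
*apfReceiveTask: d0:37:45:89:ef:64 Change state to CENTRAL_WEBAUTH_REQD
*radiusCoASupportTransportThread: Received a 'CoA-Request' from 10.106.32.25 port 23974
*radiusCoASupportTransportThread: Sent a 'CoA-Ack' to 10.106.32.25 (port:23974)
*apfReceiveTask: d0:37:45:89:ef:64 Change state to RUN
"""
WLC_ACLS: Set[str] = {"CWA_Redirect", "GUEST_ACL"}      # sample ACL inventory
RADIUS_SERVERS: Set[str] = {"10.106.32.25"}             # sample server list


def check_cwa_debug(lines: Iterable[str], configured_acls: Set[str],
                    radius_servers: Set[str]) -> Dict[str, object]:
    acl = None
    url_received = False
    states: List[str] = []
    coa_from: List[str] = []
    coa_acked = False
    for line in lines:
        m = RE_ACL.search(line)
        if m:
            acl = m.group(1)
        if RE_URL.search(line):
            url_received = True
        m = RE_STATE.search(line)
        if m:
            states.append(m.group(1))
        m = RE_COA_REQ.search(line)
        if m:
            coa_from.append(m.group(1))
        if RE_COA_ACK.search(line):
            coa_acked = True

    problems: List[str] = []
    if acl is None:
        problems.append("no Url-Redirect-Acl in Access-Accept: check the ISE authorization profile")
    elif acl not in configured_acls:
        problems.append(f"ISE returned ACL '{acl}' which is not configured on the WLC: "
                        "client is deauthenticated and the process loops")
    if not url_received:
        problems.append("no Url-Redirect in Access-Accept")
    if "CENTRAL_WEBAUTH_REQD" not in states:
        problems.append("client never reached CENTRAL_WEBAUTH_REQD")
    for src in coa_from:
        if src not in radius_servers:
            problems.append(f"CoA-Request from {src}, which is not a configured RADIUS server")
    if coa_from and not coa_acked:
        problems.append("CoA-Request seen but no CoA-Ack sent")
    if states and states[-1] != "RUN":
        problems.append(f"final state is {states[-1]}, not RUN")
    return {"acl": acl, "url_received": url_received, "states": states,
            "coa_from": coa_from, "coa_acked": coa_acked, "problems": problems}


def analyze(text: str) -> Dict[str, object]:
    return check_cwa_debug(text.splitlines(), WLC_ACLS, RADIUS_SERVERS)


if __name__ == "__main__":
    print(analyze(SAMPLE_DEBUG)["problems"])
    print(analyze(SAMPLE_DEBUG.replace("CWA_Redirect", "CWA-Redirect"))["problems"])
```

Run it on the output of debug client followed by debug aaa all enable; an empty problems list means the four milestones of step 4 were all observed on the controller side.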
Special Considerations for Anchoring Scenarios
Consider these Cisco bug IDs that affect the CWA process in a mobility scenario (especially when accounting is configured):
CSCuo56780 - ISE RADIUS Service Denial of Service Vulnerability
CSCul83594 - Session-id is not synchronized across mobility, if the network is open
© 2022 Cisco and/or its affiliates. All rights reserved.