Ruijie Community

Title: Central Web Authentication (web-auth) on AC RG-WS6512 (11.9(6)W3B4) with Cisco ISE as RADIUS/CaptivePortal

Author: alexey.savkin1@    Time: 2024-4-3 19:41
Edited by Alexey Savkin at 2024-4-3 19:43

Dear colleagues,
Need to configure Guest Web Authentication (aka Central Web Authentication, CWA) on AC RG-WS6512 (11.9(6)W3B4) with Cisco ISE.
We have planned to replace Cisco Wireless with Ruijie Wireless across the company, but we need to test all our scenarios prior to that. We have two RG-WS6512 ACs and four 880/840 Access Points.
The original (Cisco) CallFlow assumes that the wireless controller (NAC) must support the following features:

CWA assumes that first the NAC performs a dot1x/MAB access-request, gets an "access-accept" with the first two av-pairs listed above, redirects the STA to the CaptivePortal, after successful login gets a CoA, and then sends a new access-request.
So, the questions are:
Note two points:


Author: chenchunyan@rui    Time: 2024-4-3 20:56
Hi Alexey Savkin,
1. Do you want different users to access ISE and get different urls?
2. AC supports authorization
3. Please see the attachment. This is the Callflow of eportal

4. Does ISE use the radius protocol? Or some other one?

Author: alexey.savkin1@    Time: 2024-4-3 21:16
GTAC-Vivian replied at 2024-4-3 20:56
Hi Alexey Savkin,
1. Do you want different users to access ISE and get different urls?
2. AC support ...

Hi Vivian.
1. Do you want different users to access ISE and get different urls?

In case of the Cisco CallFlow, ISE generates a dynamic URL and sends it to the NAC via the Redirection URL (cisco-av-pair = url-redirect=__custom_URL_begins_with_https__) in ACCESS-ACCEPT

If the NAC does not support the Redirect-URL av-pair in ACCESS-ACCEPT, it supports a static URL that can be configured directly on the NAC


2. AC support authorization

What does it mean? My question was about CoA (Change of Authorization), as per the attached CallFlow in my initial message


3. Please see the attachment. This is the Callflow of eportal


Unfortunately, your image was not attached and is not visible to me. Please attach it once again, maybe in a different way


4. Does ISE use the radius protocol? Or some other one?

Cisco ISE is a Cisco Authorization server, and yes, it uses RADIUS. You can see it in the attached CallFlow in my initial message


As of now, I was able to perform web-auth through cpweb (clear-pass), but in this case the username/password pair is visible as cleartext in the HTTP request from the STA, so it is absolutely not secure.
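Added example (not code from this thread, Ruijie or Cisco) of the Access-Accept handling described in the first post and in the reply above: the NAC validates the RADIUS Response Authenticator with the shared secret, extracts the Cisco url-redirect av-pair from the Vendor-Specific attribute, and refuses a portal URL that does not begin with https. The shared secret, request authenticator, session id and portal hostname are constructed placeholders; url-redirect-acl is assumed here as the companion Cisco av-pair.

```python
import hashlib
import struct
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor-type of "cisco-avpair" inside the Cisco VSA

def cisco_avpair(text):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific (type 26) attribute."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body
def build_access_accept(ident, request_auth, secret, attrs):
    """ISE role: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret) (RFC 2865)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_access_accept(pkt, request_auth, secret):
    """NAC role: verify the reply really answers our request, then collect the cisco-avpairs."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs = pkt[20:]
    if hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest() != pkt[4:20]:
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    avpairs, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("truncated attribute")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            if value[4] == CISCO_AVPAIR and value[5] == len(value) - 4:
                key, _, val = value[6:].decode().partition("=")
                avpairs[key] = val
    return avpairs

def redirect_url(pkt, request_auth, secret):
    """Portal URL the NAC must redirect the STA to, or None for a plain accept; HTTPS only."""
    url = parse_access_accept(pkt, request_auth, secret).get("url-redirect")
    if url is not None and not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS portal redirect")
    return url
SECRET = b"constructed-shared-secret"  # constructed values, not from the thread
REQUEST_AUTH = bytes(range(16))         # stands in for the Access-Request's random Authenticator
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET,
    cisco_avpair("url-redirect=https://ise.example.test/portal/gateway?sessionId=SESSION_PLACEHOLDER")
    + cisco_avpair("url-redirect-acl=CWA_REDIRECT"))
```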

Author: alexey.savkin1@    Time: 2024-4-5 14:47
Alexey Savkin replied at 2024-4-3 21:16
Hi Vivian.
1. Do you want different users to access ISE and get different urls?

Any ideas / recommendations, please?



Author: 1457743047@qq.c    Time: 2024-4-9 18:58
Alexey Savkin replied at 2024-4-5 14:47
Any ideas / recommendations, please?

Hi Alexey Savkin,
We are confirming with R&D. If it supports, I will share the result and the guide here with you.

Author: chenchunyan@rui    Time: 2024-4-10 15:01
Alexey Savkin replied at 2024-4-5 14:47
Any ideas / recommendations, please?

Hi Alexey Savkin,
Please kindly refer to this guide to configure it.
Ruijie RG-WLAN Series Access Controllers Configuration Guide, RGOS11.9(6)W3B13 (V1.2) - Ruijie Networks




Author: alexey.savkin1@    Time: 2024-4-10 21:07
GTAC-Vivian replied at 2024-4-10 15:01
Hi Alexey Savkin,
Please kindly refer to this guide to configure it.
Ruijie RG-WLAN Series Access  ...

Hi Vivian.
I already mentioned that I went through this procedure; it works, but this is the ClearPass procedure, which means that the username and password are visible in the radio channel without any encryption between STA and AC (because web-auth is usually used in a WLAN without any security). They can be easily grabbed by any person who can set up a sniffer on the particular WiFi channel (please look at the attached screenshot)


We need a design like Cisco CWA or your web-auth v2 portal, where the insecure authentication data exchange is fully excluded from the Open WLAN.

Author: chenchunyan@rui    Time: 2024-4-10 22:56
Edited by GTAC-Vivian at 2024-4-12 09:07
Alexey Savkin replied at 2024-4-10 21:07
Hi Vivian.
I already mentioned, that I went through this procedure, it works, but this is CLearPAS ...

Hi Alexey Savkin,


We are still confirming with R&D. If it supports, I will share the result and the guide here with you.



Author: 1457743047@qq.c    Time: 2024-4-12 14:50
GTAC-Vivian replied at 2024-4-10 22:56
Hi Alexey Savkin,

Hi Alexey Savkin,

Please kindly refer to this command provided by R&D to configure it.




If the issue still exists afterwards, please help to collect the result and talk with me again. I would be glad to help you in the Community.


Author: alexey.savkin1@    Time: 2024-5-16 21:44
Chunyan Chen replied at 2024-4-12 14:50
Hi Alexey Savkin,

Please kindly refer to this command provided by R&D to configure it.

Dear Chan!
Unfortunately, it does not help. Right now I have another urgent activity, so give me some time for re-testing and analyzing it again, and I will get back to you with the results.

Thanks and regards,
Alexey

Author: chenchunyan@rui    Time: 2024-5-16 21:49
Alexey Savkin replied at 2024-5-16 21:44
Dear Chan!
Unfortunately, it does not help. Right now I have another urgent activity, so, give me  ...

Dear Alexey,

Thank you for your kind response.
As for the encryption issue, I need to double-check with the R&D team. It may take some time to double-check with our R&D team. I will reply with the result here and inform you by email. Please pay attention.





Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2