
Alexey Savkin

Central Web Authentication (web-auth) on AC RG-WS6512 (11.9(6)W3B4) with Cisco ISE as RADIUS/CaptivePortal
348 8 2024-4-3 19:41:19
Edited by Alexey Savkin at 2024-4-3 19:43

Dear colleagues,
I need to configure Guest Web Authentication (aka Central Web Authentication, CWA) on AC RG-WS6512 (11.9(6)W3B4) with Cisco ISE.
We have planned to replace Cisco Wireless with Ruijie Wireless across the company, but we need to test all our scenarios first. We have two RG-WS6512 ACs and four 880/840 Access Points.
The original (Cisco) CallFlow assumes that the wireless controller (NAC) must support the following features:
  • Redirection ACL RADIUS override (cisco-av-pair = url-redirect-acl=REDIRECT). This is a locally configured ACL (on the NAC side) that needs to be applied to redirect to the CaptivePortal and limit all other connectivity
  • Redirection URL (cisco-av-pair = url-redirect=). Key arguments included in the URL:
    • sessionId=SessionIdValue (this is the RADIUS Session ID)
    • action=cwa (instructs the CaptivePortal to send a CoA - Change-of-Authorization - to the NAC in case of successful login)
    • portal= (identifies the ISE portal mapped to the particular result)
  • CoA (Change-of-Authorization)

CWA assumes that the NAC first performs a dot1x-MAB access-request, gets an "access-accept" with the first two av-pairs listed above, redirects the STA to the CaptivePortal, gets a CoA after successful login, and then sends a new access-request.
So, the questions are:
  • does the Ruijie AC support dynamic redirection (ACL redirect and URL redirect over RADIUS), or do we need to use static redirection
  • does the AC support CoA
  • what is the target/supported CallFlow for web-auth between the AC and Cisco ISE
  • finally, it would be great to get a complete guide on how to configure AC+Cisco ISE for the Web-AUTH scenario
Note two points:
  • the procedure described in Configuration Guide chapter 1.4.56 "Configuring ISE Authentication" does not work for me
  • the Cisco CWA CallFlow is attached
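
The CWA exchange described in the post, modelled as an added example (not code from the thread or from Ruijie/Cisco): the ISE side issues the Access-Accept with the two av-pairs and later the CoA, and the AC side checks the redirect order before applying it and answers the CoA with a new Access-Request. The portal URL, session id, MAC and the CoA av-pair text are constructed assumptions; only the attribute names come from the post.

```python
from urllib.parse import urlparse, parse_qs

REDIRECT_ACL = "REDIRECT"  # ACL name from the post; must already exist on the AC

def ise_mab_access_accept(session_id, portal="guest-portal"):
    """ISE side: Access-Accept for the MAB request, carrying the two av-pairs
    from the post. The URL host/path and portal name are constructed values."""
    url = (f"https://ise.example.com/portal/gateway?sessionId={session_id}"
           f"&action=cwa&portal={portal}")
    return {"code": "Access-Accept",
            "cisco-av-pair": [f"url-redirect-acl={REDIRECT_ACL}", f"url-redirect={url}"]}

def ac_apply_accept(accept, known_acls=frozenset({REDIRECT_ACL})):
    """AC (NAC) side: read the av-pairs and decide between full access and
    portal redirection. Rejects an ACL it does not have locally and a redirect
    URL that is not HTTPS or lacks sessionId / action=cwa / portal."""
    av = dict(p.split("=", 1) for p in accept.get("cisco-av-pair", []))
    acl, url = av.get("url-redirect-acl"), av.get("url-redirect")
    if acl is None and url is None:
        return ("allow", None, None)          # no redirect ordered: full access
    if acl not in known_acls:
        raise ValueError(f"redirect ACL {acl!r} is not configured locally")
    u = urlparse(url or "")
    q = parse_qs(u.query)
    if u.scheme != "https" or "sessionId" not in q or q.get("action") != ["cwa"] or "portal" not in q:
        raise ValueError("url-redirect is not a usable CWA portal URL")
    return ("redirect", acl, url)             # apply ACL, send STA to the portal

def ise_coa_after_login(session_id):
    """ISE side, after a successful portal login: CoA-Request asking the AC to
    re-authenticate the session (av-pair text is an assumption, not from the post)."""
    return {"code": "CoA-Request", "Acct-Session-Id": session_id,
            "cisco-av-pair": ["subscriber:command=reauthenticate"]}

def ac_handle_coa(coa, sessions):
    """AC side: for a CoA on a session it knows, build the new Access-Request;
    return None (the AC would answer CoA-NAK) for an unknown session."""
    sid = coa.get("Acct-Session-Id")
    if coa.get("code") != "CoA-Request" or sid not in sessions:
        return None
    return {"code": "Access-Request", "Acct-Session-Id": sid,
            "Calling-Station-Id": sessions[sid]}

def run_cwa_flow(session_id="0A0A0A0A00000001", mac="aa:bb:cc:dd:ee:ff"):
    """Whole exchange: MAB accept -> redirect, CoA -> new request -> plain accept."""
    sessions = {session_id: mac}                     # constructed sample session
    first = ac_apply_accept(ise_mab_access_accept(session_id))
    second_req = ac_handle_coa(ise_coa_after_login(session_id), sessions)
    assert second_req is not None                    # ISE's reply to it is a plain Accept
    final = ac_apply_accept({"code": "Access-Accept", "cisco-av-pair": []})
    return first[0], final[0]
```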

Product model: RG-WS6816 (Wireless)

GTAC-Vivian replied at 2024-4-3 20:56:12
Hi Alexey Savkin,
1. Do you want different users to access ISE and get different URLs?
2. AC supports authorization
3. Please see the attachment. This is the Callflow of eportal
[image: image.png]

4. Does ISE use the RADIUS protocol? Or some other one?

Alexey Savkin replied at 2024-4-3 21:16:45
Quoting GTAC-Vivian at 2024-4-3 20:56:
    Hi Alexey Savkin,
    1. Do you want different users to access ISE and get different urls?
    2. AC support ...

Hi Vivian.
1. Do you want different users to access ISE and get different URLs?

In the case of the Cisco CallFlow, ISE generates a dynamic URL and sends it to the NAC via the Redirection URL (cisco-av-pair = url-redirect=__custom_URL_begins_with_https__) in the ACCESS-ACCEPT.

If the NAC does not support the Redirect-URL av-pair in the ACCESS-ACCEPT, it supports a static URL that can be configured directly on the NAC.

2. AC supports authorization

What does that mean? My question was about CoA (Change-of-Authorization), as per the CallFlow attached to my initial message.

3. Please see the attachment. This is the Callflow of eportal

[image: image.png]

Unfortunately, your image was not attached and is not visible to me. Please attach it once again, maybe in a different way.

4. Does ISE use the RADIUS protocol? Or some other one?

Cisco ISE is a Cisco authorization server, and yes, it uses RADIUS. You can see it in the CallFlow attached to my initial message.

As of now, I was able to perform web-auth through cpweb (clear-pass), but in this case the username/password pair is visible as cleartext in the HTTP request from the STA, so it is absolutely not secure.

Alexey Savkin replied at 2024-4-5 14:47:21
Quoting Alexey Savkin at 2024-4-3 21:16:
    Hi Vivian.
    1. Do you want different users to access ISE and get different urls?

Any ideas / recommendations, please?


Reply at 2024-4-9 18:58:03
Quoting Alexey Savkin at 2024-4-5 14:47:
    Any ideas / recommendations, please?

Hi Alexey Savkin,
We are confirming with R&D. If it is supported, I will share the result and the guide here with you.

GTAC-Vivian replied at 2024-4-10 15:01:58
Quoting Alexey Savkin at 2024-4-5 14:47:
    Any ideas / recommendations, please?

Hi Alexey Savkin,
Please kindly refer to this guide to configure it:
Ruijie RG-WLAN Series Access Controllers Configuration Guide, RGOS11.9(6)W3B13 (V1.2) - Ruijie Networks



Alexey Savkin replied at 2024-4-10 21:07:17
Quoting GTAC-Vivian at 2024-4-10 15:01:
    Hi Alexey Savkin,
    Please kindly refer to this guide to configure it.
    Ruijie RG-WLAN Series Access  ...

Hi Vivian.
I already mentioned that I went through this procedure. It works, but this is the clear-pass procedure, which means that the username and password are visible in the radio channel without any encryption between the STA and the AC (because web-auth is usually used in a WLAN without any security). They can easily be grabbed by any person who can set up a sniffer on the particular WiFi channel (please look at the attached screenshot).

We need a design like Cisco CWA or your web-auth v2 portal, where the insecure authentication data exchange is fully excluded from the open WLAN.

GTAC-Vivian replied at 2024-4-10 22:56:49
Edited by GTAC-Vivian at 2024-4-12 09:07
Quoting Alexey Savkin at 2024-4-10 21:07:
    Hi Vivian.
    I already mentioned, that I went through this procedure, it works, but this is CLearPAS ...

Hi Alexey Savkin,

We are still confirming with R&D. If it is supported, I will share the result and the guide here with you.


Reply at 2024-4-12 14:50:55

Hi Alexey Savkin,

Please kindly refer to this command provided by R&D to configure it.

If the issue still exists afterwards, please help to collect the result and talk with me again. I would be glad to help you in the Community.
