Central Web Authentication with WLC, ISE, FlexConnect Local Switching

Captions
This video explains the flow of information during central web authentication of a WLAN client. Web authentication can be performed in multiple ways on Cisco WLC. In local web authentication, authentication occurs on Cisco WLC, either with a local database or an external database. In central web authentication, authentication occurs on Cisco ISE, which is a policy server, and Cisco WLC redirects all HTTP traffic to Cisco ISE. Cisco ISE is configured to use MAC Authentication Bypass, or MAB. This allows Cisco ISE to return an Access-Accept message to Cisco WLC even if the MAC address of a connecting device is unknown to Cisco ISE.

When a WLAN client is associating with a central web authentication SSID, Cisco WLC sends an Access-Request message to Cisco ISE requesting access for the device. Even if the MAC address of the client is unknown to Cisco ISE, as Cisco ISE is configured with MAB, Cisco ISE does not reject the client and instead sends an Access-Accept message back to Cisco WLC. The pre-authentication ACL and guest portal URL are pushed from Cisco ISE to Cisco WLC. The client is now connected to the network and the client state is central web auth. When the user tries to browse the Internet, Cisco WLC redirects the client to the guest portal URL on Cisco ISE. In the central web authentication window that is displayed, the user enters the username and password. Cisco ISE authenticates the user and sends the Change of Authorization, or CoA, message to Cisco WLC to indicate that the user is valid. Cisco WLC deauthenticates the client and the client rejoins the network. Cisco WLC sends an Access-Request to Cisco ISE. Cisco ISE sends back an Access-Accept message. Cisco ISE changes the matching policies and the client state changes to run. The user is prompted to access the network.

This video explains how to configure central web authentication using a Cisco wireless controller, or Cisco WLC, and a Cisco Identity Services Engine, or Cisco ISE. To configure central web authentication, the following components are required: a Cisco wireless controller, a lightweight access point, a wireless adapter, a switch to connect Cisco WLC to the LWAP, and a reachable Cisco ISE server. To configure central web authentication, ensure that these prerequisites are met: a Cisco WLC configured for basic operation; reachable DHCP and DNS servers with Internet access available; lightweight access points registered with Cisco WLC; in ends of UAB interfaces configured in trunk mode; a WLAN client with an HTML browser with JavaScript enabled; a Cisco ISE server configured with groups and identities.

Here is an overview of tasks for central web authentication. For ease of use and understanding, each of these steps is described in individual videos that make up a series. First, Cisco WLC is configured: configure Cisco WLC with the Cisco ISE IP address, shared secret and other information; configure a FlexConnect redirect access control list to allow traffic to and from Cisco ISE; create a VLAN interface; create a WLAN instance, associate it with a VLAN interface, disable security policies, configure the Cisco ISE server details, and enable MAC filtering, RADIUS NAC and AAA override. Then Cisco ISE is configured: configure Cisco ISE with the Cisco WLC IP address, shared secret and other information; create an authentication rule to accept all MAC authentication requests from Cisco WLC and to continue authentication even if a user is not found; create an authorization profile for central web authentication and associate it to the redirect access control list configured on Cisco WLC; create an authorization policy for registered guest users and an authorization policy for MAC Authentication Bypass; configure an access point for FlexConnect. Finally, a WLAN is connected and monitored on Cisco WLC: configure a WLAN client for web authentication, connect WLAN clients to the network and monitor them on Cisco WLC. We can now move on to the actual configuration of central web authentication.

This video shows you how to configure Cisco WLC with the Cisco ISE IP address and other related information. In the Cisco WLC web UI top menu, click the Security tab. In the left navigation pane, click RADIUS and then Authentication to display a list of configured RADIUS servers. In the RADIUS Authentication Servers window that is displayed, click New in the top right corner. In the RADIUS Authentication Servers > New window that is displayed, enter the IP address of Cisco ISE. In the Shared Secret field, enter the secret key. Ensure that the same value is configured later in Cisco ISE. For more information, refer to the video "Configuring Cisco ISE with Cisco WLC". Retain the default value of the port number. Choose Enabled from the Server Status drop-down list. From the Support for RFC 3576 drop-down list, choose Enabled. Check the Enable checkbox for the Network User field. Retain the default values for all the other parameters. Click Apply. This completes the configuration of Cisco WLC with Cisco ISE details.

This video shows you how to create a redirect access control list on Cisco WLC to permit traffic to and from Cisco ISE. In the Cisco WLC web UI top menu, click the Security tab. In the left navigation pane, click Access Control Lists and then FlexConnect ACLs. In the window that is displayed, click New in the top right corner. In the Access Control List > New window, enter a name in the Access Control List Name field. Click Apply. In the Access Control Lists window that is displayed, click the name of the newly created access control list.

Now define the access control list rules to permit packets to and from Cisco ISE. In the Access Control Lists > Edit window that is displayed, click Add New Rule in the top right corner. Enter 1 in the Sequence Number field. From the Action drop-down list, choose Permit. From the Destination drop-down list, choose IP Address. In the IP Address field that appears, enter the Cisco ISE IP address. In the Netmask field, enter 255.255.255.255. You can retain the default values for all the other fields. Click Apply. In the Access Control List > Edit window that is displayed, click Add New Rule in the top right corner. Enter 2 in the Sequence Number field. From the Action drop-down list, choose Permit. From the Source drop-down list, choose IP Address. In the IP Address field that appears, enter the Cisco ISE IP address. In the Netmask field, enter 255.255.255.255. Retain the default values for all the other fields. Click Apply.

Define the access control list rules to deny all the other packets to and from the Cisco WLC. In the Access Control List > Edit window that is displayed, click Add New Rule in the top right corner. Enter 3 in the Sequence Number field. From the Action drop-down list, choose Deny. Retain the default values for all the other fields. Click Apply. Click Back. This completes the creation of the redirect FlexConnect access control list.

This video shows you how to add a WLAN instance, configure it with a VLAN interface, disable security policies, configure the Cisco ISE server details, and enable MAC filtering, RADIUS NAC and AAA override. In the Cisco WLC web UI top menu, click the WLANs tab. In the WLANs window that is displayed, choose Create New from the drop-down list in the top right corner. Click Go. In the WLANs > New window that is displayed, choose WLAN from the Type drop-down list. In the Profile Name field, enter a name for the WLAN. Enter a WLAN SSID in the SSID field. Click Apply. In the WLANs > Edit window that is displayed, enable the WLAN by checking the Status check box. From the Interface/Interface Group drop-down list, choose the VLAN interface that you created earlier. For more information, refer to the video titled "Creating a VLAN Interface". You can retain the default values for all the other fields.

Now click the Security tab, then click the Layer 2 tab. Check the MAC Filtering checkbox. Choose None from the Security drop-down list. Click the Layer 3 tab. Choose None from the Layer 3 Security drop-down list. Now click the AAA Servers tab. Under RADIUS Servers, choose the configured RADIUS server from the Authentication Servers drop-down list. Retain the default values for all the other fields. Click the Advanced tab. Check the Allow AAA Override check box. Choose Radius NAC from the NAC State drop-down list. In the FlexConnect section, check the FlexConnect Local Switching checkbox. Click Apply. Now click Back. In the WLANs window that is displayed, under Security Policies, ensure that MAC filtering is enabled for the WLAN. This completes the configuration of the WLAN instance on Cisco WLC.

This video shows you how to configure Cisco ISE with the Cisco WLC IP address, shared secret and other information. In the Cisco ISE web UI top menu, hover over the Administration tab and click Network Devices under Network Resources. In the Network Devices window that is displayed, click Add. In the Name field, enter a name to identify your Cisco WLC device. Enter an IP address and then the prefix length. Enter the shared secret. Ensure that the same value is configured on Cisco WLC. For more information, refer to the video titled "Configuring Cisco WLC with Cisco ISE". Scroll down and click Submit. This completes the configuration of Cisco ISE with Cisco WLC.

This video shows you how to create an authentication rule on Cisco ISE to accept all the MAC authentications from Cisco WLC and to continue authentication even if users are not found. In the Cisco ISE web UI top menu, hold your mouse over Policy and, from the drop-down list that is displayed, choose Authentication. Ensure that the Rule-Based radio button is checked. In the Authentication Policy window that is displayed, click the Edit button on the right to modify the default MAB rule, or click the Edit drop-down list to add a new row. This video shows you how to add a new row. In the Standard Rule field, enter the name of the authentication rule. In the If field, click the plus sign. Click the Select Existing Condition from Library button that is displayed. If this button is not displayed, proceed to the next step. Click the Select Condition drop-down arrow. In the Authentication Conditions dialog box that is displayed, click Compound Condition. Now click Wired_MAB. In the Compound Condition dialog box that is displayed, click the drop-down arrow at the end of the row. From the drop-down list that is displayed, choose Add Condition from Library to add a second condition. From the new row that is added, click the Select Condition drop-down arrow. Repeat these steps to add Wireless_MAB. From the AND/OR drop-down list, choose OR. Click the minus sign to close the window. Click the plus sign in the Use field. Click the Identity Source drop-down arrow that is displayed and choose Internal Endpoints from the Identity Source List dialog box. From the If user found drop-down list, choose Continue. Click the minus sign to close the window. From the Allow Protocols drop-down list, choose Allowed Protocols and then Default Network Access. Click Done. Now scroll down and click Save. This completes the configuration of the required authentication rule.

This video shows you how to create an authorization profile on Cisco ISE, configure it for central web authentication and associate it to the redirect ACL configured on Cisco WLC. In the Cisco ISE web UI top menu, hover over Policy and, from the drop-down list that is displayed, choose Results from the Policy Elements section. In the left navigation pane that is displayed, expand Authorization and click Authorization Profiles. In the Standard Authorization Profiles window that is displayed, click Add. In the Name field, enter the name of the authorization profile. From the Access Type drop-down list, choose ACCESS_ACCEPT. Check the Web Redirection check box and choose Centralized Web Auth from the drop-down list that is displayed. In the ACL field, enter the name of the redirect ACL configured earlier. For more information, refer to the video titled "Configuring a Redirect ACL". Choose Default from the Redirect drop-down list. Scroll down and expand the Attribute Details section. You can observe here the redirect URL that is sent to the WLAN client. Click Submit. Wait for the successful notification message in the bottom right corner. This completes the creation and configuration of an authorization profile on Cisco ISE.

This video shows you how to create an authorization policy on Cisco ISE for guest users and an authorization policy for unknown MAC addresses, or MAC Authentication Bypass, or MAB. The first policy provides permit access to guest users. The second policy is for MAC Authentication Bypass, or MAB, for unknown MAC addresses. Ensure that the policy for MAB is below the policy for guest users. Note that the authorization policies in the video are only examples. In the Cisco ISE web UI top menu, hover your mouse over Policy and, from the drop-down list that is displayed, choose Authorization. In the Authorization Policy window, click the corresponding Edit button to modify an existing policy, or click the Edit drop-down list and add a new row to create a new policy. In this video, a new row is added.

Let us first create an authorization policy for guest users. In the Rule Name field, enter the name of the authorization policy. In the If conditions field, click the plus sign. Now click the Any drop-down arrow. In the Identity Groups dialog box that is displayed, click User Identity Groups. Select the identity group of choice. In the Then conditions field, click the plus sign. Click the Select an item drop-down arrow that is displayed. In the Profiles dialog box, choose Standard. In the Standard dialog box that is displayed, choose the authorization profile of your choice for guest users. In this video, we choose PermitAccess. Click Done.

Let us now create an authorization policy for MAC Authentication Bypass. Click the Edit drop-down list on the right to add a second row below the newly added policy. In the Rule Name field of the row, enter a name for the authorization policy. Select the conditions identifying MAC Authentication Bypass. This video uses the Wired_MAB or Wireless_MAB condition. Click the conditions drop-down arrow. Click the Select Existing Condition from Library button. Now click the Condition Name drop-down arrow. In the Authorization Conditions dialog box, click Compound Conditions. Choose Wired_MAB. In the Compound Conditions dialog box, click the drop-down arrow at the end of the row. From the drop-down list that is displayed, choose Add Condition from Library to add a second condition. From the AND/OR drop-down list, choose OR. In the new row that is added, click the Select Condition drop-down arrow. Now add the Wireless_MAB condition. In the Then conditions field, click the plus sign. Click the Select an item drop-down arrow that is displayed. In the Profiles dialog box that is displayed, choose Standard. In the Standard dialog box that is displayed, choose the authorization profile configured earlier. For more information about this, refer to the video titled "Configuring an Authorization Profile". Click the minus sign in the Then field to close the window. Click Done. Now scroll down and click Save. This completes the configuration of the required authorization policy.

This video shows you how to configure an access point for FlexConnect. In the Cisco WLC web UI top menu, click the Wireless tab. In the AP Name column, click the access point of your choice. From the AP Mode drop-down list, choose FlexConnect and click Apply. Under the FlexConnect tab, select the VLAN Support check box and click Apply. This completes the configuration of an access point for FlexConnect.

This video shows you how to configure a FlexConnect group, add access points to it, associate it with a FlexConnect redirect access control list and map a WLAN to a VLAN. In the Cisco WLC web UI top menu, click the Wireless tab. In the left navigation pane, click FlexConnect Groups. Click New in the top right corner. In the FlexConnect Groups > New window that is displayed, enter a name for the FlexConnect group. In the FlexConnect Groups window that is displayed, click the FlexConnect group created. Click the General tab. Click the Add AP button. Check the Select APs from current controller check box. From the AP Name drop-down list, select APs to be added to the FlexConnect group and click Add. In the ACL Mapping tab, click Policies. From the Policy ACL drop-down list, select the redirect ACL configured earlier. For more information about the redirect ACL that was created, refer to the video titled "Configuring a FlexConnect Redirect Access Control List". Now click Add. Under the WLAN VLAN Mapping tab, enter the number of the WLAN ID. You can refer to the WLANs tab for this information. Enter the VLAN ID to which guest users should be mapped and click Add. The WLAN is now mapped to the VLAN ID. Click Apply. This completes the configuration of the FlexConnect group.

This video shows you how to connect a WLAN client to a network configured on Cisco WLC for central web authentication. This video also shows you how to monitor such WLAN clients on Cisco WLC. Log in to a client machine that is in proximity to an access point configured for Cisco WLC. Connect to the network configured using Cisco WLC for central web authentication. You can now monitor the connected WLAN client on Cisco WLC. In the Cisco WLC web UI top menu, click the Monitor tab. In the left navigation pane, click Clients. In the Clients window that is displayed, you can see the connected WLAN clients and details such as the IP address assigned to each client by DHCP. Click the client MAC address of your choice to monitor the details of a specific client. Observe the Policy Manager State field to identify the state of the client connection. You can also observe the dynamic authentication URL and the pre-authentication ACL that the client has received.

Now log in to the WLAN client again, open a browser window and access the Internet. You will be directed to the web authentication page. In the guest portal window that is displayed, a guest user can register by entering a new username and password. If user registration is successful, you will see this window displayed. You can now access the Internet using this browser window. Log in to the Cisco WLC and observe that the client state has changed to run. This completes the video series that explains the configuration of central web authentication with a Cisco wireless controller and a Cisco ISE.
Info
Channel: Cisco Community
Views: 55,317
Rating: 4.8609624 out of 5
Id: Zb6uTmzsSAE
Length: 30min 4sec (1804 seconds)
Published: Fri Mar 11 2016