Cisco 5508 Wireless Controller Technical Reference

Wireless BYOD with Identity Services Engine
 
Conventions
Refer to for more information on document conventions.
Wireless LAN Controller RADIUS NAC and CoA Overview
RADIUS NAC: This setting enables the WLC to look for the URL redirection AV-Pairs coming from the ISE RADIUS 
server. It applies only to a WLAN that is tied to an interface with the RADIUS NAC setting enabled. When 
the Cisco AV-Pair for URL Redirection is received, the client is put into the POSTURE_REQD state, 
which is essentially the same as the WEBAUTH_REQD state internally in the controller.
When the ISE RADIUS server deems the client Posture_Compliant, it issues a CoA ReAuth. The 
Session_ID is used to tie the two together. In this new AuthC (re-Auth) the server does not send the URL-Redirect 
AV-Pairs. Because there are no URL-Redirect AV-Pairs, the WLC knows the client no longer requires 
posture.
If the RADIUS NAC setting is not enabled, the WLC ignores the URL Redirect VSA.
CoA-ReAuth: This is enabled with the RFC 3576 setting. ReAuth capability was added to the existing 
CoA commands that were already supported.
The RADIUS NAC setting is mutually exclusive of this capability, although it is required for the CoA 
to work.
Pre-Posture ACL: When a client is in the POSTURE_REQD state, the default behavior of the WLC is to block 
all traffic except DHCP/DNS. The Pre-Posture ACL (the ACL named in the url-redirect-acl AV-Pair) 
is applied to the client, and the client can reach only what that ACL permits.
Pre-Auth ACL vs. VLAN Override: A Quarantine or AuthC VLAN that differs from the 
Access-VLAN is not supported in 7.0MR1. If you set a VLAN from the Policy Server, it is the 
VLAN for the entire session. No VLAN changes are needed after the first AuthZ.
Note
Starting with WLC software release 7.6.x, a feature supporting DNS-based ACLs allows specific URLs 
to be configured alongside the existing Pre-Posture ACL. This allows a device, at the time of registration, to access 
certain URLs, such as the Google Play store.
Wireless LAN Controller RADIUS NAC and CoA Feature Flow
The figure below details the message exchange when the client authenticates to the 
backend server and undergoes NAC posture validation.
1. The client authenticates using dot1x authentication.
2. The RADIUS Access-Accept carries the redirect URL for port 80 and the pre-auth ACL, which 
includes permitted IP addresses, ports, and URLs, or quarantine.
3. The client is redirected to the URL provided in the Access-Accept and put into a new state until posture 
validation is done. In this state the client talks to the ISE server and validates itself against the 
policies configured on the ISE NAC server.
4. The NAC agent on the client initiates posture validation (traffic to port 80): the agent sends an HTTP discovery 
request to port 80, which the controller redirects to the URL provided in the Access-Accept. ISE knows what the 
client is trying to reach and responds directly to the client. This way the client learns the ISE server 
IP, and from then on the client talks directly with the ISE server.
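The following Python model walks through both the overview above (RADIUS NAC gating, POSTURE_REQD, the pre-posture ACL, CoA-ReAuth tied by Session_ID) and flow steps 1 through 4. It is an added illustration written for this page, not WLC or ISE code. The AV-pair names url-redirect and url-redirect-acl come from the page; the ACL contents, Session_ID, ISE URL, VLAN number and the Tunnel-Private-Group-ID usage are constructed sample values, and the ACL is modelled simply as a set of permitted (protocol, port) pairs.

```python
"""Model of WLC client-state handling under RADIUS NAC with CoA-ReAuth.

Added example for this page; not controller code. AV-pair keys
(url-redirect, url-redirect-acl) follow the page; every other value
below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Client states named on the page; POSTURE_REQD behaves like WEBAUTH_REQD.
RUN = "RUN"
POSTURE_REQD = "POSTURE_REQD"

# Default pre-posture policy: block everything except DHCP and DNS.
DEFAULT_ALLOWED_PORTS = {("udp", 67), ("udp", 68), ("udp", 53), ("tcp", 53)}


def parse_av_pairs(attrs):
    """Collect Cisco AV-pairs ('key=value') from a list of (attribute, value) tuples."""
    out = {}
    for name, value in attrs:
        if name == "cisco-av-pair" and "=" in value:
            key, val = value.split("=", 1)
            out[key.strip()] = val.strip()
    return out


@dataclass
class Client:
    session_id: str
    state: str = RUN
    redirect_url: Optional[str] = None
    acl_name: Optional[str] = None
    vlan: Optional[int] = None


@dataclass
class WLC:
    radius_nac_enabled: bool      # per-WLAN RADIUS NAC setting
    rfc3576_enabled: bool         # CoA support; ReAuth rides on it
    acls: dict = field(default_factory=dict)     # acl name -> {(proto, port)} permits (constructed model)
    clients: dict = field(default_factory=dict)  # Session_ID -> Client

    def access_accept(self, session_id, attrs):
        """Apply an Access-Accept, either the first AuthZ or the one that follows a CoA-ReAuth."""
        client = self.clients.setdefault(session_id, Client(session_id))
        # A VLAN from the policy server sticks for the whole session (no change after first AuthZ).
        for name, value in attrs:
            if name == "Tunnel-Private-Group-ID" and client.vlan is None:
                client.vlan = int(value)
        av = parse_av_pairs(attrs)
        if self.radius_nac_enabled and "url-redirect" in av:
            client.state = POSTURE_REQD
            client.redirect_url = av["url-redirect"]
            client.acl_name = av.get("url-redirect-acl")
        else:
            # RADIUS NAC off: the VSA is ignored. No url-redirect: posture no longer required.
            client.state, client.redirect_url, client.acl_name = RUN, None, None
        return client.state

    def coa_reauth(self, session_id, new_attrs):
        """CoA-ReAuth keyed by Session_ID; refused when RFC 3576 is disabled or the session is unknown."""
        if not self.rfc3576_enabled or session_id not in self.clients:
            return "CoA-NAK"
        self.access_accept(session_id, new_attrs)
        return "CoA-ACK"

    def is_permitted(self, session_id, proto, dport):
        """Data-plane check: RUN passes all; POSTURE_REQD passes DHCP/DNS plus the pre-posture ACL."""
        client = self.clients[session_id]
        if client.state == RUN or (proto, dport) in DEFAULT_ALLOWED_PORTS:
            return True
        return (proto, dport) in self.acls.get(client.acl_name, set())

    def http_request(self, session_id, dport):
        """Port 80 from a POSTURE_REQD client is answered with a redirect to the ISE URL (flow step 4)."""
        client = self.clients[session_id]
        if client.state == POSTURE_REQD and dport == 80:
            return ("302", client.redirect_url)
        return ("forward", None)


def demo_flow():
    """Constructed walk-through: dot1x AuthZ -> POSTURE_REQD -> redirect -> CoA-ReAuth -> RUN."""
    wlc = WLC(radius_nac_enabled=True, rfc3576_enabled=True,
              acls={"ACL-POSTURE-REDIRECT": {("tcp", 8443)}})   # constructed ACL: permit ISE portal port
    sid = "0a0a0a0a00000001deadbeef"                            # constructed Session_ID
    portal = "https://ise.example.test:8443/guestportal/gateway?sessionId=" + sid + "&action=cpp"
    accept = [("Tunnel-Private-Group-ID", "20"),
              ("cisco-av-pair", "url-redirect-acl=ACL-POSTURE-REDIRECT"),
              ("cisco-av-pair", "url-redirect=" + portal)]
    trace = [wlc.access_accept(sid, accept)]            # step 2: POSTURE_REQD
    trace.append(wlc.http_request(sid, 80)[0])          # step 4: agent's port-80 discovery is redirected
    trace.append(wlc.is_permitted(sid, "tcp", 8443))    # reachable: permitted by the pre-posture ACL
    trace.append(wlc.is_permitted(sid, "tcp", 443))     # blocked: not DHCP/DNS, not in the ACL
    trace.append(wlc.coa_reauth(sid, [("Tunnel-Private-Group-ID", "20")]))  # compliant: no url-redirect
    trace.append(wlc.clients[sid].state)                # RUN
    trace.append(wlc.is_permitted(sid, "tcp", 443))     # now passes
    return trace


def demo_nac_disabled():
    """With RADIUS NAC off on the WLAN, the URL-Redirect VSA is ignored and the client goes straight to RUN."""
    wlc = WLC(radius_nac_enabled=False, rfc3576_enabled=True)
    return wlc.access_accept("sid-2", [("cisco-av-pair", "url-redirect=https://ise.example.test/x")])


if __name__ == "__main__":
    print(demo_flow(), demo_nac_disabled())
```

The two demo functions reproduce the page's claims directly: the redirect and ACL take effect only when both the WLAN's RADIUS NAC setting and a url-redirect AV-pair are present, the ACL widens the default DHCP/DNS-only policy, and the Access-Accept that follows the CoA-ReAuth releases the client from POSTURE_REQD simply by carrying no url-redirect.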