Cisco 2504 Wireless Controller Troubleshooting Guide

Pre-Auth ACL vs. VLAN Override: A Quarantine or AuthC VLAN that is different from the Access-VLAN is not supported in 7.0MR1. If you set a VLAN from the Policy Server, it will be the VLAN for the entire session. No VLAN changes are needed after first AuthZ.
Wireless LAN Controller RADIUS NAC and CoA Feature Flow
The figure below details the message exchange when the client authenticates to the backend server and undergoes NAC posture validation.
1. The client authenticates using dot1x authentication.
2. The RADIUS Access-Accept carries the redirect URL for port 80 and the pre-auth ACL that allows the required IP addresses and ports, or the quarantine VLAN.
3. The client is redirected to the URL provided in the Access-Accept and placed in a new state until posture validation is done. In this state the client talks to the ISE server and validates itself against the policies configured on the ISE NAC server.
4. The NAC agent on the client initiates posture validation (traffic to port 80): the agent sends an HTTP discovery request to port 80, which the controller redirects to the URL provided in the Access-Accept. The ISE sees the client trying to reach it and responds directly to the client. This way the client learns the ISE server IP address and from then on talks directly with the ISE server.
5. The WLC allows this traffic because the ACL is configured to allow it. In the case of VLAN override, the traffic is bridged so that it reaches the ISE server.
6. Once the ISE-client assessment completes, a RADIUS CoA-Req with the reauth service is sent to the WLC. This initiates re-authentication of the client (by sending EAP-START). Once re-authentication succeeds, the ISE sends an Access-Accept with a new ACL (if any) and no URL redirect, or with the access VLAN.
7. The WLC supports CoA-Req and Disconnect-Req as per RFC 3576. The WLC needs to support CoA-Req for the re-auth service, as per RFC 5176.
8. Instead of downloadable ACLs, pre-configured ACLs are used on the WLC. The ISE server just sends the ACL name, which is already configured on the controller.
9. This design should work for both the VLAN and ACL cases. In the case of VLAN override, only port 80 is redirected and the rest of the traffic is allowed (bridged) on the quarantine VLAN. For the ACL case, the pre-auth ACL received in the Access-Accept is applied.
This figure provides a visual representation of this feature flow:
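As an added example (not code from the Cisco guide), the following Python models the RFC 5176 CoA-Request handling described in steps 6 and 7: the policy server builds a CoA-Request carrying Calling-Station-Id and a Cisco-AVPair reauth command, and the WLC side verifies the Request Authenticator against the shared secret, silently discards forged or tampered requests, answers an unknown session with a CoA-NAK carrying Error-Cause, and ACKs a valid request by moving the session into re-authentication. The shared secret, MAC address and session table are constructed; the Cisco-AVPair value `subscriber:command=reauthenticate` is the value ISE uses for a reauthentication CoA in practice but is not stated on this page, so treat it as an assumption.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 5176) and the attribute types used below.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, VENDOR_SPECIFIC, ERROR_CAUSE = 31, 26, 101
CISCO_VENDOR_ID = 9  # Vendor-Specific: Cisco, vendor type 1 = Cisco-AVPair (assumed value)
ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 402, 503  # RFC 5176 Error-Cause values

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(1, text.encode()))

def build_coa_request(identifier, attrs, secret):
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def parse_attrs(data):
    attrs = []
    while len(data) >= 2 and data[1] >= 2:
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_response(request, code, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def handle_coa(packet, secret, sessions):
    """WLC-side model: returns the reply bytes, or None when the request must be silently discarded."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # RFC 5176: invalid Request Authenticator -> silently discard
    attrs = dict(parse_attrs(packet[20:]))
    mac = attrs.get(CALLING_STATION_ID)
    if mac is None:  # no session identification attribute present
        return build_response(packet, COA_NAK, secret, avp(ERROR_CAUSE, struct.pack("!I", ERR_MISSING_ATTRIBUTE)))
    if mac.decode() not in sessions:
        return build_response(packet, COA_NAK, secret, avp(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_NOT_FOUND)))
    sessions[mac.decode()] = "REAUTHENTICATING"  # WLC now sends EAP-Start to the client (step 6)
    return build_response(packet, COA_ACK, secret)
```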