Cisco 5520 Wireless Controller Technical Reference

Page 102
 
4 Wireless BYOD with Identity Services Engine

DNS Based ACL Support for BYOD Clients
5. The WLC allows this traffic because the ACL is configured to allow it. In the VLAN override case, the traffic is bridged so that it reaches the ISE server.
6. Once the ISE client completes its assessment, a RADIUS CoA-Req with the reauth service is sent to the WLC. This initiates re-authentication of the client (by sending EAP-START). Once re-authentication succeeds, the ISE sends an Access Accept with a new ACL (if any) and no URL redirect, or an access VLAN.
7. The WLC supports CoA-Req and Disconnect-Req as per RFC 3576. The WLC needs to support CoA-Req for the re-auth service, as per RFC 5176.
8. Instead of downloadable ACLs, pre-configured ACLs are used on the WLC. The ISE server only sends the ACL name, which is already configured on the controller.
9. This design should work for both the VLAN and the ACL cases. In the VLAN override case, only port 80 traffic is redirected and the rest of the traffic is allowed (bridged) on the quarantine VLAN. For the ACL case, the pre-auth ACL received in the Access Accept is applied.
This figure provides a visual representation of this feature flow:
DNS Based ACL Support for BYOD Clients
Prior to the 7.6 software release, the WLC had to be configured with the ACL name that would be returned by the AAA (ISE) server for the pre-auth ACL to be applied. If the ACL name is returned by the AAA server, the ACL is applied to the client data traffic as shown above.
To support device registration and onboarding of BYOD clients, a DNS-based ACL feature was added. This allows the user to configure permitted URLs along with the ACL rules. The URLs need to be pre-configured on the ACL. At the client authentication phase, the AAA server returns the pre-auth ACL (url-redirect-acl).
Figure: DNS Based ACL Support for BYOD Clients. Actors, left to right: Wireless User, AP, WLC (wireless side), L3 Switch and ISE (wired side, Trusted Network). Steps shown in the figure:
1. 802.1x Authentication Phase
2. Access Accept (URL redirect Port 80 {ACL name [IP addr, Port]})
3. Apply (ACL) and move to posture state
4. HTTP GET request (80)
5. URL redirect received in Access Accept
6. NAC initiates Posture Validation
7. ACL letting the traffic reach ISE server
8. Posture OK, CoA-Req to reauth. the client
9. Send EAP-START
10. 802.1x Reauthentication Phase
11. Access Accept (new ACL, VLAN)
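As an added illustration (not Cisco code or configuration), the following Python model walks a client through the flow above: the named ACL must already exist on the controller, port 80 is redirected, the ACL (or addresses learned for its permitted URLs) gates other traffic, VLAN override bridges the rest, and only a CoA-Req carrying the reauth service triggers EAP-START. ACL names, addresses and hostnames are constructed, and learning permitted IPs from DNS replies is an assumption about how the DNS-based ACL is enforced.

```python
# Toy model of the WLC decision path above (constructed example, not Cisco code).
from dataclasses import dataclass, field
from typing import Optional
# ACLs are pre-configured on the controller; ISE returns only the name (step 8).
WLC_ACLS = {  # IP/port permit rules plus DNS-based permitted URLs; values made up
    "PRE-AUTH-ACL": {"permit": {("10.0.0.5", 8443)}, "urls": {"onboard.example.com"}},
    "BYOD-FULL": {"permit": set(), "urls": set()},
}

@dataclass
class Client:
    state: str = "UNAUTH"            # UNAUTH -> POSTURE -> AUTHORIZED
    acl: Optional[str] = None
    vlan_override: bool = False
    learned_ips: set = field(default_factory=set)  # resolved IPs of permitted URLs

def apply_access_accept(client, attrs):
    """Steps 2-3: apply the named ACL (must already exist) or VLAN; posture state if redirected."""
    name = attrs.get("url-redirect-acl")
    if name is not None and name not in WLC_ACLS:
        raise LookupError(f"ACL {name!r} is not configured on the WLC")
    client.acl, client.vlan_override = name, "vlan" in attrs
    client.state = "POSTURE" if "url-redirect" in attrs else "AUTHORIZED"

def dns_reply(client, hostname, ip):
    """Assumption: the WLC learns permitted IPs from DNS replies for the ACL's URLs."""
    if client.acl and hostname in WLC_ACLS[client.acl]["urls"]:
        client.learned_ips.add(ip)

def forward(client, dst_ip, dst_port):
    """Steps 4, 5, 7 and the VLAN case of step 9: what the WLC does with one packet."""
    if client.state == "UNAUTH":
        return "drop"
    if client.state == "AUTHORIZED":
        return "permit"
    if dst_port == 80:
        return "redirect"            # HTTP is redirected to the ISE portal
    if client.vlan_override:
        return "bridge"              # VLAN override: rest bridged on quarantine VLAN
    acl = WLC_ACLS.get(client.acl, {"permit": ()})
    if (dst_ip, dst_port) in acl["permit"] or dst_ip in client.learned_ips:
        return "permit"              # ACL lets traffic reach ISE / permitted URL
    return "drop"

def handle_coa(client, coa):
    """Step 6: only a CoA-Req with the reauth service triggers re-authentication."""
    if client.state != "POSTURE" or coa.get("service") != "reauth":
        return "CoA-NAK"
    client.state = "UNAUTH"           # 802.1x re-authentication (step 10) follows
    return "EAP-START"
```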