Technical Manual for Cisco Identity Services Engine Software

Central Web Authentication with a Switch and Identity Services Engine Configuration Example
 
Contents
Introduction
Prerequisites
Requirements
Components Used
Configure
Overview
Create the Downloadable ACL
Create the Authorization Profile
Create an Authentication Rule
Create an Authorization Rule
Enable the IP Renewal (Optional)
Switch Configuration (Excerpt)
Switch Configuration (Full)
HTTP Proxy Configuration
Important Note about Switch SVIs
Important Note about HTTPS Redirection
Final Result
Verify
Troubleshoot
Related Information
Introduction
This document describes how to configure central web authentication with wired clients connected
to switches with the help of Identity Services Engine (ISE).
Central web authentication contrasts with local web authentication, which is the
usual web authentication on the switch itself. In that system, upon dot1x/MAB failure, the switch
fails over to the webauth profile and redirects client traffic to a web page on the switch.
Central web authentication offers the possibility to have a central device that acts as a web portal
(in this example, the ISE). The major difference compared to the usual local web authentication is
that it is shifted to Layer 2 along with MAC/dot1x authentication. The concept also differs in that the
RADIUS server (ISE in this example) returns special attributes that indicate to the switch that a web
redirection must occur. This solution has the advantage of eliminating any delay that was necessary
for web authentication to kick in. Overall, if the MAC address of the client station is not known by the
RADIUS server (but other criteria can also be used), the server returns redirection attributes, and the
switch authorizes the station (via MAC authentication bypass [MAB]) but places an access list to
redirect the web traffic to the portal. Once the user logs in on the guest portal, it is possible via