This document describes the integration of Catalyst 9800 Wireless LAN Controller (WLC) with Aruba ClearPass to deliver Guest Wireless Service Set Identifier (SSID) which leverages Central Web Authentication (CWA) to wireless clients in a Flexconnect mode of Access Point (AP) deployment.
Guest wireless authentication is supported by Guest Portal with an anonymous acceptable user policy (AUP) page, hosted on Aruba Clearpass in a secure demilitarized zone (DMZ) segment.
This guide assumes these components have been configured and verified:
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The diagram conveys the details of the Guest Wifi access exchanges before the guest user is allowed onto the network:
1. The guest user associates with the Guest Wifi in a remote office.
2. The initial RADIUS Access-Request is proxied by C9800 to the RADIUS server.
3. The server looks up the supplied guest MAC address in the local MAC Endpoint Database.
If the MAC address is not found, the server responds with a MAC Authentication Bypass (MAB) profile. This RADIUS response includes:
4. Client goes through the IP Learn process where it is assigned an IP address.
5. C9800 transitions the guest client (identified by its MAC address) to the 'Web Auth Pending' state.
6. Most modern device operating systems perform some form of captive portal detection when they associate with a guest WLAN.
The exact detection mechanism depends on the specific OS implementation. The client OS opens a pop-up (pseudo-browser) dialog with a page that C9800 redirects to the guest portal URL hosted by the RADIUS server, which was supplied as part of the RADIUS Access-Accept response.
7. The guest user accepts the Terms and Conditions on the presented pop-up. ClearPass sets a flag for the client MAC address in its Endpoint Database (DB) to indicate that the client has completed authentication, and initiates a RADIUS Change of Authorization (CoA), with the source interface selected based on the routing table (if multiple interfaces are present on ClearPass).
8. WLC transitions Guest Client to 'Run' State and the user is granted access to the Internet with no further redirects.
Note: For Cisco 9800 Foreign, Anchor Wireless Controller state flow diagram with RADIUS and externally hosted Guest Portal, refer to the Appendix section in this article.
Guest Central Web Authentication (CWA) State Diagram
In a typical enterprise deployment with multiple branch offices, each branch office is set up to provide secure, segmented access to guests through a Guest Portal once the guest accepts EULA.
In this configuration example, 9800 CWA is used for guest access via integration to a separate ClearPass instance exclusively deployed for guest users in the secure DMZ of the network.
The guests must accept the terms and conditions laid out in the web-consent pop-up portal provided by the DMZ ClearPass server. This configuration example focuses on the Anonymous Guest Access method (that is, no guest username/password is required to authenticate to Guest Portal).
The traffic flow that corresponds to this deployment is shown in the image:
1. RADIUS - MAB phase
2. Guest Client URL redirect to Guest Portal
3. After guest acceptance of EULA on Guest Portal, RADIUS CoA Reauthenticate is issued from CPPM to 9800 WLC
4. Guest is allowed access to the Internet
Note: For lab demo purposes, a single/combined Aruba CPPM Server instance is used to serve both Guest and Corp SSID Network Access Server (NAS) functions. Best practice implementation suggests independent NAS instances.
In this configuration example, a new configuration model on C9800 is leveraged to create the necessary profiles and tags to provide dot1x Corporate Access and CWA guest Access to the enterprise branch. The resultant configuration is summarized in this image:
Note: Due to Cisco bug ID CSCvh03827, ensure that the defined Authentication, Authorization, and Accounting (AAA) servers are not load-balanced, as the mechanism relies on Session ID persistence in the WLC to ClearPass RADIUS exchanges.
Step 1. Add the Aruba ClearPass DMZ server(s) to the 9800 WLC configuration and create an authentication method list. Navigate to Configuration > Security > AAA > Servers/Groups > RADIUS > Servers > +Add and enter the RADIUS servers information.
Step 2. Define AAA Server Group for guests and assign the server configured in Step 1. to this server group. Navigate to Configuration > Security > AAA > Servers/Groups > RADIUS > Groups > +Add.
Step 3. Define an Authorization method list for guest access and map the server group created in Step 2. Navigate to Configuration > Security > AAA > AAA Method List > Authorization > +Add. Choose Type Network and then AAA Server Group configured in Step 2.
Step 4. Create an Accounting method list for guest access and map the server group created in Step 2. Navigate to Configuration > Security > AAA > AAA Method List > Accounting > +Add. Choose Type Identity from the drop-down menu and then AAA Server Group configured in Step 2.
The redirect ACL defines what traffic must be redirected to Guest Portal vs allowed to pass with no redirection. Here, the ACL deny implies bypass redirect or pass through, while permit implies redirect to the portal. For each traffic class, you need to consider the direction of traffic when you create Access Control Entries (ACEs) and create ACEs that match both ingress and egress traffic.
Navigate to Configuration > Security > ACL, and define a new ACL named CAPTIVE_PORTAL_REDIRECT. Configure the ACL with these ACEs:
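The ACE list itself is shown only in the image, so as an added example (not the ACE list from the original document) this is how a redirect ACL with the semantics described above could be written in IOS-XE CLI. <CPPM_IP> is a placeholder for the DMZ ClearPass address, which this document does not give; the ACL name matches the one referenced later in the url-redirect-acl attribute.

```text
! Added example, not the document's own ACE list.
! In a CWA redirect ACL: deny = bypass redirect (pass through), permit = redirect to portal.
! <CPPM_IP> is a placeholder for the DMZ ClearPass server address.
ip access-list extended CAPTIVE_PORTAL_REDIRECT
 remark DHCP in both directions so the client can complete IP Learn
 10 deny udp any eq bootpc any eq bootps
 20 deny udp any eq bootps any eq bootpc
 remark DNS in both directions so captive portal detection can resolve names
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 remark Traffic to and from the ClearPass Guest Portal itself must not be redirected
 50 deny ip any host <CPMP_IP_PLACEHOLDER_REPLACE_ME>
 60 deny ip host <CPMP_IP_PLACEHOLDER_REPLACE_ME> any
 remark Remaining web traffic is redirected to the Guest Portal
 70 permit tcp any any eq www
 80 permit tcp any any eq 443
```

Because the match is evaluated per direction, each bypassed class needs an ACE for both the client-to-server and server-to-client flow, as the two DHCP and two DNS entries show.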
Step 1. Navigate to Configuration > Tags & Profiles > Wireless > +Add. Create a new SSID Profile WP_Guest, with the broadcast of SSID 'Guest' that guest clients associate with.
Under the same Add WLAN dialog, navigate to the Security > Layer 2 Tab.
- Layer 2 Security Mode: None
- MAC Filtering: Enabled
- Authorization list: AAA_Authz_CPPM from the drop-down menu (configured under Step 3. as part of AAA configuration)
On C9800 WLC GUI, navigate to Configuration > Tags & Profiles > Policy > +Add.
Name: PP_Guest
Status: Enabled
Central Switching: Disabled
Central Authentication: Enabled
Central DHCP: Disabled
Central Association: Disabled
Navigate to the Access Policies tab in the same Add Policy Profile dialog.
- RADIUS Profiling: Enabled
- VLAN/VLAN Group: 210 (that is, VLAN 210 is the Guest local VLAN at each branch location)
Note: The guest VLAN for Flex must not be defined on the 9800 WLC under VLANs; in the VLAN/VLAN Group field, type the VLAN number.
Known defect: Cisco bug ID CSCvn48234 causes SSID not to be broadcasted if the same Flex guest VLAN is defined under WLC and in the Flex Profile.
In the same Add Policy Profile dialog, navigate to the Advanced tab.
- Allow AAA Override: Enabled
- NAC State: Enabled
- NAC Type: RADIUS
- Accounting List: AAA_Accounting_CPPM (that is defined in Step 4. as part of AAA configuration)
Note: 'Network Admission Control (NAC) State - Enable' is required to enable C9800 WLC to accept RADIUS CoA messages.
On C9800 GUI, navigate to Configuration > Tags & Profiles > Tags > Policy > +Add.
- Name: PT_CAN01
- Description: Policy Tag for CAN01 Branch Site
In the same dialog Add Policy Tag, under WLAN-POLICY MAPS, click +Add, and map the previously created WLAN Profile to Policy Profile:
- WLAN Profile: WP_Guest
- Policy Profile: PP_Guest
On C9800 WLC GUI, navigate to Configuration > Tags & Profiles > AP Join > +Add.
- Name: Branch_AP_Profile
- NTP Server: 10.0.10.4 (refer to the lab topology diagram). This is the NTP server that is used by APs in Branch to synchronize.
The profiles and tags are modular and can be reused for multiple sites.
In the case of FlexConnect deployment, if the same VLAN IDs are used at all of the branch sites, you can re-use the same flex profile.
Step 1. On a C9800 WLC GUI, navigate to Configuration > Tags & Profiles > Flex > +Add.
- Name: FP_Branch
- Native VLAN ID: 10 (only required if you have a non-default native VLAN where you want to have an AP management interface)
On the same Add Flex Profile dialogue, navigate to the Policy ACL tab and click +Add.
- ACL Name: CAPTIVE_PORTAL_REDIRECT
- Central Web Auth: Enabled
On a Flexconnect deployment, each managed AP is expected to download the redirect ACL locally as redirection happens at the AP and not on the C9800.
On the same Add Flex Profile dialogue, navigate to the VLAN tab and click +Add (refer to the lab topology diagram).
- VLAN Name: guest
- VLAN Id: 210
On 9800 WLC GUI, navigate to Configuration > Tags & Profiles > Tags > Site > Add.
Note: Create a unique Site Tag for each Remote Site that needs to support the two wireless SSIDs as described.
There is a 1-1 mapping between a geographical location, Site Tag, and a Flex Profile configuration.
A flex connect site must have a flex connect profile associated with it. You can have a maximum of 100 access points for each flex connect site.
- Name: ST_CAN01
- AP Join Profile: Branch_AP_Profile
- Flex Profile: FP_Branch
- Enable Local Site: Disabled
On 9800 WLC GUI, navigate to Configuration > Tags & Profiles > Tags > RF > Add.
- Name: Branch_RF
- 5 GHz Band Radio Frequency (RF) Profile: Typical_Client_Density_5gh (system-defined option)
- 2.4 GHz Band RF Profile: Typical_Client_Density_2gh (system-defined option)
There are two options available to assign defined Tags to individual APs in the deployment:
- AP name-based assignment, which leverages regex rules that match on patterns in the AP Name field (Configure > Tags & Profiles > Tags > AP > Filter)
- AP Ethernet MAC address based assignment (Configure > Tags & Profiles > Tags > AP > Static)
In production deployment with DNA Center, it is highly recommended to either use DNAC and AP PNP Workflow, or use a static bulk Comma-Separated Values (CSV) upload method available in 9800 in order to avoid manual per-AP assignment. Navigate to Configure > Tags & Profiles > Tags > AP > Static > Add (Note the Upload File option).
- AP MAC Address: <AP_ETHERNET_MAC>
- Policy Tag Name: PT_CAN01
- Site Tag Name: ST_CAN01
- RF Tag Name: Branch_RF
Note: As of Cisco IOS®-XE 17.3.4c there is a limit of 1,000 regex rules per controller. If the number of sites in the deployment exceeds this number, the static per-MAC assignment must be leveraged.
Note: Alternatively, to leverage AP-name regex-based tag assignment method, navigate to Configure > Tags & Profiles > Tags > AP > Filter > Add.
- Name: BR_CAN01
- AP name regex: BR-CAN01-.{7} (This rule matches the AP name convention adopted within the organization. In this example the Tags are assigned to APs whose AP Name field contains 'BR-CAN01-' followed by any seven characters.)
- Priority: 1
- Policy Tag Name: PT_CAN01 (as defined)
- Site Tag Name: ST_CAN01
- RF Tag Name: Branch_RF
For production/best practices based Aruba CPPM configuration, contact your local HPE Aruba SE resource.
Aruba ClearPass is deployed with the use of the Open Virtualization Format (OVF) template on the ESXi <> server that allocates these resources:
Apply platform license via: Administration > Server Manager > Licensing. Add Platform, Access, and Onboard licenses.
Navigate to Administration > Server Manager > Server Configuration and choose the newly provisioned CPPM server.
- Hostname: cppm
- FQDN: cppm.example.com
- Verify Management Port IP Addressing and DNS
This certificate is used when the ClearPass Guest Portal page is presented via HTTPS to guest clients who connect to the Guest Wifi in Branch.
Step 1. Upload the CA pub chain certificate.
Navigate to Administration > Certificates > Trust List > Add.
- Usage: Enable Others
Step 2. Create Certificate Signing Request.
Navigate to Administration > Certificates > Certificate Store > Server Certificates > Usage: HTTPS Server Certificate.
- Click the Create Certificate Signing Request
- Common Name: CPPM
- Organization: cppm.example.com
Ensure that the SAN field is populated (the common name must be present in the SAN, as well as the IP address and other FQDNs as needed). The format is DNS:<fqdn1>,DNS:<fqdn2>,IP:<ip1>.
Step 3. In your CA of choice, sign the newly generated CPPM HTTPS Service CSR.
Step 4. Navigate to Certificate Template > Web Server > Import Certificate.
- Certificate Type: Server Certificate
- Usage: HTTP Server Certificate
- Certificate File: Browse, and select CA signed CPPM HTTPS Service certificate
Navigate to Configuration > Network > Devices > Add.
- Name: WLC_9800_Branch
- IP or Subnet Address: 10.85.54.99 (refer to lab topology diagram)
- RADIUS Shared Secret: <WLC RADIUS password>
- Vendor Name: Cisco
- Enable RADIUS Dynamic Authorization: 1700
It is very important to set the correct timer values throughout the configuration. If timers are not tuned, you are likely to run into a cycling Web Portal redirect with the client not in 'Run State'.
Timers to pay attention to:
ClearPass-side CWA Configuration is composed of three Service Points/Stages:
ClearPass Component | Service Type | Purpose |
---|---|---|
1. Policy Manager | Service: Mac Authentication | If custom attribute Allow-Guest-Internet = TRUE, allow it onto the network. Else, trigger Redirect and CoA: Reauthenticate. |
2. Guest | Web Logins | Present Anonymous login AUP page. |
3. Policy Manager | Service: Web-based Authentication | Update Endpoint to Known |
Create a metadata attribute of type Boolean to track the Guest Endpoint state as the client transitions between the 'Webauth Pending' and 'Run' state:
- New guests that connect to wifi have the metadata attribute set to the default Allow-Guest-Internet=false. Based on this attribute, the client authentication goes through the MAB service.
- When the guest clicks the AUP Accept button, the client's metadata attribute is updated to Allow-Guest-Internet=true. Subsequent MAB, with this attribute set to true, allows non-redirected access to the Internet.
Navigate to ClearPass > Configuration > Endpoints, pick any endpoint from the list, click the Attributes tab, add Allow-Guest-Internet with the value false and Save.
Note: You can also edit the same endpoint, and delete this attribute right after - this step simply creates a field in Endpoints metadata DB that can be used in policies.
Create an Enforcement Profile that is assigned to the guest client immediately after the client accepts AUP on the Guest Portal page.
Navigate to ClearPass > Configuration > Profiles > Add.
- Template: RADIUS Dynamic Authorization
- Name: Cisco_WLC_Guest_COA
Type | Name | Value |
---|---|---|
Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id} |
Radius:Cisco | Cisco-AVPair | subscriber:command=reauthenticate |
Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair:subscriber:audit-session-id} |
Radius:Cisco | Cisco-AVPair | subscriber:reauthenticate-type=last |
Create an Enforcement Profile that is applied to Guest during the initial MAB phase, when the MAC address is not found in the CPPM Endpoint Database with 'Allow-Guest-Internet' set to 'true'.
This causes the 9800 WLC to redirect the Guest client to the CPPM Guest Portal for external authentication.
Navigate to ClearPass > Enforcement > Profiles > Add.
- Name: Cisco_Portal_Redirect
- Type: RADIUS
- Action: Accept
ClearPass Redirect Enforcement Profile
In the same dialogue, under the Attributes tab, configure two Attributes as per this image:
ClearPass Redirect Profile Attributes
The url-redirect-acl attribute is set to CAPTIVE_PORTAL_REDIRECT, which is the name of the ACL created on C9800.
Note: Only the reference to the ACL is passed in the RADIUS message, and not the ACL contents. It is important that the name of the ACL created on 9800 WLC matches exactly to the value of this RADIUS attribute as shown.
The url-redirect attribute is composed of several parameters:
The URL of the ClearPass Guest Web Login Page is seen when you navigate to CPPM > Guest > Configuration > Pages > Web Logins > Edit.
In this example, the Guest Portal page name in CPPM is defined as iaccept.
Note: The configuration steps for the Guest Portal page are as described.
Note: For Cisco devices, audit_session_id would normally be used, but that is not supported by other vendors.
Configure an Enforcement Profile to update the Endpoint metadata attribute that CPPM uses for state transition tracking.
This profile is applied to the Guest Client MAC Address entry in the Endpoint database and sets the 'Allow-Guest-Internet' argument to 'true'.
Navigate to ClearPass > Enforcement > Profiles > Add.
- Template: ClearPass Entity Update Enforcement
- Type: Post_Authentication
In the same dialogue, navigate to the Attributes tab.
- Type: Endpoint
- Name: Allow-Guest-Internet
Note: For this name to appear in the dropdown menu, you have to manually define this field for at least one Endpoint as described in the Steps.
- Value: true
Navigate to ClearPass > Enforcement > Policies > Add.
- Name: WLC Cisco Guest Allow
- Enforcement Type: RADIUS
- Default Profile: Cisco_Portal_Redirect
In the same dialogue, navigate to the Rules tab and click Add Rule.
- Type: Endpoint
- Name: Allow-Guest-Internet
- Operator: EQUALS
- Value: True
- Profile Names / Select to Add: [RADIUS] [Allow Access Profile]
Navigate to ClearPass > Enforcement > Policies > Add.
- Name: Cisco WLC Webauth Enforcement Policy
- Enforcement Type: WEBAUTH (SNMP/Agent/CLI/CoA)
- Default Profile: [RADIUS_CoA] Cisco_Reauthenticate_Session
In the same dialogue, navigate to Rules > Add.
- Conditions: Authentication
- Name: Status
- Operator: EQUALS
- Value: User
- Profile Names: <add each>:
- [Post Authentication] [Update Endpoint Known]
- [Post Authentication] [Make-Cisco-Guest-Valid]
- [RADIUS_CoA] [Cisco_WLC_Guest_COA]
Note: If you run into a scenario with a continuous Guest Portal redirect pseudo-browser pop-up, it indicates that either the CPPM timers require adjustment or the RADIUS CoA messages are not properly exchanged between CPPM and the 9800 WLC. Verify the following:
- Navigate to CPPM > Monitoring > Live Monitoring > Access Tracker, and ensure the RADIUS log entry contains RADIUS CoA details.
- On 9800 WLC, navigate to Troubleshooting > Packet Capture, enable pcap on the interface where the arrival of RADIUS CoA packets is expected and verify RADIUS CoA messages are received from the CPPM.
The service is matched on the Attribute Value (AV) pair Radius:Cisco | Cisco-AVPair | cisco-wlan-ssid.
Navigate to ClearPass > Configuration > Services > Add.
Service Tab:
- Name: GuestPortal - Mac Auth
- Type: MAC Authentication
- More Options: Select Authorization, Profile Endpoints
Add match rule:
- Type: Radius: Cisco
- Name: Cisco-AVPair
- Operator: EQUALS
- Value: cisco-wlan-ssid=Guest (match your configured Guest SSID name)
Note: 'Guest' is the name of the broadcasted Guest SSID by 9800 WLC.
While in the same dialogue, choose the Authentication Tab.
- Authentication Methods: Remove [MAC AUTH], Add [Allow All MAC AUTH]
- Authentication Sources: [Endpoints Repository][Local SQL DB], [Guest User Repository][Local SQL DB]
While in the same dialogue, choose the Enforcement Tab.
- Enforcement Policy: WLC Cisco Guest Allow
Navigate to ClearPass > Enforcement > Policies > Add.
- Name: Guest_Portal_Webauth
- Type: Web-based Authentication
While in the same dialogue, under the Enforcement tab, the Enforcement Policy: Cisco WLC Webauth Enforcement Policy.
For the Anonymous AUP Guest Portal page, use a single username with no password field.
The username that is used must have these fields defined/set:
username_auth | Username Authentication: | 1
In order to set the 'username_auth' field for a user, that field must be first exposed in the 'edit user' form. Navigate to ClearPass > Guest > Configuration > Pages > Forms, and choose create_user form.
Choose visitor_name (row 20), and click Insert After.
Now create the username to use behind the AUP Guest Portal page.
Navigate to CPPM > Guest > Guest > Manage Accounts > Create.
- Guest Name: GuestWiFi
- Company Name: Cisco
- Email Address: guest@example.com
- Username Authentication: Allow guest access with the use of their username only: Enabled
- Account Activation: Now
- Account Expiration: The account does not expire
- Terms of Use: I am the sponsor: Enabled
Create Web Login Form. Navigate to CPPM > Guest > Configuration > Web Logins.
The Endpoint Attributes in the post-auth section:
Endpoint Attribute | Value |
---|---|
username | Username |
visitor_name | Visitor Name |
cn | Visitor Name |
visitor_phone | Visitor Phone |
email | Email |
mail | Email |
sponsor_name | Sponsor Name |
sponsor_email | Sponsor Email |
Allow-Guest-Internet | true |
In the CPPM, navigate to Live Monitoring > Access Tracker.
The New Guest user that connects and triggers MAB Service.
Summary Tab:
In the same dialogue, navigate to the Input Tab.
In the same dialogue, navigate to the Output Tab.
For reference purposes, a state flow diagram is presented here for Cisco 9800 Foreign, Anchor controller interactions with RADIUS Server and externally hosted Guest Portal.
Guest Central Web Authentication State Diagram with Anchor WLC
Revision | Publish Date | Comments |
---|---|---|
2.0 | 22-Jul-2022 | Initial Release |
1.0 | 23-Jun-2022 | Initial Release |