Lab Minutes Forum
Technical Discussion => Security => Topic started by: tomimma on March 03, 2015, 10:22:18 AM
-
Hi
During configuration, "Centralized Web Auth" is selected under Web Redirection in AuthZ profile setting.
For single SSID onboarding, "Native Supplicant Provisioning" was selected. So, I am a bit confused. Is there any particular reason to choose "CWA" instead of "Native Supplicant Provisioning"? Or does this have to be "CWA"?
My guess is it would work with "Native Supplicant Provisioning" and define this portal under "administration" -> "Device Portal Management" -> BYOD portal.
If so, what would be the benefit of using CWA?
Thanks!
-
For Single SSID, you can send the user directly to "Native Supplicant Provisioning" to immediately begin onboarding, since the user should have already been authenticated via 802.1x. For dual-SSID, you need to send the user to a web login since the SSID is open, and as part of the Guest portal config have the "allow employee to onboard" setting configured so users are presented with an option to onboard after a successful web login. So you wouldn't really use "Native Supplicant Provisioning" in dual-SSID.
The "administration" -> "Device Portal Management" -> BYOD portal is only for portal customization and doesn't really affect the onboarding process.
-
Hi MC,
Very clear, and thanks for the detailed explanation. Now that totally makes sense!
I guess I need to work a lot on ISE... :(
-
Hi MC, firstly thanks so much for your fantastic detailed videos. I've been able to sort out my Guest and BYOD very nicely.
The Native vs CWA redirect is something I came across because I am not using an open SSID for Guest or provisioning.
I have two SSIDs: Guest and BYOD, but both are 802.1X. On ISE AuthC I only allow PEAP-MSCHAPv2 for Guest and it looks up either the Internal Guest DB or AD. If it's an AD user I redirect it to BYOD and when they're provisioned they go to the BYOD SSID which allows EAP-TLS only. Perhaps it's overboard - I could potentially do it on one SSID but later on I might want to have them on different VLANs.
My big question - is it possible to have a Native redirect for Guest? In the portal list it only gives options for the BYOD portals, not Guest but in my case it would be very handy. Without that I am faced with either allowing the Guests directly on once they've auth'd with PEAP, or make them login a second time if I wanted them to get the Portal interface (AUP acceptance, password change etc)
-
What you can try is, after a successful guest authentication via 802.1x/PEAP, redirect them to a Hotspot portal instead of a Sponsored Guest portal, so all they need to do is click to accept the AUP and gain access. Would that work?