Centralized Web Authentication (With COA)

Platform: https://racks.uninets.com

Lab Name: CCNP Security SISAS

Topology

Centralized Web Authentication (With COA)

https://racks.uninets.com/

TASK

• To take the access of ISE GUI (from the management pc browse https://192.168.1.21)

• To take the access of the user pc ( RDP from management pc 192.168.1.81)

• To take the access of the physical switch( telnet from management pc 192.168.1.253)

Explanation

For centralized web authentication we need two DHCP pool one before portal authentication

and another after portal authentication or COA. We need to create one DHCP pool of vlan 10 in

the physical switch the other DHCP pool is already configured. We need to create an SVI in the

switch for the DHCP and assign any random port to vlan 10 otherwise the SVI will not come up .

After COA the ip renewal is necessary go to command prompt of the user pc and type ipconfig

/release, ipconfig /renew. If you have java applet the ip renewal will be automatically done

NOTE- we are assuming the student have basic knowledge about CWA and COA to do this practical

Configure CWA according to the mentioned topology. Create an authentication rule which will

bypass the authentication if user not found in the identity source sequence .Before the web

authentication the user should be authorized with a restricted vlan of 10,with an ip address of

network 10.1.2.0/24 ,an dacl of CWA-phase1,(which will permit http, https, dns. dhcp and a tcp

connection to ISE on port 8443) and a redirect url. After the web auth the user should be

authorized with a vlan of 192, a dacl of CWA-phase2 ( which will permit http https, dns, dhcp) .

Use self registration portal

Configuration

WE will configure the following task in an order

ISE configuration

NAD Configuration

Verification from the usurp

ISE configuration-

Take the GUI of the isehttps://192.168.1.21

Add our network device or NAD device

Administration>>network device>>add

https://192.168.1.21/https://192.168.1.21/

Now will configure out portal settings work centers>>guest access >>portals and components

Next we will create our dacl CWA-PHASE1, CWA-PHASE2. Policy>>result>>authorization >>

downloadable acl>>add

Next we will create our authorization profile policy >>results>>authorization>>authorization profile>>add

Next we will create our next authorization profile CWA_PHASE2

Next we will create our authentication rule policy>>default policy sets>>authentication

policy>>add

Next we will create our authorization profile policy>>default policy sets>>authorization

policy>>add

Next we will configure our next order. Configuration of switch or NAD

next we will verify our configuration from the user_pc send any https traffic an portal will appear

sign on we will get an user name and password type the username and password then our vlan

and ip address will change if ip address does not change it manually (as mentioned in the

explanation part)