Centralized Web Authentication (With COA)
Platform: https://racks.uninets.com
Lab Name: CCNP Security SISAS
Topology
TASK
• Access the ISE GUI (from the management PC, browse to https://192.168.1.21)
• Access the user PC (RDP from the management PC to 192.168.1.81)
• Access the physical switch (telnet from the management PC to 192.168.1.253)
Explanation
For centralized web authentication we need two DHCP pools: one used before portal authentication and another used after portal authentication (after COA). We need to create the DHCP pool for VLAN 10 in the physical switch; the other DHCP pool is already configured. We also need to create an SVI in the switch for that DHCP pool and assign any port to VLAN 10, otherwise the SVI will not come up.
After COA the IP address must be renewed: go to the command prompt of the user PC and type ipconfig /release, then ipconfig /renew. If the Java applet is installed, the IP renewal is done automatically.
NOTE - we are assuming the student has basic knowledge of CWA and COA to do this practical.
Configure CWA according to the topology shown. Create an authentication rule that continues (bypasses authentication) if the user is not found in the identity source sequence. Before the web authentication the user should be authorized with a restricted VLAN of 10, an IP address from network 10.1.2.0/24, a dACL CWA-phase1 (which permits HTTP, HTTPS, DNS, DHCP and a TCP connection to ISE on port 8443) and a redirect URL. After the web authentication the user should be authorized with VLAN 192 and a dACL CWA-phase2 (which permits HTTP, HTTPS, DNS and DHCP).
Use the self-registration portal.
Configuration
We will configure the following tasks in this order:
ISE configuration
NAD configuration
Verification from the user PC
ISE configuration-
Open the GUI of ISE: https://192.168.1.21
Add our network device (NAD):
Administration >> Network Devices >> Add
Now we will configure our portal settings: Work Centers >> Guest Access >> Portals and Components
Next we will create our dACLs CWA-PHASE1 and CWA-PHASE2: Policy >> Results >> Authorization >> Downloadable ACLs >> Add
Next we will create our first authorization profile (pre-authentication): Policy >> Results >> Authorization >> Authorization Profiles >> Add
Next we will create our second authorization profile, CWA_PHASE2 (post-authentication).
Next we will create our authentication rule: Policy >> Default Policy Sets >> Authentication Policy >> Add
Next we will create our authorization rules: Policy >> Default Policy Sets >> Authorization Policy >> Add
Next we will move on to the next item in our order: configuration of the switch (NAD).
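The switch-side (NAD) configuration for this lab, as an added example that is not part of the original handout or the UniNets lab files. The ISE address 192.168.1.21, VLAN 10 with network 10.1.2.0/24, VLAN 192, the dACL names CWA-phase1/CWA-phase2 and port 8443 are taken from the task above; the interface names, the redirect ACL name, the RADIUS shared key, the DHCP gateway and DNS addresses, and the existing VLAN 192 pool living elsewhere are assumptions. The dACL bodies are shown as comments because they are typed into ISE, not into the switch.

```cisco
! ---- Pre-authentication DHCP pool for VLAN 10 (10.1.2.0/24 is from the task;
!      the gateway 10.1.2.1 and the DNS address are assumptions)
vlan 10
 name CWA-RESTRICTED
vlan 192
 name CWA-AUTHORIZED
! (the DHCP pool for VLAN 192 is already configured elsewhere in the lab)
ip dhcp excluded-address 10.1.2.1
ip dhcp pool VLAN10-CWA
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 dns-server 192.168.1.21
!
! The SVI only comes up once at least one port is active in VLAN 10,
! so an unused port is parked there (Gi0/24 is an assumption).
interface Vlan10
 ip address 10.1.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 10
!
! ---- RADIUS and COA towards ISE (the shared key is a placeholder)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 192.168.1.21 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-KEY-PLACEHOLDER
radius-server vsa send authentication
radius-server vsa send accounting
aaa server radius dynamic-author
 client 192.168.1.21 server-key RADIUS-SHARED-KEY-PLACEHOLDER
dot1x system-auth-control
! Device tracking and the local HTTP/HTTPS listener are needed for the URL redirect
ip device tracking
ip http server
ip http secure-server
!
! ---- Redirect ACL named in the pre-authentication authorization profile
!      (the name is an assumption). "deny" = do not redirect, "permit" = redirect.
!      DHCP, DNS and traffic to ISE itself must never be redirected.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 192.168.1.21
 permit tcp any any eq www
 permit tcp any any eq 443
!
! ---- User-facing port (Gi0/1 is an assumption). MAB runs first so an unknown
!      user matches the "continue if user not found" rule and is sent to the portal.
interface GigabitEthernet0/1
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! ---- dACL bodies entered in ISE (Policy >> Results >> Authorization >>
!      Downloadable ACLs), in the IOS ACE syntax ISE expects.
! CWA-phase1: DHCP, DNS, HTTP, HTTPS and TCP 8443 to ISE for the portal
!   permit udp any eq bootpc any eq bootps
!   permit udp any any eq domain
!   permit tcp any any eq www
!   permit tcp any any eq 443
!   permit tcp any host 192.168.1.21 eq 8443
! CWA-phase2: DHCP, DNS, HTTP, HTTPS
!   permit udp any eq bootpc any eq bootps
!   permit udp any any eq domain
!   permit tcp any any eq www
!   permit tcp any any eq 443
!
! ---- Verification on the switch
!   show authentication sessions interface GigabitEthernet0/1 details
! Before COA the session should show VLAN 10, the CWA-phase1 dACL and a URL redirect;
! after the user signs in and COA is applied it should show VLAN 192 and CWA-phase2.
```

Because the dACL is applied on the switch, the switch compares each ACE against its own ACL syntax; a typo in the dACL body in ISE will cause the authorization to fail with a dACL download error, so check `show authentication sessions` output if the session stays unauthorized.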
Next we will verify our configuration from the user PC: send any HTTPS traffic and the portal will appear. Sign on (self-register) and we will receive a username and password; enter the username and password, and our VLAN and IP address will change. If the IP address does not change, renew it manually (as mentioned in the Explanation section).