Better Practices For Guest Networks On Cisco Catalyst Wireless - BRKEWN-2284


Becoming a Wi-Fi Guest Star

Better Practices for Guest Networks on Cisco Catalyst Wireless

Federico Ziliotto, Technical Solutions Architect


CCIE – 23280 (Wireless, R&S)
Special thanks to Jérôme Henry,
Principal Engineer, CCIE 24750
Who contributed to and presented this resource

BRKEWN-2284
From rocking guest Wi-Fi...

...to guest Wi-Fi rock stars


Federico ➔ Fede
• ~16 years at
• 4 years as a Customer Support Engineer (CSE)
• 3 years as a Specialized Systems Engineer
• 5 years as a Consulting Systems Engineer (CSE)
• ~4 years as a Technical Solutions Architect (TSA)

• Always focused on Wireless and NAC

BRKEWN-2284 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
For your reference

• There are slides in your PDF that will not be presented, or quickly presented
• They are valuable, but included only “For your reference”

Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.

A new breakout on wireless guest...

• Learn from past feedback, usefulness and popularity of a feature, requests for more content, etc.
• Some new topics, more details and updates
• References (BRKEWN-2014)
  https://www.ciscolive.com/on-demand/on-demand-library.html?#/session/16360600789430017umm

* Screenshots may refer to different IOS-XE versions, but the options stay very similar

Agenda

• What are guest networks?
• Guest portals techniques and configuration
• Portal-less options (Passpoint and OpenRoaming)
• Advanced settings for better end user experience

Guest Wi-Fi Options

“Open”    Guest Portal    OpenRoaming

(Screenshot: Wi-Fi network list showing “Currently Connected to: Open Roaming: Internet Access”)

The “Open” option

(Screenshot: WLAN creation on C9800)

• No security, no authentication
  o Or “light” security (publicly available passphrase)
  o Or OWE*
• Easy to set up
• Useful for avoiding massive network resources usage (e.g., DHCP)
• Changing password may lead to poor user experience

* Opportunistic Wireless Encryption… assuming your clients support it

For wireless, it’s either secure or open

• Secure SSID

• Open SSID

• A secure SSID cannot fall back to open.
  o Example: guests not supporting 802.1X cannot fall back to web portal authentication on the same SSID as corporate users.

• Pre-shared keys (PSK) and keys derived from 802.1X are not supported on the same SSID.

• We can have a secure SSID (PSK or 802.1X) followed by web portal authentication. In such a scenario, PSK / 802.1X must succeed before the end user can be redirected to a web portal.

Guest Portals

Customer satisfaction    Analytics / $$$    Engagements

What guest portals do?

• Validate who is connecting
  o From “everyone” to “by invitation only”
  o Useful for business operations, or regulatory mandates (MAC address and/or contactable identity collection)
• Disclaimers (local regulations or liability limitation).
  o In some regulatory domains, no disclaimers may mean top tier security (firewalls, intrusion detection, etc.)

Guest portals techniques and configuration

Rocking the 3 portal options (what guests see)

• Cisco Spaces
• WLC
• Identity Services Engine (ISE)

In few words

WLC
• Native and easy to use.
• Ideal for passthrough with local hotspot portals.
• LWA with consent.

Cisco Spaces
• Very easy/powerful to customize and assign hotspot portals based on sites.
• Ideal for passthrough with hotspot portals (or for one-time SMS/email codes).
• LWA with consent.

ISE
• Most versatile solution.
• Ideal for both hotspot and sponsored/self-reg portals.
• It requires an additional learning curve.
• LWA or CWA.

Where “authentication” happens

• Local Web Authentication (LWA) happens at L3.
• LWA needs to rely on IP/DNS high availability options.
  (Diagram: WLC redirects to myPortal.com (10.0.0.200))

• Central Web Authentication (CWA) happens at L2 and L3.
• CWA can rely on RADIUS / ISE high availability options.
  (Diagram: WLC points to a RADIUS servers group: PSN 1, PSN 2, ... PSN N)

Local Web Authentication (LWA)

Diagram columns: AP-WLC, External Resources (DHCP, DNS, etc.), RADIUS Server

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.
We say that LWA is purely L3, because it starts from a client trying to resolve a (server’s) IP address.

1 Association to the SSID configured for Web Auth, with the Pre-Webauth ACL
2 Pre-Webauth ACL permits DHCP, DNS, and other resources
3 HTTP(S) traffic denied by the ACL triggers redirection (traffic denied by the Pre-Webauth ACL triggers redirection to the portal)
4 Endpoint submits credentials
5 WLC queries AAA server (or internal database)
6 Final (L3) policy

LWA with passthrough

Diagram columns: AP-WLC, External Resources (DHCP, DNS, etc.)

When you do not need to authenticate individual users, but connect anyone who asks, possibly with an Acceptable User Policy (AUP) page.

1 Association to the SSID configured for Web Auth, with the Pre-Webauth ACL
2 Pre-Webauth ACL permits DHCP, DNS, and other resources
3 HTTP(S) traffic denied by the ACL triggers redirection to an AUP page (traffic denied by the Pre-Webauth ACL triggers redirection to the portal)
4 User accepts AUP’s (sample page text: “Cisco is pleased to provide web-based Wi-Fi Access in this facility. Please enjoy.”)
5 Final (L3) policy

Passthrough / Consent / Hotspot

• “Passthrough” on AireOS
• “Consent” on IOS-XE
• “Hotspot” on ISE

• The user may need to complete some operation(s) on the web portal (e.g. click “accept”, enter an email address)
• There is no form of authentication performed by the WLC.

(Screenshots: AireOS; IOS-XE under Configuration > Security > Web Auth > Webauth Parameter Map)

LWA and certificates
A certificate signed by a known root CA avoids scary messages

(Diagram: the endpoint’s HTTPS request reaches the WLC through the AP, and the WLC answers with the redirection to its portal page: “Cisco is pleased to provide web-based Wi-Fi Access in this facility. Please enjoy.”)

Certificates for the Controller Web Authentication:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc20

LWA with an anchor controller
A certificate signed by a known root CA avoids scary messages

(Diagram: AP, Foreign WLC and Anchor WLC joined by EoIP/CAPWAP; the HTTPS request is tunnelled to the anchor, which answers with the redirection to its portal page.)

Foreign WLC, Layer 2:
• Association
• MAC filtering
• 802.1X/PSK
• …

Anchor WLC, (VLAN) and Layer 3:
• DHCP
• DNS
• ACL
• QoS

Enterprise Mobility 8.5 Design Guide – Cisco Unified Wireless Network Guest Access Services:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/WirelessNetwork_GuestAccessService.html

Cisco Catalyst 9800 Wireless Controller – AireOS IRCM Deployment Guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html

LWA configuration: 9800’s internal portal (For your reference)

• AAA and method lists
• Pre-webauth ACL
• Web auth parameter map
• WLAN / Policy Profiles

LWA configuration: 9800’s internal portal (For your reference)
AAA and method lists

aaa new-model
!
! For local accounts
aaa authentication login MLIST_AUTHC_LOGIN_LOCAL local
!
aaa authorization network default local

Alternatively, we could use an external RADIUS server too:

radius server RADIUS_SRVR_ISE
 address ipv4 <RADIUS_IP> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
!
aaa group server radius RADIUS_SRVR_GRP_01
 server name RADIUS_SRVR_ISE
!
aaa authentication login MLIST_AUTHC_LOGIN_ISE group RADIUS_SRVR_GRP_01
aaa accounting identity MLIST_ACCT_ID_ISE start-stop group RADIUS_SRVR_GRP_01

LWA configuration: 9800’s internal portal (For your reference)
Pre-webauth ACL

ip access-list extended ACL_LWA_REDIRECT
 permit udp any any eq bootps
 permit udp any eq bootps any
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any host <SRVR_IP> eq 443
 permit tcp host <SRVR_IP> eq 443 any
 deny ip any any

Anything permitted is permitted.
(for HTTP/S) Anything denied is redirected.

<SRVR_IP> in this example could be an internal HTTPS application we’d need to access even before authenticating to the guest portal. This could be readapted to other examples as needed.

LWA configuration: 9800’s internal portal (For your reference)
Web auth parameter map

• “webauth” for a login/pwd portal
• “consent” for a hotspot/passthrough portal

LWA configuration: 9800’s internal portal (For your reference)
WLAN / Policy Profiles

• No L2 security options (unless we’d like 802.1X/PSK/MAB on top of web auth)
• Pre-webauth ACL
• Web Policy enabled
• Web Auth Parameter Map and Authentication List from previous slides

LWA login with an ext. web server

Diagram columns: AP-WLC, External Resources (DHCP, DNS, etc.), External Web Server, RADIUS Server

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.
We say that LWA is purely L3, because it starts from a client trying to resolve a (server’s) IP address.

1 Association to the SSID configured for Web Auth, with the Pre-Webauth ACL
2 Pre-Webauth ACL permits DHCP, DNS, and other resources
3 HTTP(S) traffic denied by the ACL triggers redirection (traffic denied by the Pre-Webauth ACL triggers redirection to the portal)
4 Endpoint redirected to the external web server and submits credentials
5 Server redirects back to WLC’s virtual IF with user’s credentials
6 Endpoint submits credentials
7 WLC queries AAA server (or internal database)
8 Final (L3) policy

LWA passthrough with an ext. web server

Diagram columns: AP-WLC, Ext. Resources (DHCP, DNS, etc.), Ext. Web Server

LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.
We say that LWA is purely L3, because it starts from a client trying to resolve a (server’s) IP address.

1 Association to the SSID configured for Web Auth, with the Pre-Webauth ACL
2 Pre-Webauth ACL permits DHCP, DNS, etc.
3 HTTP(S) traffic denied by the ACL triggers redirection (traffic denied by the Pre-Webauth ACL triggers redirection to the portal)
4 Endpoint redirected to the external web server and accepts AUP’s
5 Server redirects back to WLC’s virtual IF with client’s Ok code
6 HTTP(S) request with Ok
7 Final (L3) policy

LWA and certificates
External web server

(Diagram: the endpoint’s HTTPS request reaches the WLC through the AP and is redirected; the endpoint then sends an HTTPS request to the Web Server, which redirects it back.)

LWA with an anchor controller
External web server

(Diagram: AP, Foreign WLC and Anchor WLC joined by EoIP/CAPWAP; the HTTPS request is tunnelled to the anchor and redirected, then a second HTTPS request goes to the Web Server, which redirects back.)

Foreign WLC, Layer 2:
• Association
• MAC filtering
• 802.1X/PSK
• …

Anchor WLC, (VLAN) and Layer 3:
• DHCP
• DNS
• ACL
• QoS

LWA with FlexConnect (For your reference)
External web server

(Diagram: AP at the Local Site, WLC and Web Server at the Central Site; the HTTPS request from the local site is redirected by the WLC, then a second HTTPS request goes to the Web Server, which redirects back.)

LWA configuration: ext. web server (For your reference)

• AAA and method lists
• Pre-webauth ACL
• Web auth parameter map
• WLAN / Policy Profiles

LWA configuration: ext. web server
AAA and method lists

aaa new-model
!
! For local accounts
aaa authentication login MLIST_AUTHC_LOGIN_LOCAL local
!
aaa authorization network default local

Alternatively, we could use an external RADIUS server too:

radius server RADIUS_SRVR_ISE
 address ipv4 <RADIUS_IP> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
!
aaa group server radius RADIUS_SRVR_GRP_01
 server name RADIUS_SRVR_ISE
!
aaa authentication login MLIST_AUTHC_LOGIN_ISE group RADIUS_SRVR_GRP_01
aaa accounting identity MLIST_ACCT_ID_ISE start-stop group RADIUS_SRVR_GRP_01

LWA configuration: ext. web server (For your reference)
AAA and method lists

If our portal is a passthrough/consent/hotspot one, like with Cisco Spaces, we can just “relax”.
No local database or external RADIUS servers are needed, because there is no guest account to authenticate (authC/authZ method lists should still be configured).

LWA configuration: ext. web server (For your reference)
Pre-webauth ACL

ip access-list extended ACL_LWA_REDIRECT
 permit udp any any eq bootps
 permit udp any eq bootps any
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any host <WEB_SRVR_IP> eq <WEB_SRVR_PORT>
 permit tcp host <WEB_SRVR_IP> eq <WEB_SRVR_PORT> any
 deny ip any any

Anything permitted is permitted.
(for HTTP/S) Anything denied is redirected.

<WEB_SRVR_IP> and <WEB_SRVR_PORT> are the IP/port of the external web server, to allow access to its guest portal even before web authentication.

Example with DNA Spaces public IPs (ymmv):

ip access-list extended ACL_LWA_REDIRECT
 permit udp any any eq bootps
 permit udp any eq bootps any
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any host 34.235.248.212 eq 443
 permit tcp host 34.235.248.212 eq 443 any
 permit tcp any host 52.55.235.39 eq 443
 permit tcp host 52.55.235.39 eq 443 any
 deny ip any any

LWA configuration: ext. web server (For your reference)
Web auth parameter map

The “global” Web Auth Parameter Map determines the Virtual IP and the trustpoint certificate used for LWA redirections.
Other custom Web Auth Parameter Maps will inherit these settings.

LWA configuration: ext. web server (For your reference)
Web auth parameter map

• “webauth” for a login/pwd portal
• “consent” for a hotspot/passthrough portal

Note: with external portals we may want to disable the 9800’s internal logout and success windows.

LWA configuration: ext. web server (For your reference)
Web auth parameter map for DNA Spaces

Change the Web Auth Parameter Map’s “Type” to “consent”

Modify the Advanced parameters with:
• Redirect for log-in = https://<DNA_SPACES_IP>/<PATH>
• Redirect Append for AP MAC Address = ap_mac
• Redirect Append for Client MAC Address = client_mac
• Redirect Append for WLAN SSID = wlan
• Portal IPV4 Address = <DNA_SPACES_IP>

LWA configuration: ext. web server (For your reference)
WLAN / Policy Profiles

• No L2 security options (unless we’d like 802.1X/PSK/MAB on top of web auth)
• Pre-webauth ACL
• Web Policy enabled
• Web Auth Parameter Map and Authentication List from previous slides

Note: if the web auth parameter map is configured for “consent” (i.e. passthrough), the Authentication List is not needed.

LWA configuration: ext. web server (For your reference)
ISE as the RADIUS authentication server: Policy Set

• Some NADs (e.g., C9k switches and controllers) use Outbound, some others (e.g., other Catalyst switches and AireOS WLCs) use Login
• Wireless NADs use Wireless – IEEE 802.11, wired NADs use Ethernet

LWA configuration: ext. web server (For your reference)
ISE as the RADIUS authentication server: Policy Set (alternative)

On top of “NAS-Port-Type = Wireless – IEEE 802.11”, we could additionally filter for a specific SSID with the RADIUS attribute [32] NAS-Identifier (more on this in later slides)

LWA configuration: ext. web server (For your reference)
ISE as the RADIUS authentication server: authentication policies

• Guest accounts created by Sponsors / Self-Registrations go in the “Guest Users” store, which is accessible only through a sponsor account/portal (not through the admin one)
• Not much needed in the authC policies unless we’d like to do some extra filtering
• The Guest_Portal_Sequence checks by default internal and external sources

LWA configuration: ext. web server (For your reference)
ISE as the RADIUS authentication server: authorization policies

In the authZ policies we can configure pretty much whatever best suits the final needs (e.g., AD groups, guest groups, etc.)

Cisco Spaces passthrough portal example

It’s a consent / passthrough / hotspot workflow from the controller’s perspective.
We can still configure some end user verifications through Cisco Spaces directly.

Central Web Authentication (CWA)

Diagram columns: AP-WLC, External Resources (DHCP, DNS, etc.), Identity Services Engine (ISE)

CENTRAL because the redirection URL, the pre-webauth ACL are centrally configured on ISE and dynamically communicated to the WLC (NAD*) via RADIUS.
CWA is partially L2 (MAC Authentication) and partially L3 (redirect on IP resolution).
*Network Access Device

1 Association to the SSID configured for MAC Filtering
2 MAC Authentication
3 Access-Accept from the guest portal redirection rule, with Url-Redirect + Url-Redirect-Acl
4 Url-Redirect-Acl permits DHCP, DNS, and other resources
5 HTTP(S) traffic hits the Url-Redirect-Acl and triggers redirection to ISE (traffic denied (AireOS) / permitted (IOS-XE) by the Url-Redirect-Acl triggers redirection to the Url-Redirect)
6 Login / AUP Page submission; endpoint’s session updated
7 Change of Authorization (CoA)
8 MAC (Re-)Authentication
9 Final (L2/L3) policy

CWA is a “URL-Redirect” scenario (For your reference)

Diagram columns: NAD, External Resources (DHCP, DNS, AV, MDM, etc.), ISE (PSN)

• Traffic permitted by the Url-Redirect-Acl triggers redirection to the Url-Redirect
• dACL actually permits/denies traffic

1st connection
1 802.1X / MAC Authentication
2 Access-Accept from the Guest/BYOD/posture/MDM portal redirection rule (Url-Redirect + Url-Redirect-Acl + dACL)
3 dACL permits DHCP, DNS, ISE portal(s) and other resources
4 HTTP(S) traffic permitted by the Url-Redirect-Acl triggers redirection to ISE (ISE portal for guest, BYOD, posture, MDM, etc.)
5 Additional actions if needed (profile, agent, AV download, etc.)
6 Endpoint’s session updated
7 Change of Authorization (CoA)

2nd connection (if CoA terminate)
8 802.1X / MAC Authentication
9 Guest/BYOD/posture/MDM Final Access-Accept, with final (d)ACL/SGT/VLAN/etc.

URL-Redirect-Acl

For Cisco IOS(-XE) based WLCs/NADs (e.g., Catalyst switches and wireless controllers), traffic permitted by the Url-Redirect-Acl triggers redirection to the Url-Redirect and traffic denied by the Url-Redirect-Acl is just permitted (if not denied by other dACL/Filter-ID, if any).
An optional dACL/Filter-ID can control more granularly which traffic is permitted/denied.
Note: Catalyst 9800 supports dACL starting from IOS-XE 17.10.1 (otherwise it’s ignored)

ip access-list extended ACL_REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny ip any host 10.150.20.220
 permit ip any any

URL-Redirect-Acl (For your reference)

For Cisco AireOS based NADs (e.g., 3504, 5520, 8540 WLCs), traffic denied by the Url-Redirect-Acl triggers redirection to the Url-Redirect.
Other traffic permitted by the Url-Redirect-Acl is simply permitted.

(Screenshot annotation: “Ignored”)

CWA and certificates

AVP’s:
• url-redirect-acl
• url-redirect

(Diagram: ISE sends the AVPs to the WLC; the endpoint’s HTTPS request through the AP is redirected by the WLC to ISE.)

Central Web Authentication on the WLC and ISE Configuration Example:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
ISE and Catalyst 9800 series integration guide:
https://community.cisco.com/t5/security-documents/ise-and-catalyst-9800-series-integration-guide/ta-p/3753060

CWA with an anchor controller

AVP’s:
• url-redirect-acl
• url-redirect

(Diagram: AP, Foreign WLC and Anchor WLC joined by EoIP/CAPWAP, with ISE; the endpoint’s HTTPS request is redirected to ISE.)

Foreign WLC, Layer 2:
• Association
• MAC filtering
• 802.1X/PSK
• …

Anchor WLC, Layer 2:
• VLAN

Anchor WLC, Layer 3:
• DHCP
• DNS
• ACL
• QoS

CWA with FlexConnect (For your reference)

AVP’s:
• url-redirect-acl
• url-redirect

(Diagram: AP at the Local Site, WLC and ISE at the Central Site; the endpoint’s HTTPS request is redirected to ISE.)

CWA with Software-Defined Access (SDA) (For your reference)

AVP’s:
• url-redirect-acl
• url-redirect

(Diagram: AP, WLC, ISE and a Campus Fabric. Link types shown: CAPWAP Control, CAPWAP Data, VXLAN, HTTPS redirection, Data traffic.)

Legend:
C Control-Plane Node (Map Server)
B Border Node
E Edge Node

CWA configuration

• AAA and method lists
• Url-Redirect-Acl
• WLAN / Policy Profiles
• Policy set and authentication/authorization rules on ISE

CWA configuration
AAA and method lists

radius server RADIUS_SRVR_ISE
 address ipv4 <ISE_IP> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
!
aaa new-model
!
aaa group server radius RADIUS_SRVR_GRP_01
 server name RADIUS_SRVR_ISE
!
aaa authorization network MLIST_AUTHZ_NTWRK_ISE group RADIUS_SRVR_GRP_01
aaa accounting identity MLIST_ACCT_ID_ISE start-stop group RADIUS_SRVR_GRP_01
!
aaa server radius dynamic-author
 client <ISE_IP> server-key <SHARED_SECRET>

Callout next to the accounting and dynamic-author lines: Particularly needed for CoA support for CWA

CWA configuration (For your reference)
ISE configuration: network device entry for the wireless controller

CWA configuration
Url-Redirect-Acl

ip access-list extended ACL_CWA_REDIRECT
 deny udp any any eq bootps
 deny udp any eq bootps any
 deny udp any any eq domain
 deny udp any eq domain any
 deny tcp any host <ISE_IP> eq 8443
 deny tcp host <ISE_IP> eq 8443 any
 permit ip any any

Anything denied is permitted.
(for HTTP/S) Anything permitted is redirected.

<ISE_IP> here is the IP on which ISE PSN serves the guest portal (by default on TCP:8443).
If we’re using multiple ports/interfaces on ISE, it may be different from ISE’s admin IP or even from its IP used for RADIUS traffic, for example.

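The LWA pre-webauth ACL and the IOS-XE Url-Redirect-Acl use opposite polarity (denied is redirected versus permitted is redirected), so an ACL written for one and applied under the other silently changes what guests can reach before the portal. The Python model below is an added example, not Cisco code and not part of the original deck: it parses the ACL syntax shown on the slides and classifies DHCP, DNS and web probes under each convention, generalizing to the AireOS rule as well. The address 192.0.2.10 is a constructed stand-in for <SRVR_IP> and <ISE_IP>, and "no-redirect" is this model's own label for intercepted traffic that is not HTTP/S.

```python
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
WEB_PORTS = {80, 443}
# ACL action that sends HTTP(S) to the portal, as stated on the slides.
REDIRECT_ON = {
    "lwa": "deny",          # pre-webauth ACL: denied is redirected
    "cwa-aireos": "deny",   # AireOS Url-Redirect-Acl: denied is redirected
    "cwa-iosxe": "permit",  # IOS-XE Url-Redirect-Acl: permitted is redirected
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]    # None means "any"
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in (None, p.src) and self.sport in (None, p.sport)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))

def _endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    word = tokens.pop(0)
    if word not in ("any", "host"):
        raise ValueError(f"unsupported address form: {word}")
    addr = tokens.pop(0) if word == "host" else None
    port = None
    if tokens[:1] == ["eq"]:
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return addr, port

def parse_acl(text):
    """Parse the permit/deny lines of an extended ACL; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        rest = tokens[2:]
        src, sport = _endpoint(rest)
        dst, dport = _endpoint(rest)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces

def classify(aces, mode, pkt):
    """Return 'forward', 'redirect' or 'no-redirect' for one packet."""
    action = next((a.action for a in aces if a.matches(pkt)), "deny")  # implicit deny
    if action != REDIRECT_ON[mode]:
        return "forward"      # not intercepted (a dACL/Filter-ID may still apply)
    if pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
        return "redirect"     # HTTP(S) is sent to the portal
    return "no-redirect"      # intercepted but not HTTP(S); handling not modelled

# Constructed sample data: the slide ACLs with 192.0.2.10 as the placeholder IP.
LWA_ACL = """ip access-list extended ACL_LWA_REDIRECT
 permit udp any any eq bootps
 permit udp any eq bootps any
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any host 192.0.2.10 eq 443
 permit tcp host 192.0.2.10 eq 443 any
 deny ip any any
"""
CWA_ACL = """ip access-list extended ACL_CWA_REDIRECT
 deny udp any any eq bootps
 deny udp any eq bootps any
 deny udp any any eq domain
 deny udp any eq domain any
 deny tcp any host 192.0.2.10 eq 8443
 deny tcp host 192.0.2.10 eq 8443 any
 permit ip any any
"""
PROBES = {
    "dhcp": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Packet("udp", "10.0.0.50", 40000, "10.0.0.1", 53),
    "web": Packet("tcp", "10.0.0.50", 40001, "203.0.113.80", 80),
}

def audit(acl_text, mode):
    return {n: classify(parse_acl(acl_text), mode, p) for n, p in PROBES.items()}

if __name__ == "__main__":
    print(audit(LWA_ACL, "cwa-iosxe"))  # LWA-style ACL misapplied as an IOS-XE redirect ACL
```

With the LWA-style ACL returned as an IOS-XE Url-Redirect-Acl, DHCP and DNS are intercepted and web traffic is forwarded without ever reaching the portal, which is the misconfiguration worth testing for after any ACL change.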
CWA configuration – C9800
Optional: NAS-Identifier to redirect to different portals based on site tag, AP location, WLAN name, etc.

RADIUS [32] NAS-Identifier = Option1:Option2:Option3

CWA configuration (For your reference)
Optional: Called-Station-Id to redirect to different portals based on AP location, AP name, etc.

RADIUS [30] Called-Station-Id

CWA configuration – C9800
WLAN / Policy Profiles

WLAN Profile
• Open SSID, unless we’d like to add 802.1X/PSK on top
• MAC Filtering with the “MLIST_AUTHZ_NTWRK_ISE” authorization list

Policy Profile
• “Allow AAA Override” for the 9800 to accept RADIUS attributes
• “NAC State” enabled and “RADIUS” NAC Type for CoA support from ISE
• (optional) “AAA_POLICY_1” for a custom NAS-Identifier
• “MLIST_ACCT_ID_ISE” accounting list for CoA and accounting with ISE

CWA configuration - ISE
ISE configuration: Policy Set

• Wireless NADs use “Wireless – IEEE 802.11”, wired NADs use “Ethernet”
• Cisco NADs use “Call Check”, for other 3rd party NADs we’d need to check what other values are used
• Usually we could just rely on the pre-defined smart conditions, which automatically adapt according to the NAD Profile

CWA configuration - ISE
ISE configuration: authentication policies

“If User not Found ➔ CONTINUE” is fundamental for CWA to work.
Although CWA is based on MAC Filtering / MAB, when a guest connects for the very first time ISE is not supposed to know its MAC yet. This option allows the request to continue to the authZ policies anyway (for the portal redirection).

Not much needed in the authC policies unless we’d like to do some extra filtering

CWA is based on MAC Filtering on the NAD, so the authC policy should point to the MACs database in ISE

CWA configuration - ISE
ISE configuration: authorization policies

By default, the session of an endpoint that successfully went through a portal’s workflow is marked with the attribute “Use Case = Guest Flow” in the ISE’s internal database.

Alternatively, the guest portal’s options allow registering the MAC of an endpoint that successfully went through the portal’s workflow into a specific Identity Group.

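The CWA pieces configured on the last few slides (MAB with “If User not Found ➔ CONTINUE”, the redirect authorization result, the Guest Flow marker and the dynamic-author client for CoA) only work together, and each one fails in a recognizable way when it is missing. The Python model below is an added example, not ISE or controller code and not part of the original deck: it plays the exchange between a toy policy server and a toy NAD and returns the session states seen. The portal URL, IP addresses, MAC address and state names are constructed for the illustration.

```python
from dataclasses import dataclass, field

PORTAL_URL = "https://portal.example.test:8443/portal"  # constructed placeholder
REDIRECT_ACL = "ACL_CWA_REDIRECT"                        # ACL name used on the slides


@dataclass
class PolicyServer:
    """Stand-in for the RADIUS and portal side of CWA."""
    ip: str
    if_user_not_found: str = "CONTINUE"           # authC option discussed above
    known_macs: set = field(default_factory=set)  # MAC database consulted by MAB
    guest_flow: set = field(default_factory=set)  # endpoints that finished the portal

    def mab(self, mac):
        """Answer a MAC authentication request from the NAD."""
        if mac not in self.known_macs and self.if_user_not_found != "CONTINUE":
            return {"code": "Access-Reject"}       # never reaches the authZ rules
        if mac in self.guest_flow:
            return {"code": "Access-Accept"}       # final policy, no redirect
        return {"code": "Access-Accept",
                "url-redirect": PORTAL_URL,
                "url-redirect-acl": REDIRECT_ACL}

    def portal_submit(self, mac):
        """Guest completed the portal: mark the endpoint and request a CoA."""
        self.guest_flow.add(mac)
        self.known_macs.add(mac)
        return {"code": "CoA-Request", "from": self.ip, "mac": mac}


@dataclass
class Controller:
    """Stand-in for the NAD (wireless controller)."""
    server: PolicyServer
    dynamic_author_clients: set                    # 'aaa server radius dynamic-author'
    sessions: dict = field(default_factory=dict)   # mac -> session state

    def associate(self, mac):
        """Run MAB for a client and record the resulting session state."""
        reply = self.server.mab(mac)
        if reply["code"] == "Access-Reject":
            state = "rejected"
        elif "url-redirect" in reply:
            state = "webauth-pending"
        else:
            state = "run"
        self.sessions[mac] = state
        return state

    def on_coa(self, coa):
        """Re-authenticate only when the CoA comes from a configured client."""
        if coa["from"] not in self.dynamic_author_clients:
            return "CoA-ignored"
        self.associate(coa["mac"])
        return "CoA-ACK"


def guest_journey(controller, mac):
    """Association, portal submission and CoA; returns the states seen in order."""
    states = [controller.associate(mac)]
    if states[-1] == "webauth-pending":
        coa = controller.server.portal_submit(mac)
        states.append(controller.on_coa(coa))
        states.append(controller.sessions[mac])
    return states


if __name__ == "__main__":
    ise = PolicyServer(ip="192.0.2.20")
    print(guest_journey(Controller(ise, {"192.0.2.20"}), "aa:bb:cc:00:00:01"))
```

With the authC option set to anything other than CONTINUE the first-time guest is rejected before any redirect is returned, and without the dynamic-author client the session stays in the redirect state until the client re-associates.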
CWA configuration - ISE
ISE configuration: authorization policies

By optionally customizing the RADIUS attribute [32] NAS-Identifier on the 9800, we can reuse this attribute in the
authZ policies to redirect to different portals based on the Site Tag / Location / etc. of the AP, where the endpoint
is connecting from.

CWA configuration - ISE
ISE configuration: authorization profile

• Url-Redirect-Acl
• “Hot Spot” for a hotspot/passthrough portal
• “Centralized Web Auth” for sponsored or self-registered portals
• Name of the Url-Redirect portal for our use case, created under Work Centers > Guest Access > Portals & Components > Guest Portals
• The Url-Redirect dynamically uses the PSN’s FQDN, but we can override it

CWA configuration - ISE
ISE configuration: hotspot portal settings

Identity Group used in the authZ policy to let guests go through the portal just once every X days...

...according to the purge rules configured here

CWA configuration (For your reference)
ISE configuration: sponsored portal settings

In this example, under Guest Types > Daily

This is used for guest logins with accounts not created by a sponsor (e.g., internal store, AD, LDAP, etc.)
For accounts created by a sponsor, the sponsor decides the Guest Type.

CWA configuration (For your reference)
ISE configuration: self-registered portal settings

In this example, under Guest Types > Daily

Note: not the same as for employees under “Portal Settings”

ISE portal customization options

• Granular options to customize guest and sponsor portals
• Visualize as you configure
• Consistent branding across device-types
• Test portal URL then and there

ISE guest portals: some other facts (For your reference)

• Up to max ~150 concurrent logins/web page requests per second per PSN (Policy Services Node):
  https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#Cisco_Reference.dita_59adea36-0b36-4981-91e3-2ff0478d6ff4
• Up to 1M guest accounts with the internal database.
• Support for Facebook Wi-Fi as of ISE 2.3.
• More customization options available with the dedicated portal builder:
  https://isepb.cisco.com
• It supports APIs for guest accounts creation and additional integration with external tools.

OpenRoaming
Passpoint
• The need: seamless and secure end user’s connectivity to Wi-Fi
• The former answer: 802.11u / Hotspot 2.0 / Passpoint

[Diagram: AP and WLC connected to a Service Provider (BU, Fairizon, AT&U, U-Mobile, Lemon, etc.)]

BUT… it required routing/VPN for secure RADIUS messages, a “clearinghouse” and a AAA proxy for multiple identity providers, it mainly worked with very few service providers, etc.

OpenRoaming

Access Providers
• Enterprise offices
• SP-owned
• Public hotspots
• Home networks
• Etc.

Identity Providers
• Service providers
• Venue/loyalty chain
• Network operators
• Web companies
• Etc.

OpenRoaming
[Sequence diagram. Elements: AP, WLC, Cisco Spaces Connector (hotspot, RADSEC proxy), DNS, IDP AAA, IDP]

1. 802.11u beacon “OR-CL”
2. Associate to “OR-CL”
3. EAP Id request
4. EAP response [email protected] (RADIUS)
5. Lookup guestco.com AAA address (DNS)
6. RADSEC

Transport labels: EAP over (W)LAN, EAP over RADSEC

OpenRoaming Architecture

[Diagram. Elements: Certificate Authority & Revocation service; OpenRoaming Identity Federation; Wi-Fi Access Network (AP/Controller); Spaces “hotspot” Connector; RADSEC proxy (or AAA); IDP AAA; Credential. Links labelled RADIUS, RADSEC and Sign-up/Manage.]

• OpenRoaming.org PKI management
• DNS-based IDP discovery
• TLS tunnel management
• RADIUS-RADSEC proxy
• RADIUS attribute adaptation

Prospected OpenRoaming user experience

Panels 1 to 3:
• User walks into a Starbucks, which is supported by OpenRoaming w/ Google as IDP.
• Device Identifies SSID
• Zero-Touch by User. Authenticated through [image]

Panels 4 to 6:
• User walks onto the Microsoft campus, which only will authenticate using LinkedIn in OpenRoaming.
• Zero-Touch by User. Authenticated through [image] since LinkedIn was added previously to their profile

[Screenshots: the wireless network list, with the device “Currently Connected to: Open Roaming: Internet Access” on the OpenRoaming SSID]

Device Provisioning

[Diagram: AP & IDP Signup. Elements: User Credentials; Service & app; web service; IDP Credentials; Certificate Authority & member validation; open-roaming Identity Federation; Wi-Fi Access Network; AAA; two RADSEC Proxy Services (one marked *); IDP; Identity Authentication Provider; Credentials; email. Links labelled “IDP Sign-up (provision certificate)” and “Sign-up (provision credential)”. Legend: Open-roaming elements.]

OpenRoaming Mobile App, or Your Own

• OpenRoaming app: iOS and Android
• Sign in through the available cloud IDPs: Apple ID and Google Account

Build your own:
• App
• APIs
• SDK
• Profile Management

https://developer.cisco.com/dna-spaces-sdk/

Advanced settings for better end user experience
Wi-Fi Certified Enhanced Open
The next generation of hotspot security
• Another WFA certification (not part of WPA3), mostly for hotspots.
• Based on Opportunistic Wireless Encryption (OWE): APs and clients automatically negotiate encryption.
• It prevents passive attacks (i.e., traffic visibility).

Endpoints not supporting Enhanced Open might not correctly see/connect to an SSID with Enhanced Open configured.
But...

Wi-Fi Certified Enhanced Open
OWE Transition Mode to the “rescue”

[Diagram: the AP advertises the SSID OWE-Guest with “RSN info: AKM Suite Type 18”]
• OWE capable endpoint: “Cool, an OWE SSID!”
• OWE not capable endpoint: “Type 18 what? Not sure...”

Wi-Fi Certified Enhanced Open
OWE Transition Mode to the “rescue”

[Diagram: the AP advertises two SSIDs]
• OWE-Guest (not broadcasted): RSN info: AKM Suite Type 18
• Open-Guest: Vendor Specific Tag: Wi-Fi Alliance: OWE Transition Mode, SSID: OWE-Guest
• OWE capable endpoint: “Oh, I see you also have a (hidden) OWE SSID? Yes, better...”
• OWE not capable endpoint: “Open, yes, interested!”

Guest Experts don’t change VLAN (CWA)

[Sequence diagram between the endpoint, AP, WLC and ISE]
1. 1st Association
2. MAC Auth. Request
3. MAC Auth. Response, AVPs: (VLAN A), URL-Redirect-ACL, URL-Redirect. Endpoint: IP A, VLAN A
4. Premium Guest ➔ VLAN B: CoA Reauthenticate
5. MAC Auth. Request
6. MAC Auth. Response, AVPs: VLAN B, Session-Timeout, AVC Profile. Endpoint: IP A, VLAN B

Guest Experts don’t change VLAN (CWA)

[Sequence diagram between the endpoint, AP, WLC and ISE]
1. 1st Association
2. MAC Auth. Request
3. MAC Auth. Response. Endpoint: IP A, VLAN A
4. Premium Guest ➔ ACL/SGT: CoA Reauthenticate
5. MAC Auth. Request
6. MAC Auth. Response, AVPs: (VLAN A), Session-Timeout, AVC Profile, ACL/SGT. Endpoint: IP A, VLAN A

Guest Experts sometimes change VLAN (CWA)

[Sequence diagram between the endpoint, AP, WLC and ISE]
1. 1st Association
2. 802.1X EAP Request
3. 802.1X EAP Response
4. EAP and RADIUS Exchanges (Premium Guest ➔ VLAN B)
5. RADIUS Response, AVPs: VLAN B, URL-Redirect-ACL, URL-Redirect. Endpoint: IP B, VLAN B
6. CoA Reauthenticate
7. RADIUS Request
8. RADIUS Response, AVPs: Session-Timeout, AVC Profile

Timeouts and caching the endpoint’s session
CWA example

As an option, we could dynamically assign the Session Timeout through the RADIUS attribute [27] Session-Timeout.

[Diagram: AP, WLC and ISE; the endpoint moves from Webauth Init to Run, bounded by the Session Timeout]

Timeouts and caching the endpoint’s session
CWA example
Endpoints that went through a portal can be “cached” in ISE by registering their MACs in an Identity Group used in the authZ policy, so that they go through the portal just once every X days/weeks/months.

[Diagram: AP, WLC and ISE; ISE stores the client’s MAC, and the endpoint moves from Webauth Init to Run, bounded by the Session Timeout]

What if the MAC address keeps changing?
[Sequence diagram between the endpoint, AP, WLC and ISE]
1. Associate with MAC #1
2. MAC #1? ➔ Guest Portal Workflow
3. MAC #1 Authorized ✔, MAC #1 cached
4. (Re-)Associate with MAC #2
5. MAC #2? ➔ Guest Portal Workflow
6. MAC #2 Authorized ✔, MAC #2 cached

No matter the web auth technique (LWA or CWA) or the guest portal solution that we choose (WLC’s internal portal, Cisco Spaces, ISE, 3rd party non-Cisco solution, etc.)

Locally administered (a.k.a., randomized) MAC
So far…
• Windows
  o Randomization disabled by default
  o Once a random MAC is generated for an SSID, the endpoint keeps using it until deletion of the SSID
  o Can be configured to use a different randomized MAC every day
• Android
  o Randomization enabled by default
  o Android 10 and 11: the same randomized MAC is used for the same SSID, even if deleted/re-added
  o Android 12: under some frequent conditions a new randomized MAC is generated for every new association
• Apple
  o Randomization enabled by default
  o Once a random MAC is generated for an SSID, the endpoint keeps using it until deletion of the SSID

What options do we have?
1. Let it be and monitor
   o On the 9800, starting from IOS-XE 17.5.1, under the endpoint’s details
   o On DNAC, starting from 2.2.3, in the clients list and AI Endpoint Analytics too

2. Block randomized MACs
   o On the 9800, starting from IOS-XE 17.5.1 (the randomized MAC cannot even associate):
     WLAN Profile > Advanced > Deny LAA (RCM) clients
   o On ISE, with an authC/authZ condition (the randomized MAC gets past association):
     Calling-Station-ID MATCHES ^.[26AEae].*

3. Force disabling randomized MACs through an MDM solution (more adapted to enterprise/BYOD use cases)

More details:
https://www.cisco.com/c/en/us/products/collateral/wireless/randomized-changing-mac-dg.html
and
https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-ise/ta-p/4049321
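
The ISE condition `^.[26AEae].*` works because a locally administered unicast MAC has the 0x02 bit set and the 0x01 bit clear in its first octet, which leaves 2, 6, A or E as the second hex digit. The following is an added example, not code from the presentation or from Cisco: it performs the same test on the bits and compares it with the regex over constructed Calling-Station-ID values, including one that is not a MAC address.

```python
import re

# The ISE authC/authZ condition quoted above, applied to Calling-Station-ID.
ISE_CONDITION = re.compile(r"^.[26AEae].*")

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_randomized(value):
    """True for a unicast, locally administered address (LAA / RCM)."""
    mac = normalize_mac(value)
    if mac is None:
        raise ValueError(f"not a MAC address: {value!r}")
    first_octet = int(mac[:2], 16)
    # bit 0x02 = locally administered, bit 0x01 = group (multicast)
    return bool(first_octet & 0x02) and not first_octet & 0x01

def audit(calling_station_ids):
    """Return (value, bit_test, regex_match); bit_test is None for non-MACs."""
    rows = []
    for csid in calling_station_ids:
        bit_test = is_randomized(csid) if normalize_mac(csid) else None
        rows.append((csid, bit_test, bool(ISE_CONDITION.match(csid))))
    return rows

# Constructed sample values, not taken from the presentation.
SAMPLES = [
    "3A-5F-10-22-33-44",   # locally administered
    "f6:aa:bb:cc:dd:ee",   # locally administered
    "00-1B-44-11-3A-B7",   # universally administered
    "a4c3.f0aa.bbcc",      # universally administered, dotted notation
    "12.34.56.78",         # not a MAC at all, yet the regex matches it
]

if __name__ == "__main__":
    for value, bit_test, regex_match in audit(SAMPLES):
        print(f"{value:20} bit_test={bit_test!s:5} regex={regex_match}")
```

The last sample shows why the regex condition belongs in a policy set that only receives MAC-formatted Calling-Station-ID values: it inspects one character and does not validate the format.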

Guest portal redirection with HTTPS pages

[Diagram: endpoint, AP and WLC; the endpoint sends an HTTPS request for Google and an HTTPS request for Yahoo]

Guest portal redirection with HTTPS pages
Let’s delegate the portal detection through HTTP to the OS/browser

[Flow diagram on the endpoint, behind the AP]
1. Open SSID? Yes
2. Can I reach an (HTTP) page?
   o http://www.apple.com/library/test/success.html
   o http://clients3.google.com/generate_204
   o http://detectportal.firefox.com
   o etc.
3. No ➔ Pop-up the embedded browser

Logging guest users’ activity

[Diagram: web portal traffic goes to ISE; data traffic crosses inline devices with potential traffic visibility]

Logging guest users’ activity

[Diagram: ISE, inline devices with potential traffic visibility on the data traffic, and a SIEM]
• SYSLOG: IP XYZ sent this traffic
• RADIUS accounting / SNMP: user ABC, IP XYZ, etc.

Logging guest users’ activity

• “SYSLOG: IP XYZ sent this traffic”
• “RADIUS accounting: user ABC, IP XYZ, etc.”
• IP XYZ > user ABC, so “user ABC sent this traffic”

[Diagram elements: ISE; inline devices with potential traffic visibility; data traffic]

Configuring Integrated URL Logging and Reporting of Guest Traffic in a Cisco Network:
http://www.cisco.com/c/en/us/support/docs/security/nac-appliance-clean-access/110304-integrated-url-log.html
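
The correlation described above (IP XYZ > user ABC) only holds for the time window in which the user actually held that IP. The following is an added example, not code from the presentation or from any Cisco product: it builds time-bounded sessions from RADIUS accounting Start/Stop records and attributes syslog events to users. The record layout, user names, addresses and timestamps are constructed assumptions.

```python
from datetime import datetime

# Constructed RADIUS accounting records: (user, Framed-IP-Address, status, time)
ACCOUNTING = [
    ("user-abc", "10.10.20.15", "Start", "2023-02-07T09:00:00"),
    ("user-abc", "10.10.20.15", "Stop",  "2023-02-07T09:40:00"),
    ("user-def", "10.10.20.15", "Start", "2023-02-07T10:05:00"),  # IP re-leased
]
# Constructed syslog events from an inline device: (source IP, time, message)
SYSLOG = [
    ("10.10.20.15", "2023-02-07T09:12:31", "GET http://example.com/"),
    ("10.10.20.15", "2023-02-07T09:55:00", "GET http://example.org/"),
    ("10.10.20.15", "2023-02-07T10:20:10", "GET http://example.net/"),
]

def build_sessions(records):
    """Turn Start/Stop records into {ip: [(start, stop_or_None, user), ...]}."""
    sessions = {}
    for user, ip, status, ts in sorted(records, key=lambda r: r[3]):
        when = datetime.fromisoformat(ts)
        intervals = sessions.setdefault(ip, [])
        last_open = bool(intervals) and intervals[-1][1] is None
        if status == "Start":
            if last_open:  # missed Stop: the new Start ends the old session
                start, _, who = intervals[-1]
                intervals[-1] = (start, when, who)
            intervals.append((when, None, user))
        elif status == "Stop" and last_open and intervals[-1][2] == user:
            start, _, who = intervals[-1]
            intervals[-1] = (start, when, who)
    return sessions

def attribute(events, sessions):
    """Return [(user_or_None, ip, time, message)] for each syslog event."""
    out = []
    for ip, ts, msg in events:
        when = datetime.fromisoformat(ts)
        user = None
        for start, stop, who in sessions.get(ip, []):
            if start <= when and (stop is None or when < stop):
                user = who
        out.append((user, ip, ts, msg))
    return out

if __name__ == "__main__":
    for row in attribute(SYSLOG, build_sessions(ACCOUNTING)):
        print(row)
```

The second event falls between two sessions and stays unattributed, and the third goes to the user who held the same IP later; a plain IP-to-user lookup table would get both wrong.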

It’s never too late to read the guide

LTREWN-2724 Be My Guest: Designing and Troubleshooting Wireless Guest Networks with Catalyst 9800 Wireless Controller
https://www.ciscolive.com/emea/learn/sessions/session-catalog.html?search=LTREWN-2724#/
Understand Catalyst 9800 Wireless Controllers Configuration Model
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213911-understand-catalyst-9800-wireless-contro.html
Configure a Web Authentication SSID on Catalyst 9800 Wireless Controllers
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213923-configure-a-web-authentication-ssid-on-c.html
Generate CSR for Third-Party Certificates and Download Chained Certificates to Catalyst 9800 Wireless Controllers
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html
Central Web Authentication (CWA) on Catalyst 9800 Wireless Controllers and ISE Configuration Example
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html
Configure Mobility Anchor on Catalyst 9800 Wireless Controllers
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html
C9800 Technical References
https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-technical-reference-list.html
C9800 Configuration Examples and Tech Notes
https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html

The path of a guest (rock)star
Understanding the environment/use case
Mastering tools and options

Caring for end users/visitors
