Example for Configuring CWA Authentication

Owned by Tracy Yang
Jul 18, 2024
5 min read

Networking Requirements

As shown in Figure 1, the terminals in the visitor area are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information assets. Therefore, the administrator employs the CWA on the Switch and on the Web Authentication Server of the AAA to control the users' network access rights to ensure internal network security.

Prerequisite

Ensure that PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.

Configuration on the AAA Server

The configuration roadmap on the Web Authentication Server is as follows. For details, refer to the solution document Configuring Pica8 Switches with ClearPass Guest Central Web Authentication in Typical Configuration of NAC.

  • Configure the Eth0 IP address of the switch to establish a connection to the switch.
  • Configure the username and password on the AAA server for Web authentication.
  • Configure a dynamic VLAN which is used to access the network normally after the user successfully authenticates.
  • Configure other Web authentication attributes for Web authentication.

Configuration on the Switch

  • Configure the 802.1X authentication server and Web authentication server on the Switch.
  • The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.
  • Configure block VLAN and dynamic VLAN.
  • Configure CoA authorization client.

Figure 1. Networking Diagram for Configuring CWA Authentication

Procedure

Step1         Configure the access port to trunk mode.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk

Step2         Configure the MAB and Web authentication modes. The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode mac-radius
admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode web

Step3         Configure IP address of RADIUS server and the DNS server.

admin@XorPlus# set protocols dot1x aaa radius authentication server-ip 10.10.51.4 shared-key pica8
admin@Xorplus# set system dns-server-ip 192.168.10.1

NOTE:

  • Configuring DNS server IP is required for CWA authentication.
  • Make sure to configure the mapping of the domain name of the redirect URL to the IP address on the DNS server.

Step4         Configure the NAS IP address to the IP address of Eth0 interface which is connected to the AAA server.

admin@XorPlus# set protocols dot1x aaa radius nas-ip 10.10.51.100

This command is used to set the nas-ip field in RADIUS access-request message. If you use the management interface eth0/eth1 to connect to the RADIUS server, the IP address of the management interface eth0/eth1 should be used for the NAS IP address configured here.

Step5         Configure block VLAN. This step is required for Web authentication.

admin@XorPlus# set protocols dot1x block-vlan-id 10
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 10
admin@XorPlus# set vlans vlan-id 10 l3-interface vlan10
admin@XorPlus# set l3-interface vlan-interface vlan10 address 10.10.51.10 prefix-length 24

Step6         Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages. This step is required for CoA and Web authentication.

admin@Xorplus# set protocols dot1x aaa radius dynamic-author client 10.10.10.1 shared-key pica8123

Step7         Configure the host mode for NAC authentication interface.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 host-mode multiple

Step8         Commit the configuration.

admin@Xorplus# commit

Step9         Verify the configuration. 

a)      After starting the browser and entering any Web address, the user is redirected to the Web authentication login page. Run command run show dot1x interface gigabit-ethernet <interface-name> to check the CWA authentication configurations.

admin@Xorplus# run show dot1x interface gigabit-ethernet ge-1/1/1
Interface ge-1/1/1:
============================================================
  Client MAC                : 10:11:01:39:1a:00
  Status                    : unauthorized
  Redirect URL              : https://www.clearpass.com/guest/weblogin.php/2?&mac=10:11:01:39:1a:00
============================================================
  Client MAC                : a1:31:a1:b9:6a:0c
  Status                    : unauthorized
  Redirect URL              : https://www.clearpass.com/guest/weblogin.php/2?&mac=a1:31:a1:b9:6a:0c
============================================================
  Client MAC                : a2:e1:55:78:1a:33
  Status                    : unauthorized
  Redirect URL              : https://www.clearpass.com/guest/weblogin.php/2?&mac=a2:e1:55:78:1a:33
============================================================

 b)      The user then enters the user name and password for authentication. If the user name and password are correct, an authentication success message is displayed on the Web authentication page. The user can then access the network.

 c)      Run the run show dot1x interface or run show dot1x interface gigabit-ethernet <interface-name> to check the CWA authentication configurations. The command output (WEB = enable) shows that the CWA authentication has been enabled on the interface ge-1/1/1 and MAC addresses 10:11:01:39:1a:00, a1:31:a1:b9:6a:0c and a2:e1:55:78:1a:33 are successfully authenticated.

admin@Xorplus# run show dot1x interface
Interface  802.1x   MAC-RADIUS  WEB   HOST-MODE   CLIENT-MAC  CLIENT-STATUS
-------------------------------------------------------------------------------------
ge-1/1/1  disable  enable   enable   multiple(3) 10:11:01:39:1a:00  authorized
                                                 a1:31:a1:b9:6a:0c  authorized
                                                 a2:e1:55:78:1a:33  authorized
 
admin@Xorplus# run show dot1x interface gigabit-ethernet ge-1/1/1
Interface ge-1/1/1:
============================================================
  Client MAC               : 10:11:01:39:1a:00
  Status                   : authorized
  Success Auth Method      : MAB
  Dynamic VLAN ID          : 100 (active)
============================================================  
  Client MAC               : a1:31:a1:b9:6a:0c
  Status                   : authorized
  Success Auth Method      : MAB
  Dynamic VLAN ID          : 100 (active)
============================================================  
  Client MAC               : a2:e1:55:78:1a:33
  Status                   : authorized
  Success Auth Method      : MAB
  Dynamic VLAN ID          : 100 (active)
============================================================




Copyright © 2024 Pica8 Inc. All Rights Reserved.