Endpoints that connect to the network may not have 802.1x capabilities, Web Authenticaiton can be used as a fall back similar to MAC Authentication Bypass.
Endpoints are presented with a portal requesting a username and password.
The username and password submitted through the web portal are sent from the switch (or wireless controller) to a RADIUS server in a standard RADIUS access-request packet.
The switch sends this request as it is authenticating on behalf of the endpoint.
WebAuth is only suitable for users and not devices as it requires a manual entry of a username and password.
There are two types of WebAuth, Local Web Authentication and Centralised Web Authentication with Cisco ISE.
Local Web Authentication
Local Web Authentication is the first form of Web Authentication that was created.
This type of WebAuth, the switch or wireless controller will redirect web traffic to a locally hosted web portal where a user can enter a username and password.
When login credentials are entered, the switch will send a RADIUS access-request message along with the login credentials to a RADIUS server.
It is important to remember that when the switch switches the login credentials on behalf of the user, it considered to be a Local Web Authentication.
Local Web Authentication is not customisable on Cisco switches.
Cisco Switches also have no support for advanced services such as an acceptable use policy, acceptance pages, password changing capabilities, device registration and self-registration.
Local Web Authentication does not support
Centralised Web Authentication with Cisco ISE
Cisco created Centralised Web Authentication to make up for the lack of features in Local Web Authentication.
Centralised Web Authentication supports Change of Authorisation for posture profiling. CWA can assign dACL and VLAN authorisation options too.
Centralised Web Authentication can support advanced services such as password changing, client provisioning, posture assessments, acceptable use policies, self-registration and device registration.
Authentication is a different process for Centralised Web Authentication in comparison to Local Web Authentication:
- The endpoint entering the network does not have a configured supplicant or the supplicant is misconfigured
- The switch performs MAC Authentication Bypass, sending the RADIUS access-request to the Cisco ISE
- The Authentication server sends the RADIUS result, including the URL redirection, to the centralised portal on ISE itself
- The endpoint is assigned an IP address, DNS server, and default gateway using DHCP
- The end user opens their browser and enters credentials into the centralised web portal. The credentials are stored in ISE and are tied together using MAC Authentication Bypass on the switch
- ISE sends an re-authentication change of authorisation (CoA-reauth) to the switch
- The switch sends a new MAB request with the same session ID to ISE. ISE will return the final authorisation result to the switch for the end user, including an authorisation option such as downloadable ACL.