Versa Networks

Configure CWA Redirect Authentication for SD-LAN

For supported software information, see Supported Software Information at the end of this article.

Central Web Authentication (CWA) authenticates users and provides them access to an enterprise network. You can use CWA to redirect Web browser requests to a login page where users must enter a username and password. On successful authentication, the user is allowed access to the network based on policy rules that you define for access control.

CWA redirect authentication is useful for providing network access to temporary or guest users, such as visitors at a corporate site, who try to access the network. It is also useful for environments that require flexible, browser-based user interaction without installing client software, and when 802.1X authentication is not feasible or required.

You can place the user in a guest segment before they are fully authenticated with CWA, and give them access to allowed URLs. To do this, you configure a walled garden, which is a controlled environment for you to limit access to websites and services. You configure a list of allowed websites or domains, with all other URLs blocked, by adding the list of URLs in URL categories and then associating this category with NGFW security rules. You can also apply this to new access points (AP). For example, while onboarding a new AP, its MAC address is not registered in the Active Directory (AD) or any repository. The new AP connects using 802.1X but it cannot be authenticated because it does not have the required certificates. To obtain the necessary certificates, a walled garden configuration allows the AP to access a predefined list of URLs while it is in the guest segment. Instead of redirecting all traffic, the switch allows traffic to specific URLs to bypass the portal. This way, when the AP attempts to access a URL on the walled garden list, the request is allowed without redirection. This allows the AP to download the necessary certificates and complete the onboarding process. After onboarding, the AP can reconnect and fully authenticate using 802.1X.

CWA Redirect Authentication Flow

The process flow for CWA redirect authentication is as follows:

  1. A guest user connects their device to the network through a switch Ethernet port.
  2. The switch initiates MAC authentication bypass (MAB) authentication, and sends a RADIUS Access-Request message to the RADIUS server.
  3. The user is placed in an "unknown" segment until the authentication completes.
  4. The switch receives a RADIUS Access-Accept message from the RADIUS server, which contains the guest user segment assignment and redirect URL to the RADIUS server guest portal.
  5. The switch places the user into the guest segment.
  6. The guest device initiates a DHCP exchange.
  7. The user device performs a DNS exchange for an external website.
  8. The user sends (through a browser) an HTTP or HTTPS request to the website.
  9. The switch intercepts the HTTP request and returns the redirect URL from the Access-Accept message.
  10. The switch sends the redirect URL to the user. 
  11. The user device performs a DNS query for the RADIUS server guest portal domain.
  12. The user sends (through a browser) an HTTPS request to the redirected URL.
  13. The switch forwards the HTTPS request to the RADIUS server guest portal.
  14. The user accesses the portal and completes login or registration with a username and password.
  15. The RADIUS server sends a change of authorization (CoA) request without a redirect URL and Permit-Internet filter ID.
  16. The switch removes the redirect URL for the user and places the user in the Permit-Internet segment.
  17. The switch sends a CoA acknowledgement (ACK) to the RADIUS server.
  18. The switch grants the user access to the internet.

Configure CWA Redirect Authentication

To configure CWA redirect authentication, you do the following:

  • Configure the RADIUS server and associate it with an authentication profile to define how the switch connects to the RADIUS server.
  • Enable MAB authentication. The switch uses MAB to initiate the authentication process. 
  • Create scalable group tags (SGTs) to define the guest user segment. 
  • Configure Layer 2 ACL ingress and NGFW policy rules for the switch to forward traffic to the CPU. This enables redirect authentication and the walled garden for users in the guest segment.
  • Configure URL filtering for the walled garden.

This section provides a configuration example for CWA redirect authentication. 

Configure RADIUS Server

To configure the RADIUS server (in this example, ISE1) so that the switch can communicate with it:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Object and Connectors > Connectors > Users/Groups > RADIUS Servers in the left menu bar.
  4. Click + Add or select an existing RADIUS server (in this example, ISE1). The Add/Edit Radius Servers window displays.

    radius-server.png
  5. Enter the required details. For more information, see Configure RADIUS Servers.
  6. Click OK.

After you configure the RADIUS server, associate it with an authentication profile to define how the switch connects to the RADIUS server.

To associate a RADIUS server with an authentication profile: 

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device in the main pane. The view changes to Appliance view.
  2. Select Others > Organization > Authentication Profiles in the left menu bar. The main pane displays the authentication profiles that are already configured.
  3. Click the Add icon. The Add Authentication Profile popup window displays.

    add-authentication-profile-general-tab-radius.png
  4. In the Name field, enter a name for the authentication profile.
  5. In the Type field, click RADIUS, and enter information for the following fields. Note that when you click RADIUS, the RADIUS Attributes tab displays in the popup window.
  6. Click the Add icon and select the RADIUS server (here, the RADIUS server you configured above) from the drop-down list.
  7. For information about configuring other parameters, see Configure RADIUS for User Authentication.
  8. Click OK.  

Enable MAB

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > Organization > dot1x > Authentication Control in the left menu bar, and then select the MAB Authentication tab in the horizontal menu bar.

    mab-authentication-tab-new.png
  4. Click the Edit icon. The MAB Authentication popup window displays.

    mab-authentication.png
  5. Click Enable to enable MAB authentication.
  6. For information about configuring other parameters, see Configure 802.1X Authentication Control in Configure IEEE 802.1X Device Authentication.
  7. Click OK.

Configure SGTs

To match parameters in NPU and NGFW policy rules to microsegments, you create scalable group tags (SGTs). In this example, three SGTs (sgt-pre-auth, sgt-post-auth, and sgt-unassigned) are configured to use in NPU and NGFW policy rules. For more information about configuring SGTs, see Create an SGT Object.

sgt-main.png

Configure Layer 2 ACL Ingress

To place users into the guest segment, you must configure Layer 2 ACL ingress policy rules. To enable redirection and walled garden features, you configure these rules for the switch to direct traffic to the CPU for further processing. 

To configure a Layer 2 ingress ACL policy:

  1. In Director View:
    1. Select the Configuration tab in the top menu bar.
    2. Select Devices > Devices in the horizontal menu bar.
    3. Click the name of an appliance. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Networking > NPU > Layer 2 ACL Ingress in the left menu bar.
  4. Select the Rules tab. For more information, see Configure NPU Policy-Based Forwarding.

    npu-layer2-acl-ingress-rules-new.png
  5. Click + Add or select an existing rule. The Add/Edit window displays. 

Example Rules

This section includes example NPU Layer 2 ACL rules for guest traffic authentication. You can change the rule names and values as needed to define your own rules. In these examples, the following pre-authorization rules are configured to forward traffic to the CPU:

  • port-initialization—This rule handles unknown traffic segments. If a user is unassigned or unknown, and the user is in the bridge domain specified in this rule, traffic is allowed. To configure:
    1. In the Add/Edit Rules window, select the Match tab.

      edit-rules-match-tab-port-initialization-rule.png
    2. In the Source SGT ID field, select sgt-unassigned (for unassigned traffic segments), and then select the routing instance with the required bridge domain.
    3. Select the Set tab.

      edit-rules-set-tab-port-initialization-rule.png
    4. In the Action field, select Allow to allow traffic.
    5. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    6. Click OK.
       
  • cpu-pre-auth forward—Before users are authenticated and assigned to the appropriate internet segments, they are in the pre-authentication phase. The RADIUS server returns the pre-authentication segment details in the Access-Accept message, as the redirect URL and the user microsegment. This segmentation is based on the user MAC address. To configure:
    1. In the Add/Edit Rules window, select the Match tab. 

      edit-rules-match-tab-pre-auth-fwd-rule.png
    2. In the Source SGT ID field, select sgt-pre-auth to apply this rule to users in the pre-auth segment.
    3. Select the Set tab.

      edit-rules-set-tab-pre-auth-fwd-rule.png
    4. In the Action field, select Service PIC to send packets to the CPU for further processing. If a user is in the pre-auth segment, the traffic is forwarded to the CPU for processing.
    5. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    6. Click OK.
       
  • cpu-pre-auth reverse—This rule is similar to cpu-pre-auth forward. Here, the rule matches packets sent to the pre-auth segment (the reverse direction), and this traffic is also sent to the CPU for processing. To configure:
    1. In the Add/Edit Rules window, select the Match tab.

      edit-rules-match-tab-pre-auth-rev-rule.png
    2. In the Destination SGT ID field, select sgt-pre-auth to apply this rule to users in the pre-auth segment.
    3. Select the Set tab.

      edit-rules-set-tab-pre-auth-fwd-rule.png
    4. In the Action field, select Service PIC (process in CPU).
    5. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    6. Click OK.
       
  • route-pre-auth deny—This is a deny rule that denies traffic from devices in certain segments. For example, you can deny entry to onboarded devices that are no longer trusted and have been removed from the database. To configure:
    1. In the Add/Edit Rules window, select the Match tab.

      edit-rules-match-tab-pre-auth-deny-rule.png
    2. In the Source SGT ID field, select sgt-pre-auth.
    3. Create a routing instance and select the VLANs that include devices that are disallowed.
    4. Select the Set tab.

      edit-rules-set-tab-pre-auth-deny-rule.png
    5. In the Action field, select Deny to disallow this traffic.
    6. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    7. Click OK.

The following four example rules are for internet-bound traffic:

  • allow-management-traffic—Allows all management traffic. To configure:
    1. In the Add/Edit Rules window, select the Match tab.

      edit-rules-match-tab-allow-mgmt-traffic-rule.png
    2. Create or edit a routing instance with bridge domain lists that include management VLANs to be allowed.
    3. Select the Set tab.

      edit-rules-set-tab-port-initialization-rule.png
    4. In the Action field, select Allow to allow traffic.
    5. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    6. Click OK.
       
  • allow-control-eap—Allows all Extensible Authentication Protocol (EAP) traffic, that is, 802.1X (dot1x) traffic. To configure:
    1. In the Add/Edit Rules window, select the Match tab.

      edit-rules-match-tab-allow-control-eap-rule.png
    2. In the Ethertype field, select Ethertype Value and enter the appropriate value in the Ethertype Value field.
    3. Select the Set tab.
    4. In the Action field, select Allow to allow EAP traffic.
    5. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    6. Click OK.
       
  • allow-internet-fwd and allow-internet-rev—Allow traffic for authenticated users. This traffic need not be sent to the CPU and can be processed at the switch level. To configure:
    1. In the Add/Edit Rules window, select the Match tab.

      edit-rules-match-tab-allow-internet-fwd-rule.png
    2. In the Forwarding Type field, select L3 Routed.
    3. For the allow-internet-fwd rule, in the Source SGT ID field, select sgt-post-auth for users who are in the post-authentication segment.
    4. For the allow-internet-rev rule, in the Destination SGT ID field, select sgt-post-auth.
    5. Select the Set tab.
    6. In the Action field, select Allow to allow traffic for authenticated users.
    7. For information about configuring other parameters, see Configure Layer 2 Ingress ACLs.
    8. Click OK.

Configure NGFW Rules

You configure NGFW rules to add allow and deny pre-authentication access policy rules. 

To configure NGFW security policy rules:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select the device in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Next Gen Firewall > Security > Policies in the left menu bar, and select the Rules tab. The following screen displays. For more information, see Configure Next-Gen Firewall (NGFW).

    ngfw-security-policies-main.png
  4. Click + Add to add a rule or select an existing rule. The Add/Edit window displays.

Example Rules

This section includes example NGFW security policy rules. You can change the rule names and values as needed to define your own rules. 

  • allow-pre-auth-radius—Allows all traffic sent for RADIUS pre-authentication.
  • allow-pre-auth-mist—Allows traffic to an access point (here, Mist). In this example, any traffic to "mist.com" is allowed by adding it as a URL category, which is part of the walled garden. The following example shows a URL category (url-pre-auth-mist) that includes the URL patterns .*mist.com.* and .*mistsys.net.*; this category is used in the allow-pre-auth-mist rule to allow traffic to these URL patterns. For more information about URL categories, see Configure URL Objects.

    edit-url-category-url-patterns-tab-mist.png
  • allow-pre-auth-fwd and allow-pre-auth-rev—Allow the services listed under Service List in the Headers/Schedule tab. Ping, HTTP, and the authentication service (so that the user can enter credentials) are allowed. In the following example, tcp-port-8443 is used to reach the RADIUS server.

    edit-ngfw-rule-ap-allow-pre-auth-fwd-headers-tab.png
  • deny-https-pre-auth—Rejects HTTPS traffic so that the user's browser is redirected to the authentication portal. For example, in this sample rule, tcp-dst-443 is selected in the Service List under the Headers/Schedule tab to match HTTPS traffic.

    edit-ngfw-rule-ap-deny-https-pre-auth-headers-tab.png
  • deny-pre-auth—Rejects any traffic other than the traffic allowed by the NGFW security policy. For example, for this rule, sgt-pre-auth is selected in the Scalable Group Tag field of the Source tab to disallow traffic for this SGT.

    edit-ngfw-rule-ap-deny-pre-auth-source-tab.png
  • allow-all—Allows traffic that does not belong to the guest network.
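The Layer 2 ACL example rules and the NGFW example rules above form a two-stage pipeline: the L2 ACL decides whether a frame is allowed, denied, or sent to the CPU (Service PIC), and only CPU-bound traffic reaches the NGFW rules where the walled garden is enforced. The following Python model, an added example that is not Versa code, evaluates sample flows through both stages. Rule and SGT names are the page's; the flow fields, port numbers, the denied VLAN set, the rule order, the implicit defaults, and the tightened URL patterns are assumptions. It also shows a check a practitioner would want: the page's unanchored patterns (.*mist.com.*) match more hosts than intended, so an anchored variant is evaluated alongside them.

```python
"""Two-stage pre-auth policy evaluation modelled on the example rules above.
Stage 1: Layer 2 ACL ingress, first match wins; Allow and Deny are final,
Service PIC hands the frame to the CPU. Stage 2: NGFW rules, reached only by
CPU-bound traffic. Constructed example, not Versa code: rule and SGT names are
the page's; fields, ports, VLANs, ordering, defaults and the tightened URL
patterns are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

DENIED_VLANS = {99}  # assumed VLAN list used by route-pre-auth deny


@dataclass(frozen=True)
class Flow:
    src_sgt: str
    dst_sgt: str = "sgt-unassigned"
    proto: str = "tcp"                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    host: Optional[str] = None         # HTTP Host / TLS SNI when known
    vlan: int = 10
    mgmt_vlan: bool = False
    ethertype: int = 0x0800

# Stage 1. Ordering is assumed: route-pre-auth deny must sit above
# cpu-pre-auth forward, otherwise the broader rule matches first and the
# deny never takes effect.
L2_ACL = [
    ("port-initialization", lambda f: f.src_sgt == "sgt-unassigned", "Allow"),
    ("allow-management-traffic", lambda f: f.mgmt_vlan, "Allow"),
    ("allow-control-eap", lambda f: f.ethertype == 0x888E, "Allow"),  # EAPOL
    ("route-pre-auth deny", lambda f: f.src_sgt == "sgt-pre-auth" and f.vlan in DENIED_VLANS, "Deny"),
    ("cpu-pre-auth forward", lambda f: f.src_sgt == "sgt-pre-auth", "Service PIC"),
    ("cpu-pre-auth reverse", lambda f: f.dst_sgt == "sgt-pre-auth", "Service PIC"),
    ("allow-internet-fwd", lambda f: f.src_sgt == "sgt-post-auth", "Allow"),
    ("allow-internet-rev", lambda f: f.dst_sgt == "sgt-post-auth", "Allow"),
]

# Walled-garden URL category url-pre-auth-mist. The page's patterns are
# unanchored with unescaped dots, so they also admit hosts such as
# "mist.com.untrusted.example"; the anchored form is the tighter alternative.
URL_PRE_AUTH_MIST_LOOSE = [r".*mist.com.*", r".*mistsys.net.*"]
URL_PRE_AUTH_MIST_TIGHT = [r"^(.*\.)?mist\.com$", r"^(.*\.)?mistsys\.net$"]


def in_category(host: Optional[str], patterns: list) -> bool:
    """Assumes patterns are regular expressions applied to the host name."""
    return host is not None and any(re.search(p, host) for p in patterns)


def ngfw_rules(patterns: list) -> list:
    # Stage 2, first match wins. Service lists are assumed: RADIUS 1812/1813,
    # ping, HTTP, tcp-port-8443 for the portal, and DNS (needed for the flow's
    # DNS steps, although the page does not list it).
    return [
        ("allow-pre-auth-radius", lambda f: f.proto == "udp" and f.dst_port in (1812, 1813), "allow"),
        ("allow-pre-auth-mist", lambda f: in_category(f.host, patterns), "allow"),
        ("allow-pre-auth-fwd", lambda f: f.proto == "icmp"
            or (f.proto == "tcp" and f.dst_port in (80, 8443))
            or (f.proto == "udp" and f.dst_port == 53), "allow"),
        ("deny-https-pre-auth", lambda f: f.proto == "tcp" and f.dst_port == 443, "reject"),
        ("deny-pre-auth", lambda f: f.src_sgt == "sgt-pre-auth", "reject"),
        ("allow-all", lambda f: True, "allow"),
    ]


def evaluate(flow: Flow, patterns: list = URL_PRE_AUTH_MIST_LOOSE) -> tuple:
    """Return (stage, rule, action) for one flow."""
    to_cpu = False
    for name, match, action in L2_ACL:
        if match(flow):
            if action != "Service PIC":
                return ("l2-acl", name, action)
            to_cpu = True
            break
    if not to_cpu:
        return ("l2-acl", "no-match", "Deny")        # assumed default
    for name, match, action in ngfw_rules(patterns):
        if match(flow):
            return ("ngfw", name, action)
    return ("ngfw", "no-match", "reject")            # assumed default


if __name__ == "__main__":
    for flow in (Flow("sgt-pre-auth", dst_port=443, host="www.example.com"),
                 Flow("sgt-pre-auth", dst_port=443, host="api.mist.com"),
                 Flow("sgt-post-auth", dst_port=443, host="www.example.com")):
        print(flow.src_sgt, flow.host, "->", evaluate(flow))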

Configure the Walled Garden

To configure a walled garden, you configure the global URL-filtering settings (for more information, see Configure Global URL-Filtering Settings):

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select an organization in the horizontal menu bar.
    3. Select the Configuration tab in the top menu bar. 
      • To make the global URL-filtering settings permanent, select Templates > Device Templates in the horizontal menu bar.
      • To have the global URL-filtering settings apply to an individual device, select Devices > Device in the horizontal menu bar. Then, in the main pane, select the device name.
  2. Select Services > Next-Gen Firewall > Security Settings > URL Filtering in the left menu bar. The main pane displays the URL Filtering pane.

    url-filtering-menu.png
  3. Click the edit-icon.png Edit icon. The Edit URL Filtering popup window displays.

    edit-url-filtering-walled-garden-tab.png
  4. Select the Walled Garden tab.
  5. Click the + Add icon in the URL Category section, and then select the URL categories that are allowed for the walled garden. For more information, see Configure Global URL-Filtering Settings.

View CWA Redirect Authentication Information

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main pane. The view changes to Appliance view.
  2. Select the Monitor tab in the top menu bar.
  3. Select an organization in the left menu, and then select the Services tab in the horizontal menu.
  4. Select Networking > 802.1X to view the interface details and other statistics. You can select the level of detail to view using the drop-down list. For more information, see Verify 802.1x Authentication Information.

    minotor-8021x-tab.png

    The following screenshot displays the URL to which the user is redirected. After the user accesses the URL, logs in, and connects, the user status changes from pre-auth to post-auth on the Monitor screen.

    monitor-redirect-url.png

Supported Software Information 

Releases 22.1.4 and later support all content described in this article.
