Configure Authorization Policy on Cisco® ISE Server

Configure Centralized Web Authentication (CWA) to integrate with a Cisco® ISE server:

  1. Configure the Authorization Profile (CWA_WebAuth) on the Cisco® ISE server. This profile references the role (ACL_WEBAUTH_Redirect) that was configured on ExtremeCloud IQ Controller.
    1. Go to Policy > Policy Elements > Results.
    2. Select Authorization > Authorization Profiles.
    We have configured CWA_WebAuth. Notice the reference to the policy rule configured on ExtremeCloud IQ Controller: ACL_WEBAUTH_Redirect.
    Click to expand in new window
    CWA_WebAuth Authorization Profile Configuration
  2. Define the policy set.
    Go to Policy > Policy Set. We have configured AH-CWA. The Policy Set includes the Authorization Profile CWA_WebAuth that was configured in Step 1.
    Add an Authorization Policy that includes the condition: Radius-Called-Station-ID – Contains – x, where x is the SSID of the network. The Authorization Policy assigns the Authorization Profile (CWA_WEBAUTH) that references the redirection Role on ExtremeCloud IQ Controller (ACL_WEBAUTH_REDIRECT).
    Click to expand in new window
    Condition to match on SSID
    Click to expand in new window
    CWA Policy Set – Profile CWA_WebAuth
  3. To view the Authorization Policy that was configured in Step 1, select Policy Set AH-CWA, and then select the Authorization Policy drop-down.
  4. The Authorization Profile on the CWA server will return the role ACL_WEBAUTH_Redirect and the redirection URL.
    Click to expand in new window
    Attributes that the CWA server returns to ExtremeCloud IQ Controller
  5. On the Cisco® ISE server, go to Authorization > Authorization Profile.
  6. Create an allow Authorization Profile that is assigned to the user after the user is authenticated through the captive portal.
    Click to expand in new window
    Allow Authorization Profile
    Allow Authorization Profile on a Cisco® ISE server
    • In the Common Tasks section, select Airespace ACL Name. The field must match the final Authenticated Role on ExtremeCloud IQ Controller.
    • In the Attribute Details section, the Cisco® ISE server returns: Access Type = ACCESS_ACCEPT, and Airespace-ACL-Name = x where x is the name of the authenticated role on ExtremeCloud IQ Controller (AH-ALLOW).
  7. On the Cisco® ISE server, go to Policy > Policy Sets, an open the policy set AH-CWA (described in Step 2).
  8. Create an Authorization Policy that returns the Authorization Profile described in Step 6 with the following condition:
    Click to expand in new window
    Allow Condition to match on Endpoint Identity
    Allow Condition to match on Endpoint Identity on a Cisco® ISE server
    Note

    Note

    Place this condition at the top of the conditions list.
9038919-00 Rev. AA