5760 v3.6 guest portal redirect to ISE

Similar Messages

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success

• ISE Guest Portal redirection not working

  I have built a lab at home. I have a Win2008 Server for AD/DNS, ISE 1.2 (VM trial), a 3560-cg switch, 2500 WLC and 2602i AP. I have configured everything as per the documentations online. My issue is that when I connect to the open SSID, it gets connected and has the dns server populated as well, but the redirection never takes place. I can search for google or cnn.com but it just stays at looking up host or something. However, if i take the redirect URL from the WLC and then do it on the browser, it does go to the guest portal. Let me know what issues I can see and if there is any other information I can provide.

  Issue resolved.
  Since my lab environment didnt have access to the internet and hence dns servers 8.8.8.8 would not resolve any public ips. But when an address is resolvable by a dns then it redirects nicely. For test I created a dns entry on the dns server itself and tested it.
  Sent from Cisco Technical Support Android App

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• Guest Portal Access using ISE

  I’m having an issue setting up the Guest Port Access for our wireless network.
  I’m trying to setup an SSID anchored in the DMZ for internet access only. The authentication to this would be granted via the ISE Guest Access Portal.
  I’ve got the SSID created and tested working with no authentication.
  When I enable the Guest Portal (per these instructions http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml), I can login and create a guest account. Have the guest go to the portal, login, hit ‘I accept’, but then instead of redirecting them to whatever page they tried to access, it sends them back to the guest login page (with still no access to the network resources).
  Am I missing a simple setting somewhere? Please let me know if this should be reposted in the security/ISE forum instead of here.
  Thanks,
  Pete

  Is this related?
  11036
  ERROR
  RADIUS
  The Message-Authenticator RADIUS attribute is invalid.
  A RADIUS packet having an invalid Message-Authenticator attribute has been received. Make sure that the client device is compatible with AD Agent, has been configured properly, and is functioning properly. Make sure that the same RADIUS shared secret has been properly configured, both in the client device and in AD Agent.
  Reference: http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_log_msgs.html

• HTTPS Guest Portal Redirection

  Dears,
  We have Guest Portal on ISE server, when our guests connect to Guest SSID they automatically redirected to WEB portal
  it works only with http websites
  if user writes in his browser for example facebook.com or some websites with https redirection doesnt happens
  thank you

  It's new:) the first version of 8.0.100.0 wasn't great if you ask me. v8.0.110.0 is MR1 and fixes some issues but it's new. I would wait for MR2/3 before going into production unless you really need to go to v8.0. You can always downgrade. You need to make sure your AP's support this code and if you have WCS/NCS/PI and or MSE. Here is the compatibility matrix:
  http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
  -Scott

• ISE-Guest Portal Redirection

  Dears
  i have configured everything right for the Gusset login and everything is going the way i want except one thing that the switch doesn’t force the quest to web directed to the ISE login paged however the ouput of the below command looks perfect and when i copy the url manually it works .. so how can i make it automatically ?
  ISE-SWITCH#sh authen se int f0/12 
              Interface:  FastEthernet0/12
            MAC Address:  c80a.a96a.47b1
             IP Address:  Unknown
              User-Name:  C8-0A-A9-6A-47-B1
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
                ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-50683952
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://EG1SHQ06.HEIWAY.NET:8443/guestportal/gateway?sessionId=0A8B080600000005001ECF63&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A8B080600000005001ECF63
        Acct Session ID:  0x00000007
                 Handle:  0xD9000005
  Runnable methods list:
         Method   State
         mab      Authc Success
         dot1x    Not run
  ISE-SWITCH#sh ip access-l
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny ip any host 10.139.8.216
      11 permit tcp any any eq www
      12 permit tcp any any eq 443
  Extended IP access list Auth-Default-ACL-OPEN
      10 permit ip any any (314 matches)
  Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
      10 permit udp any any eq domain
      20 permit icmp any any
      30 permit tcp any any eq www
      40 permit tcp any any eq 443
      50 permit tcp any host 10.139.8.216 eq 8443

  i did this changes and even upgraded the switch IOS to 12.2(58)SE2 but no luck ,
  any other idea?
  ISE-SWITCH#sh ip access-l               
  Extended IP access list ACL-DEFAULT
      10 permit udp any eq bootpc any eq bootps
      20 permit udp any any eq domain
      30 permit icmp any any
      40 permit udp any any eq tftp
      50 permit tcp any host 10.139.8.216 eq www
      60 permit tcp any host 10.139.8.216 eq 443
      70 permit tcp any host 10.139.8.216 eq 8443
      80 permit tcp any host 10.139.8.216 eq 8905
      90 permit udp any host 10.139.8.216 eq 8905
      100 permit udp any host 10.139.8.216 eq 8906
      110 permit tcp any host 10.139.8.216 eq 8080
      120 permit udp any host 10.139.8.216 eq 9996
      130 deny ip any any log
  Extended IP access list ACL-POSTURE-REDIRECT
      10 deny udp any any eq domain
      20 deny udp any host 10.139.8.216 eq 8905
      30 deny udp any host 10.139.8.216 eq 8906
      40 deny tcp any host 10.139.8.216 eq 8443
      50 deny tcp any host 10.139.8.216 eq 8905
      60 deny tcp any host 10.1.252.21 eq www
      70 permit ip any any
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny ip any host 10.139.8.216
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  Extended IP access list Auth-Default-ACL-OPEN
      10 permit udp any eq bootpc any eq bootps
      20 permit udp any any eq domain
      30 permit icmp any any
      40 permit udp any any eq tftp
      50 permit tcp any host 10.139.8.216 eq www
      60 permit tcp any host 10.139.8.216 eq 443
      70 permit tcp any host 10.139.8.216 eq 8443
      80 permit tcp any host 10.139.8.216 eq 8905
      90 permit udp any host 10.139.8.216 eq 8905
      100 permit udp any host 10.139.8.216 eq 8906
      110 permit tcp any host 10.139.8.216 eq 8080
      120 permit udp any host 10.139.8.216 eq 9996
      130 deny ip any any
  Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
      10 permit udp any any eq domain
      20 permit icmp any any
      30 permit tcp any any eq www
      40 permit tcp any any eq 443
      50 permit tcp any host 10.139.8.216 eq 8443

• Guest portal certificate on ise

  Background:
        Customer don't have an internal DNS server. We are using the google DNS server, which doesn't resolve the internal guest ISE server name. Hence, we are directly using the ip-address in redirect URL and guest authentication portal.
  Question:
     Which certificate I need to use for the guest login portal to avoid the cert error. We tried ipaddress(10.1.1.1) in cert common name , Firefox showed cert error(invalid - for not matching-10.1.1.1:8443 ). Then, we tried DNS name as common name and IP address as subject alternate name. Most of the browsers worked fine. Internet explorer gave certificate error. Do you think of any other solution?

  There are several things that need to be setup correctly for clients to see a certificate as valid.
  1. The redirect needs to use a DNS name that the client can resolve
  2. DNS name used above must be in the certificate as CN or a SAN
  3. If the redirect uses a fully qualified domain name then this also needs to be in the certificate
  4. Client needs to have the ROOT cert and any required intermediates in it certificate store.
  Using IP address in the SAN should work but if you want to use a publicly signed cert on ISE then you cannot use IP address because the certificate authorities will no long support this.
  You could try using 10.1.1.1:8443 in the SAN to see if this works but you will still need to ensure that the client device has the certificates ROOT and intermediates in its certificate store.
  Hope this helps

• Guest portal redirection with mulple PSNs

  Hi All
  In a distributed deployment where there is more than one PSN's how do we have a common url for guest redirection when doing a CWA (assuming no load balancer is used for the PSNs)? usually the redirection url would be 'https://<ise01.fqdn/guetsportal" or 'https://<ise02.fqdn/guetsportal" and we can only specify one in the wlc guest ssid?
  Thanks

  Fully Qualified Domain Name in URL Redirection
  When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:
  url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias(name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of IP address during URL redirection. To do this, you can use the ip host command in the configuration mode from the Cisco ISE CLI:
  ISE /admin(config)# ip host IP_address host-alias FQDN-string
  where IP_address is the IP address of the network interface (eth1 or eth2 or eth3)
  host-alias is the name that you assign to the network interface
  FQDN-string is the fully qualified domain name of the network interface
  Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.
  Here is an example:
  ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com
  After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.
  Use the no form of this command to remove the association of the host alias with the network interface:
  ISE/admin(config)# no ip-host IP_address host-alias FQDN-string
  Use the show running-config command to view the host alias definitions.
  If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.
  When you make use of non-eth0 interfaces for client provisioning or native supplicant or guest flows, you have to make sure that the IP address or host alias for non-eth0 interfaces should be configured appropriately in the Policy Service node certificate's SAN fields.

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE Guest Access- Redirect to URL after successful logon

  Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

  ISE guest flow :
  The user associates to the web authentication Service Set Identifier (SSID).
  The user opens the browser.
  The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  The user authenticates on the portal.
  The guest portal redirects back to the WLC with the credentials entered.
  The WLC authenticates the guest user via RADIUS.
  The WLC redirects back to the original URL

• ISE, guest portal on WLC

  Hi,
  Currently we have wireless guest login through a guest portal in the WLC. Is it possible to implement ISE and keep the guest portal in the WLC?
  Example:
  User connects to a SSID with an laptop. That laptop is profiled as not belogning to the company network and is then redirected to the WLC guest portal.
  All the guides I find is about having the guest portal in the ISE.
  Regards
  Philip

  You can use LWA for this . he WLC redirects  the HTTP traffic to an internal or external server where the user is prompted to  authenticate. The WLC then fetches the credentials (sent back via an HTTP GET  request in the case of external server) and makes a RADIUS authentication. In  the case of a guest user, an external server (such as Identity Service Engine  (ISE) or NAC Guest Server (NGS)) is required as the portal provides features  such as device registering and self-provisioning.
  Refer to the following link for  configuration  example
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE HTTP GUEST PORTAL

  Hello,
  We have some disconfort with Guest web authentication. When WLC redirects a guest user, he views certificate error.
  Can I use http instead https for guest portal?
  Thanks,
  Oleg

  Hi,
  Is your guest portal on the ISE ? In the ISE , there is only HTTPS port allowed to configure under Guest portal and no option of http port is there , So I dont think so. You also might be using port 8443 in the external web-auth redirection URL under security tab.
  Now even if you put a valid certificate on the ISE which hosts external guest portal , still you would receive certificate warning as long as you use local web server of the controller which is its virtual ip address.This is because even if the external web server where page is hosted for example has a valid certificate , even then internal virtual ip address is presented to the client.
  So
  > either you trust them in your browser so that you dont receive certificate warnings
  >or else have a valid certificate on the controller and external web server. 
  > or use http for web authentication in the controller and also http to external hosted page, then also you can get rid of these certificates.
  Regards
  Dhiresh

• ISE Guest Portal

  Hello Everyone
  Is it possible to have a WLC 4402 and a WLC 5508 working with the Guest portal of the ISE at the same time?
  I know that for the WLC 5508, it works fine and i can implement this as CWA, but for the WLC 4402? i read something about change the certificate in the ISE in order to have it as LWA, but can this affect the CWA implemmentation?
  Thanks for any suggestion.

  Sending LWA and CWA authentications to the same guest portal won't be a problem.To keep things nice and clean though you can create a second HTML portal so you can dedicate one per each process but it is not necessary. 
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE 1.2 Guest Portal customization with vWLC redirect

  Hello Support Community,
  we have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use default guest portal on https://x.x.x.x:8443/guestportal/Login.action authentication and authorization works fine. When we do redirect to Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html customized login page is displayed and after correct authentication guest successful page is displayed but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to customized login site. Virtual Wireless Controller shows client aus "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from WLC. Are there any known issues regarding customization template or is there something wrong regarding our redirect?
  I hope somebody can help us.
  Best Regards
  Benjamin

  Hello Neno,
  1. I attached screenshots below.
  2. There is nothing related to this client.
  3. I attached Debug below.
  We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
  If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
  CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
  Best Regards
  Benjamin