Wired Guest CWA with ISE

Having a heck of a time getting this to work.
First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
My challenge is the Policies and where to insert.
I'm using Policy Sets in ISE 1.2
Currently, I have these statements in the Default Policy Set:
Rule Name
Conditions
Permissions
Wired Guest Portal Auth
if Net Access:UseCase EQUALS Guest Flow
Permit Access
Wired Guest Redirect
if Wired_MAB
Wired CWA
What i figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
Couple problems:
First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.
Second challenge is that it forces the redirect whether i have the switch (NAD) in Monitor Mode or Low Impact Mode.  This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
Does anyone have any insight, or a document laying out in step by step terms implementing this?
thanks in advance.

Hi Andrew! Yes, good job on fixing the portal issue!
And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 
Thank you for rating helpful posts!

Similar Messages

  • Wired guest vlan with ISE

    Hi all,
    For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
    Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
    Thanks
    Sent from Cisco Technical Support iPad App

    I will try to answer all of your quesitons:
    1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
              - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab
    2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
              - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.
    3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"
              - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break

  • Cannot Open the URL of CWA with ISE

    Hi Folks,
    I have a problem when doing the CWA with ISE so that I can Provide the access of the network for the guests.
    Everything goes fine except the URL of the CWA: When the guests open the explorer and enter a domain after connecting the SSID, they will be redirected to the URL like "https://hostname.demo.com:8443/guestportal/..................." which starts with the hostname of the ISE and the domain-name of the ISE, but for us, we don't have any AD and LAN DNS for our network so that we cannot translate the hostname.demo.com into the IP of the ISE, so can I just change the URL into IP type like "https://10.10.10.70:8443/guestportal"?

    Screenshot of a screenshot (sorry) attached.
    Basically it's in authorization policy, allows you to use a static DNS or IP address

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
    1. Guests try to connect wifi with SSID Guest
    2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
    The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
    I know it happened when guests didn't have the WLC Login Page Certificate...
    My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
    Thx 4 your answer and sorry for my bad English....

    Thx for your reply Peter, your solution is right,
    i don't choose CWA, because their DNS is not stable...
    i've found the problem...
    the third-party CA is revoked, so there is no way it will success until it fixed...
    and there is no guarantee, they will fix it soon..
    so solution that we choose is by disable "HTTPS" on WLC...
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable"
    thank you all...

  • Limit the number of session per user in the Wired dot1x environment with ISE 1.2

    Hello,
    I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
    I need to check if this feature is available or not to solve the following scenario:
    I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
    If user A connects to the 1st port and authenticated then he will placed on a VLAN based on the authorization profile.
    The case, that I need to deny the same user to connect on a different machine with the same credentials.
    The ISE itself does not have this feature currently,  the only feature available is to limit the number of sessions for the guest user.
    Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
    Thanks.

    limit number of session per user using wired dot1x is not available in 1.3

  • CWA with ISE and 5760

    Hi,
    we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
    I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
    aaa authentication login Webauth_ISE group ISE
    aaa authorization network cwa_macfilter group ISE
    aaa authorization network Webauth_ISE group ISE
    aaa accounting network ISE start-stop group ISE
    aaa server radius dynamic-author
    client 10.232.127.13 server-key 0 blabla
    auth-type any
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 31 send nas-port-detail mac-only
    wlan test4guests 18 test4guests
    aaa-override
    accounting-list ISE
    client vlan 1605
    no exclusionlist
    mac-filtering cwa_macfilter
    mobility anchor
    nac
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list Webauth_ISE
    no shutdown
    wc5# debug aaa coa
    Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
    Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
    Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
    Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
    Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
    Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
    Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
    Feb 27 12:19:08.444: COA: Message Authenticator decode passed
    Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444:
    Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
    Feb 27 12:19:08.444:
    wc5#

    Reason for this are two bugs which prevent this from working:
    https://tools.cisco.com/bugsearch/bug/CSCul83594
    https://tools.cisco.com/bugsearch/bug/CSCun38344
    This is embarrassing because this is a really common scenario. QA anyone?
    So, with ISE and 5760 CWA is not working at this time. 

  • Wired guest access with 5508

    Hi
    I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
    VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
    There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
    LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
    Thanks
    Pat

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • ISE Guest CWA with Smart Phones

    I've configured the Guest Web Authentication in the ISE and I've tested and every thing is working fine. I got the redirect url, I could authentication and then got an access. However, If I got the redirect url and then disconnect from the guest SSID and connect to another SSID on the same WLC (not associated to the ISE) and then connect back to the guest SSID, I'm not getting the redirect url.
    I've checked the ISE and I noticed that the radius session is not terminated if I disconnected  from the SSID. I tried to add an attribute in the authorization profile to have radius idle timeout, it did work and the ISE initiate new session ID, but the smartphone is not getting the url.
    Anyone have/had this issue ?       

    I've done a test with CWA + open SSID and I don't see the problem. (iPod, latest SW update, pretty old HW)
    My steps:
    1) connected to CWA SSID and it asked me to register, provided my username and password to see if they are correct
    2) disconnected (connected to openSSID) without registering.
    3) Checked reachablity over openSSID
    4) reconnected to the CWA one.
    5) Got redirected automatically.
    Did I miss anything? Any more steps you've done?
    M.

  • 3750-X Dot1x for wired switch ports with ISE 1.2 doing eap-tls

    Hi,
    I currently have an authentication and authorization policy in ISE to allow machines that authenticate successfully with machine certificates to have full access.  If they fail, then they are denied.  And this works correctly.  However, the customer does not want to deny them access if they fail, but instead he would like the machines that fail authentication to have access only to the Internet.  I'm looking for some suggestions on what would be the best way to do this from a policy standpoint?  Also, this would be for devices that are IT devices, or part of the organization, as well as for devices that aren't, for example for contractors or guest and may or may not have wired dot1x services enabled on their laptop that they will be plugging in.  Any help is appreciated.
    Thanks....

    Hello. I can think of two solutions to your requirement:
    #1 (Preferred): Configure CWA (Central Web Authentication) to be your last method of authentication/authorization. That way any devices that fail both dot1x and mab would be send to the guest/web portal hosted by ISE. There users can login with either their AD credentials and/or their guest credentials. That way you can actually provide better/more access to AD type users vs true guests
    #2 (Less preferred): You can use the following command to authorize users/devices that fail dot1x to a "Guest/Internet" VLAN. Keep in mind though that if you use that then there is no "next method" so you cannot utilize mab:
      (config-if)#authentication event fail action authorize vlan  guest_vlan_id
    Thank you for rating helpful posts! 

  • Wired 802.1X with ISE | Some computers cannot be authenticated

    Hi,
    We have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated.
    The port configuration the authenticator (Cisco WS-C4510R+E IOS 151-1) are configured exactly the same:
    interface GigabitEthernet2/19
    switchport access vlan 999
    switchport mode access
    authentication event no-response action authorize vlan 111
    authentication host-mode multi-domain
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    But for some reason some PC cannot be authenticated. A wireshark capture on the computer not working shows that the computer receives a EAP Request Identity and also send a Response Identity to the switch but then nothing happens more:
    So the process is stucked in the EAP-Response/identity. I attach a debug capture on the switch for one of the computer which cannot be authenticated.
    It is really wired as most of the computer can be authenticated without any issues.
    Thanks in advance for your help.
    /Laurent

    I continued the debugging with the following debugs:
    debug dotx1 all
    debug authentication events
    And now I see the following interesting difference between the 2 clients:
    This one works:
    Aug 30 09:12:06.245: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for bc5f.f439.21ca
    Aug 30 09:12:06.245: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac bc5f.f439.21ca
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Sending NEW_MAC to dot1x (handle 0x5E0001D2)
    !! output suppressed - results in success
    This one does NOT work:
    Aug 30 09:14:22.247: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for 3860.775d.cf06
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC 3860.775d.cf06 moved from Gi1/2
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC move action is deny
    !! output supressed - results in failure
    Both clients are testet one at a time on interface Gi3/34.
    The inteface that denies the MAC move action is Gi1/2. This is an interface connected to another network that both of the clients was previously connected to, before connecting them to the Dot1X network (In this case, interface Gi3/34)
    So now the question is what the MAC move action tries to do, and why it is denied...
    If i do a MAC-address table lookup of the affected address, it gives nothing! The MAC is not associated to interface Gi1/2 int the MAC table, even though this is where the auth-manager tries to move it from:
    SW_3.sal#sh mac add add 3860.775d.cf06     
    No entries present.
    If the MAC is not present in the address-table, how can it be associated to Gi1/2 ?
    I found out that the following command clear "whatever state" is inconsistent:
    clear authentication sessions mac xxxx.xxxx.xxxx
    And now the client can access the network!

  • Guest WebAuth with ISE and WLC

    I have a couple of issues with this solution:
    a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of mistake configuration?
    b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.
    I think the second issue is in some way related with the first one.
    Thanks in advance
    Daniel Escalante

    I am trying to figure out the protocol sequence:
    1) The PC client gets IP address from the DHCP (anchor WLC in this case)
    2) When the browser is open and a HTML request is send, the WLC intercepts it and redirect to ISE
    3) Before the Guest Authentication Portal is displayed in the browser PC, an untrusted certicate message coming from the ISE should be displayed.
    4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed
    5) The user type in its credentials
    6) the Successful Login message is received with the WLC IP address
    7) the user is able to browse the internet
    The problem appears in steps 3 and 4. The untrusted certificate message is first showed with the WLC Virtual IP address and then with the ISE IP address.
    I think the message with the WLC address should not be sent, only the ISE message.
    In Step 6 the successful login message should indicate the ISE IP address, no the WLC IP Virtual address.
    I will appreciate your assistance to clarify the event sequence and proper functionality
    Thanks in advance.
    Daniel Escalante.

  • CWA with ISE 1.2 on WLC 7.6

    Hi,
    I referred to the below document from Cisco but still struggling to get the CWA working. The mab status is sucessfull, but the wireless user isnt getting an IP address. 
    the SSID prompts up with "unable to join network" while in the background the MAB authentication is successful.
    redirection acl's are set on the WLC but i don't see any hits on them.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    any suggestions or expert advise is much appreciated.

    Hello,
    Can you publish here screenshot your policy sets authorization, and results profiles
    And, i try help you

  • CWA with WLC Firmware 7.0.228 and ISE 1.1.1

    Hi,
    Does Cisco ISE central web authentication supports on WLC version 7.0.228 ?
    My customer has many access points which are support only for firmware code 7.0.228.
    Cisco ISE version 1.1.1
    WLC 5500 Series but the existing access point is cannot support to 7.3
    Thanks,
    Pongsatorn Maneesud

    Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported on ISE on 7.0 and 7.2 versions of code:
    Scenarios                                                          WLC 7.0                                             7.2 
    802.1X Auth                                                     Yes                                                      Yes
    802.1X + Posture                                            Yes                                                      Yes
    802.1X + Profiling                                           Yes                                                      Yes
    Web Auth + Posture                                       No *                                                   Yes
    Web Auth + Profiling                                      Inventory only *                         Yes
    Central Web Auth(CWA)                               No *                                                   Yes
    Local Web Auth(LWA)                                   Yes                                                      Yes

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response. 
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
    through January 27, 2012. Visit this forum often to view responses to your questions and the questions
    of other community members.

    Hi Daniel ,
    Wonderful observation and great question .
    Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
    So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
    I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
    We have already opened a bug for the same (Little late though )
    BUG ID :CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results.
    Some of the other tthat changes we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
    Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
    00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
    I hope the above explanation could clarify your doubts to certain extent and also keep you
    informed on Cisco's  roadmap on this feature .
    Regards ,
    Sharath K.P.

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

Maybe you are looking for