ISE CWA DHCP renew/release

Does a user needs Admin right on his Windows laptop for the Central WebAuth DHCP Renew / Release to work?
Thanks.

Thank you Tariq for your prompt reply.
I'm don't understand how CoA fix the problem of the workstation.  CoA tells the swtich to assign a new VLAN, but it's not CoA per se that tells the workstation to reset the IP address, since CoA is between ISE and the switch only.  It must be ISE then that send a DHCP release / renew command to the workstation.  I presume that for a Guest user that is done in the browser by Activex.  So maybe the problem is that the web browser is not accepting ActiveX coding?  If you have any other information on the DHCP release / renew process wiith CWA, it would be appreciated.
Thank you again for all the great posts you are contributing to this forum.
Catherine

Similar Messages

  • ISE CWA Time Profiles

    Hi
    Trying to make ISE CWA with WLC2500 to work according to guest time profiles.
    - When suspend guest users in ISE they still can connect and it seems that there is no communications between WLC and ISE (i suspect that ISE will communicate to WLC regarding this)
    - Then creating a guest user with "OnlyFirstLogin".... the user is still connected after shutdown/restart..
    I'm aware of the WLC timeout settings, but not sure if there are in play with CWA
    Any who knows about these time profiles in ISE regards to WLC
    Thx
    Kasper

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • How to Force Client's DHCP Renew on Mobility Event?

    Hi All,
    I have a (single) client (it is a cisco IOS router) behind a wireless workgroup bridge (cisco1242).
    The client's IP address is obtained via DHCP from the wired network.
    Now, when roaming occurs, the Client will never have knowledge about this event,
    and hence will not renew its IP address until lease expiers.
    This is not a problem of course when Layer 2 roam occurs, but with Layer 3
    roam it will interrupt the traffic.
    The cisco's IP Mobile implementation does have this issue addressed in DCCoA
    scenario: the WGB is configured to send an SNMP trap on its dotradio state change;
    the cisco mobile router is configured with snmp-server manager to process this trap
    and start DHCP renew on the Down/Up event. Unfortunately, this works in Mobile IP
    scenario only because I cannot make it work without the mobile router registered
    with a home agent.
    I wonder if someone could come up with an idea on how to force DHCP renew
    on a client (cisco IOS router) in such a situation - event scripting, SLA,  or ...?
    alex
    ============================

    Yes, George, I've looked at this.
    The problem with dynamic anchoring with static IP address is how
    the (new) WLC detects the IP address of the client. Remember that
    my client is cisco router with network(s) behind it. Snooping the
    ARP request will not work since ARP timeout in IOS is 4 hours.
    Orphan packet handling (I understand it is intercepting the IP
    packet from client without reply(?)) will most probably give erroneous
    result as this packet can be a packet from a network behind the router.
    alex
    ====================================

  • SFE2000P - Interface reset on DHCP renew?

    As anyone experienced this problem:
    Im running POE for Cisco 504G phones with a PC attached to the LAN switch port on the phone.  DHCP is being served through a Cisco 1800 series router.
    It seems that the interface will shutdown and come right back on at DHCP renewal obviously resetting the phone and causing the PC client to disconnect.  The only reason I noticed this is because it is right at the same time the lease is expiring.  Both the phone and the PC are on the same VLAN.
    Thanks
    Domenick

    Hi Domenick,
    The question in my mind, is how would a lease renewal on a phone going to  cause the port to go down.  I'm not sure what you mean by .16, but if it is port number 16 no, should be no problem, it's not a special port.
    I'm guessing that the SFE2000P is not in stacking mode  or Layer 3 mode (checked via telnet or console). 
    By the sound of the error log when the link goes down and up again, sure sounds like the phone is going down and up.
    You have an option to see what the phone is doing by sysloging information from the phone to a syslog server, such as the kiwi-syslog daemon.
    Sure sounds like the phone is dropping and not the switch port, I may be wrong, a syslog of what's happening with the spa504G might be useful.
    I have attached the admin guide that shows how to set up the unit for local or remote  syslog server and sending debug messages to the syslog server.  This might be informative, but it sure sounds like you should open a call with the Small Business Support center  as well.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    regards Dave

  • WAN Side DHCP Renewal

    My existing router (not the Actiontec) allows me to view all activity going on with my network.  I just noticed that the WAN DHCP renews every hour.  When I look at the lease time it shows the next renewal is coming up at 12:17pm. 
    Why is Verizon doing this?  

    jumpin68ny wrote:
    fortigate 3.0.  The WAN side is connected to the Ethernet Port of Verizon Fios service.
    Since this is FIOS, directly to the ONT (optical network terminal)?
    Google Image search for fios ont
    Because if not: that first router that is handling the public IP, is giving you a one hour lease.
    ^^
    In Verizon DHCP areas, I hear/read that the lease time is two hours.
    If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

  • ISE - CWA Redirection

    HI
    i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?
    switch configuration
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.20.13 server-key myshared
    client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
    ip access-group ACL-WEBAUTH-REDIRECT in
    ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
    switchport mode access
    switchport voice vlan 93
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 777
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan1
    no ip address
    shutdown
    interface Vlan80
    ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
    remark explicitly prevent DNS from being redirected to address a bug
    deny   udp any any eq domain
    remark redirect HTTP traffic only
    permit tcp any any eq www
    remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host 10.10.20.13
    deny   ip any host 10.10.20.14
    deny   ip any host 192.168.10.43
    deny   ip any host 192.168.10.40
    deny   ip any host 192.168.10.41
    deny   ip any host 192.168.10.42
    remark explicitly prevent DNS from being redirected to accommodate certain switches
    deny   udp any any eq domain
    remark redirect all applicable traffic to the ISE Server
    permit tcp any any eq www
    permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
    CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

  • ISE CWA with COA not work on 3750X.

    Hello.
    I use ISE version 1.2.0.899 this patch number 4. I configure Central Web Auth for wired client.  In first time client open web brouser, and ISE redirect him to guest portal. User input correct credentionals, and after that switch ignor CoA packet. In ISE logs  "5417 Dynamic Authorization failed". If I use domain computer, authentification succecful whis use dot1x.  All on Port g1/0/1. I use 3750X this version IOS 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of this version ios I have this mistake.
    Config:
    3750X-ISE# sh running-configBuilding configuration...Current configuration : 9575 bytes!! No configuration change since last restart! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011!version 15.0no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname 3750X-ISE!boot-start-markerboot-end-marker!!!username admin privilege 15 secret 5 ----username radius-test secret 5 -----aaa new-model!!aaa group server radius end!aaa group server radius ise server name ise3 server name ise4!aaa authentication login default localaaa authentication login CON noneaaa authentication enable default noneaaa authentication dot1x default group radiusaaa authorization network default group radiusaaa authorization network ise group radiusaaa accounting dot1x default start-stop group radius!!!!!aaa server radius dynamic-author client 192.168.102.53 server-key P@ssw0rd client 192.168.102.54 server-key P@ssw0rd client 192.168.102.51 server-key P@ssw0rd client 192.168.102.52 server-key P@ssw0rd server-key P@ssw0rd!aaa session-id commonclock timezone GMT 0 0switch 1 provision ws-c3750x-24psystem mtu routing 1500ip routing!!ip dhcp snooping vlan 701-710ip dhcp snoopingip domain-name com.ruip device trackingvtp mode transparent!!device-sensor filter-list dhcp list DHCP-LIST option name host-name option name default-tcp-ttl option name requested-address option name parameter-request-list option name class-identifier option name client-identifier option name client-fqdn!device-sensor filter-list cdp list CDP-LIST tlv name device-name tlv name address-type tlv name version-type tlv name platform-type tlv name power-type tlv name external-port-id-typedevice-sensor filter-spec dhcp include list DHCP-LISTdevice-sensor filter-spec cdp include list CDP-LISTdevice-sensor accountingdevice-sensor notify all-changes!license boot level ipservices!!!dot1x system-auth-control!spanning-tree mode rapid-pvstspanning-tree extend system-id!!!!!!!!!vlan internal allocation policy ascending!!vlan 102!vlan 701 name ISE-network1!!lldp run!!!!!!!!!!no macro auto monitor!interface FastEthernet0 no ip address no ip route-cache shutdown!interface GigabitEthernet1/0/1 switchport access vlan 701 switchport mode access switchport nonegotiate authentication event fail action next-method authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator spanning-tree portfast!interface Vlan102 ip address 192.168.102.60 255.255.255.0!interface Vlan701 ip address 192.168.107.1 255.255.255.240 ip helper-address 192.168.102.50 ip helper-address 192.168.102.53!ip http serverip http secure-server!ip route 0.0.0.0 0.0.0.0 192.168.102.1!ip access-list extended ACL-WEBAUTH-REDIRECT deny   udp any any eq domain deny   tcp any host 192.168.102.51 deny   tcp any host 192.168.102.52 deny   tcp any host 192.168.102.53 deny   tcp any host 192.168.102.54 permit tcp any any eq www permit tcp any any eq 443!!!snmp-server community test ROsnmp-server community test2 RWsnmp-server trap-source Vlan102snmp-server source-interface informs Vlan102snmp-server enable traps snmp linkdown linkupsnmp-server enable traps mac-notification change movesnmp-server host 192.168.102.53 version 2c test2!radius-server attribute 6 on-for-login-authradius-server attribute 8 include-in-access-reqradius-server attribute 25 access-request includeradius-server dead-criteria time 5 tries 3radius-server host 192.168.102.53 auth-port 1812 acct-port 1813radius-server host 192.168.102.54 auth-port 1812 acct-port 1813radius-server host 192.168.102.54 key P@ssw0rdradius-server host 192.168.102.53 pac key P@ssw0rdradius-server key P@ssw0rd!!!line con 0 login authentication CONline vty 0 4 exec-timeout 60 0line vty 5 15 exec-timeout 60 0!ntp master 5ntp server 198.123.30.132 prefermac address-table notification changemac address-table notification mac-moveend
    Please, help me.

    Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
    •debug radius
    •debug aaa coa
    •debug aaa pod
    •debug aaa subsys
    •debug cmdhd [detail | error | events]
    •show aaa attributes protocol radius

  • [ISE + CWA] Redundant Guestportal

    Hello Community,
    I try to configure a redundant guest access with 2 ISE und 2 guests anchors. ISE Management and the sponsor portal are connected to eth0 (gig0) with hostname ise1.mydomain.com (ise2.mydomain.com for 2nd ISE). Eth0 is reachable from company network. The web authentication, where guests must enter their login credentials, is only reachable via eth1 (gig1) with hostname ise1-pub.mydomain.com (ise2-pub.mydomain.com for 2nd ISE). 
    The main problem is, that ISE always redirects to ise1.mydomain.com, which is on eth0 and therefore not reachable for wireless guests. I can configure a static hostname for redirection (which is cluster wide), but then I have no redundancy (there is no balancer reachable). So ISE must chose the correct hostname for the redirection URL depending on the ISE who authenticates the guest.
    I tried to define an alias for both ISE on CLI:
    ip host 10.1.1.1 ise1-pub ise1-pub.mydomain.com on primary ISE and
    ip host 10.1.1.2 ise2-pub ise2-pub.mydomain.com on secondary ISE
    and deleted the static ip/host entry in my authorization profile. But ISE always redirects to ise1.mydomain.com (or ise2.mydomain.com). My understanding was, that if I configure an alias, ISE will redirect to the alias IP. 
    Any hints?
    ISE is version 1.2.1 Patch 4
    Guest Anchors are 5760 with 3.6.1

    Instead of having just one authz rule for the cwa redirect as normal, you can create one for each of the servers (still configured on the primary of course).
    What you do is create one rule where your authz profile has the static host redirect set to ise1-pub.mydomain.com and the condition : server : ise1
    Then create a copy of that rule, where you redirect to ise2-pub.mydoamin.com, and use the condition server : ise2
    This will redirect to different names, depending on which of the ise servers the radius request was received by.
    I attached a screenshot of the rules.

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
    as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101
    1- I have an issue authenticating with Chrome on W7 and android. I receive the splash page, i can authenticate but i always receive this error message. With IE and firefox i can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
    This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
    As far as certs if you are using mobile devices you may want to consider 3rd party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • ISE CWA FLEXCONNECT - No url redirect

    Hi,
    I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
    Unfortunately I'm running into problems.
    The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface. 
    Vlan 2 is a guest network terminating on a separate interface in the ASA.
    The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
    I've followed the following guides:
    http://www.drchaos.com/flexconnect-local-switching-guestbyod/
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
    Currently I'm at work but I can provide some debug output later. 
    Have anyone seen this behavior before?

    It is possible that you are hitting the following bug:
    https://tools.cisco.com/bugsearch/bug/CSCue68065
    One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
    1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
    2. The standard ACL does not have to have any ACE in it
    I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try. 
    Thank you for rating helpful posts!

  • ISE CWA redirect redundancy

    Hi
    If in a CWA authorization profile the IP address option is used for the redirection, how will this impact on redundancy ? For instance in my implementation with 2 ISE appliances, on the Primary Admin Node the CWA profile is configured with an IP address of x.x.x.110 which is the address of the Primary ISE appliance. When the primary appliance fails how will the secondary appliance handle the above cause the x.x.x.110 ip address will then be unavailable and the new ip should be x.x.x.109....? 

    If you check that box and set an IP address manually then all CWA requests will go to that IP/Host Name. If you want to have redundancy then you should leave that box unchecked. Doing that will allow ISE to use the FQDN of the Radius server that is currently serving that SSID. 
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE CWA redirection problem for Apple devices

    Hi,
    I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
    I have noticed that redirection to ISE portal doesn't work for apple devices (iOS 7 and later).All other devices like laptops,androids etc work fine.
    Seems that the workaround on WLC that bypasses the CNA on iDevices doesn't work in my case.The device tries to open the ISE portal and shows just a blank page (attached photo)
    The problem doesn't appear for devices with iOS 6 but only for newer versions.
    I've also tried with version 8.0 on WLC without success.
    Any advise?
    Regards. 

    Captive portal/wispr support for apple ios7
    CSCuj18674
    Description
    Symptom:
    When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
    Conditions:
    The Apple device is running Apple iOS 7.
    Workaround:
    In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
    IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.

  • ISE and dhcp snooping

    Hi all,
    The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches) so we do it. However I have never understood what this accomplishes. (In terms of ISE/NAC. I understand what DHCP snooping is).
    Can anyone explain? Thanks.

    Thanks for the reply, Vattulu.
    Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.
    Googling around I found this article/section:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679
    which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.
    Still digging, I would like to understand this. Thanks for your help.

  • Cisco ISE - CWA AD Authentication

    Hello,
    I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
    Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

    Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices. 
    For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If  you don't use policy sets, then you should create one "authorization rule for Guest_Wired and one for Guest_Wireless. 
    For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
    For the Guest_Wireless, you will need to return "access_accept" and then a "Airspace ACL Name" That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive! 
    Both the DACL and the "Airspace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
    1. Permit DNS- Needed for DNS resolution
    2. Permit access to ISE - Needed for the guest pages to properly load) 
    3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
    4. Permit everything else - Needed for general internet browsing
    I hope this helps!
    Thank you for rating helpful posts!

  • Cisco ISE - CWA Redirect

    Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
    All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
    The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

    Poonam,
    I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
    1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
    2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
    3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
    4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
    Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
    Let me give you this example. Say I have the following confgured:
    CONFIGURED SWITCH INTERFACE ACL (PACL)
      ip access-list standard ACL-ALLOW
       permit ip any any
    CONFIGURED SWITCH REDIRECT ACL (RACL)
      ip access-list extended ACL-WEBAUTH-REDIRECT
       permit tcp any any eq www 443
    CONFIGURED ISE DOWNLOADABLE ACL (DACL)
      permit tcp any host <psn01> eq 8443
      permit udp any host <dns01> eq 53
      deny ip any any
    Then the process would look like this:
    1. During dot1x negotiation the acl that is used is this:
    permit ip any any     <<<<<PACL
    2. Once CWA is in effect then the acl looks like this:
    redirect tcp host <host ip> any eq www 443             <<<<<<RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
    deny ip any any      <<<<<<DACL
    permit ip any any      <<<<<<PACL

Maybe you are looking for

  • Is it possible to see cash flow statement in sap fico ? ;How

    Is it possible to see cash flow statement in sap fico ? ;How

  • Problem - NSP - SAP NetWeaver 7.0 - connection

    Hi All, I have installed SAP NetWeaver 7.0  abap trial version, installation went well, but unable to connect , getting the following probleem partner '127.0.0.1:sapdp00' not reached' some one please let me know how to solve it. Thanks jag

  • Authorization group/Authorization object

    Hello Friends, I have a situation where one site accountant is posting on other sites cost So If we restrict the user from posting to other WBS which is not his site, this will sort out the problem Please advise what to do in this case. Thanks. Sunil

  • A query opened in 7.0 instead of 3.5, transporting didnt save me

    Hi, I have opened a query that i shouldnt open in 7.0. It is a kind of very important query, now i dont know how to open it in 3.5.I transported same query from my test system but it gives the same message this component was edited with a recent vers

  • Change quantity in PR already released

    Dear SAP gurus, I'm using MRP to generate PR. These PRs then are subject to release strategy. When the PR is still not released, i can change the quantity. However when the PR is already released, I cannot change the quantity (the quantity is . Note