ISE Multiple SSIDs using CWA
I am using ISE 1.2.198 primarily to authenticate guest users.
I have 2 types of guest - day visitors and longer term visitors.
I am using 2 separate SSIDs on a 5760 controller.
On the ISE I have authentication conditions to differentiate between the different SSIDs and apply the relevant policy set.
I am using CWA with wireless MAB for both policy sets.
Everything is working fine using different portals for each SSID.
I have Sponsors set up to create accounts, to assign different roles (guest or partner) and to apply different time profiles. That all works and the account details get emailed to the recipient successfully.
The issue I have is that the sponsored account credentials can be used to authenticate a user on either SSID.
If the sponsor creates an account and assigns it to the guest role that user can authenticate successfully to both the guest and partner SSIDs with the same credentials. Similarly, if the account is assigned to the partner role, the user can again authenticate to both SSIDs.
There must be a way to differentiate between different roles within the authorization policies.
I can't find a way within the Policy Sets to separate the 2 types of users. Adding any conditions to the authorization rules that include the Network Access UseCase equals Guest Flow doesn't seem to have any affect.
Has anyone managed to do this type of thing successfully?
Roger,
If you are using Active Directory as your Identity Source, then that is your issue. As you know, ISE 1.2 is limited in AD Authentications. What I would suggest is to go to Administration > Identity Management > External Identity Sources and set up an LDAP connection to the AD group from which you would like to authenticate. One for each type of guest and choose only the AD Group that Guest type uses:
Once this is done, create an new Identity Source Sequence for each Guest type:
Then go to Administration > Web Portal Management > Settings and choose the Guest Portal you want to modify. Click The Authentication tab and choose the Identity Store Sequence you just created for that portal.
That should fix the issue.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
Similar Messages
-
OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue
We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
thanks - ciscosxRobert,
Manual assignment has been made available in ISE 1.2 release.
M. -
ISE 1.2 Redirect using CWA Wireless
Once a wireless user is authenticated to a WLAN using CWA and ISE, what are the parameters that can cause the user to be deauthenticated and redirected to the web portal? The session timeout and user idle timeout in this scenario are set to 24 hours. What else could cause the user to be redirected to the portal?
Its a wireless controller bug. You will have to get an engineering build from Cisco to resolve.
CSCul43158
Description
Symptom:Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client - example:
*apfReceiveTask: Nov 07 14:27:32.113: 00:11:33:d2:ef:0c 192.168.25.165 RUN (20) Unknown Policy timeout
*apfReceiveTask: Nov 07 14:27:32.113: 00:11:33:d2:ef:0c 192.168.25.165 RUN (20) Pem timed out, Try to delete client in 10 secs.
Conditions:Clients using Central Web Authentication (CWA).
Workaround:none -
Using multiple SSID with AP 1100 (standalone mode).
Hi, need to configure 2 SSID on the same 1100 AP: open authentication and WPA2. It's possible to configure these 2 SSID without configuring VLAN's ?
On CCO I've read the following:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml
Q. How many service set identifiers (SSIDs) can you have per VLAN?
A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
It's also true with the latest IOS release ?Hi Roberto,
Hopefully the attached docs will answer your question:
Cisco Aironet 1100 Series
Using VLANs with Cisco Aironet Wireless Equipment
Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
Configuring Multiple SSIDs
vlan vlan-id
(Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
Hope this helps!
Rob
Please remember to rate helpful posts....... -
Multiple SSIDs: what firmware to use?
I have a WRT54GL, and I've heard some of those open-source firmwares allow you to create multiple SSIDs. I have some computers that use WPA, and one computer that uses WEP. So I'd like to be able to create one SSID for WPA clients, and another SSID for WEP clients. And also a third SSID for guests. What firmware will allow me to do that easily?
I am not sure that Open Source Firmware work properly or not .....
-
We would like to set up a voice only SSID for Cisco 7925 wireless phones. We are running version 1.1 of ISE and 7.0.116 on older lan controllers.
Obviously we can do things to discourage other users/devices from connecting to this SSID but we would really like to restrict devices to just Cisco wireless phones. There seems to be no checks in ISE for 7925s.
Anyone have any relevant experience and/or suggestions ?
BobAccording to documentation, 7925G do support EAP-TLS, so you use certificates to authenticate them
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/administration/guide/7925cfgu.html#wp1376129
Then on ISE you could use a certificate dictionary to look for the common name to start with "CP-7925" or whatever that IP Phone uses to identify itself
The following links is a great guide to use certificates with IP Phones and Cisco ACS
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
PLease rate if it helps. -
Authentication with Multiple SSIDs AP521G, using Autonomous
I have an AP521G access point that I am trying to setup authentication for multiple SSIDs. One SSID is for domain users with WPA/TKIP authentication to a radius server and the other SSID is for guest to have access to Internet with no authentication. Is there a way to setup both SSIDs on the AP for this configuration?
Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.
-
Using multiple SSIDs with same name but different PSKs
I have a central WLC 2504 controller that is being used for remote site FlexConnect 1141 APs. They all advertise three different SSIDs. One SSID is a global SSID that is the same at every office. One is a hidden SSID using 802.1x machine auth.
The one I am trying to get working is the local office guest network. These SSIDs are all the same at each office but should have different PSKs. They are local to the office, therefore would only ever be applied to a specific FlexConnect group.
I understand why in theory this is generally not a good idea but given these are for remote sites I'd like it to be possible. I always get this message though:
"WLAN with duplicate SSID and L2 security policy found"
Is there a way around this? New WLC code that allows it maybe?I was able to configure three (more I think possible) WLANs with same SSID name and all are WPA2-AES-PSK on the same WLC and all are enabled at hte same time.
Note that you can not have any of those broadcasting on same AP group. Each WLAN can be only broadcasted on a separate AP group. For your sites, It will probably need you to define an AP group for each site to broadcast different WLANs on different sites.
You can do that if all your WLANs have an ID of 17 or higher. (the reason is, WLANs of 1-16 are by default broadcasted on the default AP group. and because those can not be on the same AP group - including the default one - then you can't have them with WLAN IDs 1-16. i.e on same - default - AP group)
HTH
Amjad
rating useful replies is more useful than saying "Thank you" -
ISE Authentication cache in CWA for Guest
Ciao,
do you known how I can cache a guest authentication ?
For example a Guest connect to guest SSID (open); authenticate using CWA (ISE and WLC). After that every time the guest logoff and login, no authentication is required during the same days.
ThanksYou can find "Automatically register guest devices /Allow guests to register devices" option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
using this option -Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
And you have "ActivatedGuest" option in 1.2 -
Multiple SSID's on the same subnet?
Can you have Multiple SSID's on the same subnet?
SSID1 authenticates clients via radius.
Our corporation bought printers with wireless cards that only support WPA-PSK so we created SSID2 for the printers. We can connect to both SSID's and ping from SSID1 to SSID2 but we can not perform other functions such as view the printer management interface with a browser. Should it be possibe to communicate between SSID1 and SSID2 on the same subnet?Yes you should have no issue, but the only thing is that you are using a lower security method... so either you put them on different subnets so you can control the traffic via acl's or might as well use the same security method to make it easier. The fact that you can ping sounds like you should be able to http to the device.
-
Single access point with multiple ssids and single channel possible?
Hi everybody.
I have this silly question.
Let say we have three vlans, vlan1,2,3 and they are mapped to wlans as follows:
Vlan 1 ssid1
Vlan 2 ssid2
Vlan3 ssid 3
AP --------trunk------Switchted network.
Our Ap has mobile devices in three wlans, i.e ssid1ssid2 and ssid3
Since AP uses half duplex mode, mobile devices need positive ack from ap before they can send data, therefore once channel let say channel 3( assuming 802.11b is used) can be shared by all mobile devices in three wlans.
Is my understanding correct?
Thanks and have a great weekend.Hii ,
Yes ,that is pretty much possible as suggested by other experts on board. Depending on your access point you will have 1 (2.4 GHz) or both 2.4 & 5GHz radios.
You can configure multiple SSIDs (up to 16 ) known as MBSSID mode in autonomous environment. In Controller based architecture you can configure up to 512 WLAN (SSID) and transmit any 16 of them per AP (using AP group feature). However , it is recommended to keep multiple SSID count below 8 as for each SSID separate beacon will be sent on air which consumes more air time.
Hope this helps
Thanks
Vinay -
Multiple SSID with different Login Web authority pages
Our current setup is one Anchor control and then several WLC’s, I want to know if I can have multiple SSID and use different Web Auth pages form them, so I can have a SSID that requires a password to Authentication access and another SSID that requires pass through Authentication but they would have different web authentication pages and go to different pages once Authenticated.
Is this possible to ?Hi,
If you are running WLC software 4.2 and above then u can do this on per WLAN basis.. here is the link which tells on how to do it..
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml#A1
Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
Regards
Surendra -
Is it possible to do multiple ssids and encryptions on an autonomous AP without vlans?
I got a customer who just has autonomous APs. They are upgrading from 1210s to 1262s. They are currently running a config that is wide open with no authentication or encryption and using a VPN tunnel on the wireless clients for security. They want to switch to using WPA2/PSK with the new APs. They have existing clients that have to continue to work during the upgrade to the new APs. They run 3 shifts so it is a 24 hr operation with no downtime. What I was thinking would be to configure the 1262 with multiple SSIDs, one with their existing settings and one with the new. Then I could swap the APs one at a time and it would only impact service for a short period of time while I was mounting the new AP. Then once all the new APs are installed I could transition the clients over to the new SSID and encryption then disable the old SSID once all the clients are switched over. I've done this before with a WLC but not with an autonomous APs. The only config examples I can find uses VLANs. This customer is not using VLANs. Is there anyway to use multiple SSIDs with different encryption on a single radio on an autonomous 1262 without VLANs?
The site has about 30 APs and 100 clients. Yes I know a controller would be preferred for a site of this size but that is a question for sales and why they didn't see them a controller. I just get stuck with what they sell them.
thanksHi Don,
Im afraid on the autonmous platform you can not map multiple WLANS to a single vlan.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
1242AG Wireless Access Point - Cannot Get DHCP IP for BVI1 interface - Multiple SSIDs...
Hello,
I am attempting to set up three Cisco 1242AG Wireless Access Points with multiple SSID's. I used the web interface and directions online to set up the two networks I want and at least one of the networks work wirelessly.
However, I have two problems:
The first, which is the most important, is that the "management" interface, BVI1, doesn't get an ip address from our DHCP server. I set the VLAN 60 (which you'll see in the documenation below) to be the native VLAN on the device as well as on the switch that the device is connected to as well as other settings in the configeration file below. Because of this, I can only manage the device via the console port which would be a huge pain once all of the devices are mounted.
The second problem is that I am not sure how to get both wireless networks broadcasting their SSID's. I have to manually type in the SSID for the second wireless network I have which I would prefer I don't have to. Anyway I can enable broadcasting on all of the SSID's?
Thank you for your time.
Regards,
Christopher Koeber
Using 7916 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP-18.wesleysem.edu
enable secret {Number Here} {Encrypted Password Here}
enable password {Number Here} {Encrypted Password Here}
aaa new-model
aaa session-id common
dot11 syslog
dot11 vlan-name Kresge vlan 20
dot11 vlan-name Library vlan 30
dot11 vlan-name Public vlan 60
dot11 vlan-name Secure_Public vlan 70
dot11 vlan-name Secure_Seminary vlan 80
dot11 vlan-name Server_Room vlan 1
dot11 vlan-name Straughn vlan 40
dot11 vlan-name Trott vlan 10
dot11 vlan-name Web_Room vlan 50
dot11 ssid (Secure) Wesley Campus
vlan 80
authentication open
authentication key-management wpa version 2
wpa-psk ascii {Number Here} {WPA Key Here}
dot11 ssid Public
vlan 60
authentication open
mobility network-id 60
username Cisco password {Number Here} {Encrypted Password Here}
username admin privilege 15 secret {Number Here} {Encrypted Password Here}!
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 80 mode ciphers aes-ccm
ssid (Secure) Campus
ssid Public
mbssid
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
interface Dot11Radio0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
bridge-group 40 spanning-disabled
interface Dot11Radio0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
interface Dot11Radio0.60
encapsulation dot1Q 60 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.70
encapsulation dot1Q 70
no ip route-cache
bridge-group 70
bridge-group 70 subscriber-loop-control
bridge-group 70 block-unknown-source
no bridge-group 70 source-learning
no bridge-group 70 unicast-flooding
bridge-group 70 spanning-disabled
interface Dot11Radio0.80
encapsulation dot1Q 80
no ip route-cache
bridge-group 80
bridge-group 80 subscriber-loop-control
bridge-group 80 block-unknown-source
no bridge-group 80 source-learning
no bridge-group 80 unicast-flooding
bridge-group 80 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 80 mode ciphers aes-ccm
dfs band 3 block
channel dfs
station-role root
interface Dot11Radio1.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface Dot11Radio1.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
interface Dot11Radio1.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
bridge-group 40 spanning-disabled
interface Dot11Radio1.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
interface Dot11Radio1.60
encapsulation dot1Q 60 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.70
encapsulation dot1Q 70
no ip route-cache
bridge-group 70
bridge-group 70 subscriber-loop-control
bridge-group 70 block-unknown-source
no bridge-group 70 source-learning
no bridge-group 70 unicast-flooding
bridge-group 70 spanning-disabled
interface Dot11Radio1.80
encapsulation dot1Q 80
no ip route-cache
bridge-group 80
bridge-group 80 subscriber-loop-control
bridge-group 80 block-unknown-source
no bridge-group 80 source-learning
no bridge-group 80 unicast-flooding
bridge-group 80 spanning-disabled
interface FastEthernet0
ip dhcp client update dns
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface FastEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
interface FastEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
no bridge-group 40 source-learning
bridge-group 40 spanning-disabled
interface FastEthernet0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
interface FastEthernet0.60
encapsulation dot1Q 60 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.70
encapsulation dot1Q 70
no ip route-cache
bridge-group 70
no bridge-group 70 source-learning
bridge-group 70 spanning-disabled
interface FastEthernet0.80
encapsulation dot1Q 80
no ip route-cache
bridge-group 80
no bridge-group 80 source-learning
bridge-group 80 spanning-disabled
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
endI am using a third party DHCP server which is our Windows Domain Controller. I have the ip helper-address set for the native vlan of the Access Point through a layer 3 distribution switch (a Catalyst 4506) that the current switch connects to.
I didn't see any event on the logs for the AP.
Let me know if I need to do something else.
Thanks. -
WAP200 and .1x/radius authentication with multiple SSIDs
Apparently it's not possible to define more than a single radius server when using multiple SSIDs with WAP200. Unfortunately WAP200 doesn't add the name of the SSID as a radius attribute, so it's not possible to make distinction whether the user is trying to log in to SSID A or B. Does anyone have any ideas or workarounds for this limitation? Of course the best solution would be if Cisco/Linksys fixed the firmware so that the SSID of the logging in user would be sent to the radius server as an extra attribute or appended to the client mac address.
Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.
Maybe you are looking for
-
I have 25 gb of music. 20 gb of movies. 5 gb of pictures. 10 gb of apps. 102 gb of "back up. and 85 gb of "other. which leaves less than 70 gb open on my harddrive.. Why? What is that almost 200 gb of memory? How Do i pinpoint it? I use time machine
-
How can I have an instance of mx.controls.List in a SWF from Flash?
How can I have an instance of mx.controls.List component in a Flash, and import its SWF into a Flex application so it can controll it? Is it possible to do this either at author-time or runtime? I see plenty of examples of how you can import a SWC i
-
Help! how do I view an epub file?
-
I have been struggeling for days to update my Iphone software to V5.1. On my desktop PC with uninterrupted ADSL I received a message "error in connection" and operation tmed out" I have used my laptop (with no previous Itunes programs) installed It
-
Dummy Profit Center in Balance Sheet Account
Hi Profit Center Guru, I have a lot dummy profit center posting from B/S accnts from the below kind of type: 1) Bank Account 2) Inventory Account 3) WIP Account 4) customer/vendor reconciliation account 5) Tax account 6) Accrual Income account 7) Ot