LWA Guest Access with ISE and WLC

Hi guys,
Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
1. Guests try to connect wifi with SSID Guest
2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
5. After that the Guest Login Page will appear, and guests input their username and password.
6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
I know it happened when guests didn't have the WLC Login Page Certificate...
My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
Thx 4 your answer and sorry for my bad English....

Thx for your reply Peter, your solution is right,
i don't choose CWA, because their DNS is not stable...
i've found the problem...
the third-party CA is revoked, so there is no way it will success until it fixed...
and there is no guarantee, they will fix it soon..
so solution that we choose is by disable "HTTPS" on WLC...
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable"
thank you all...

Similar Messages

  • Guest WebAuth with ISE and WLC

    I have a couple of issues with this solution:
    a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of mistake configuration?
    b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.
    I think the second issue is in some way related with the first one.
    Thanks in advance
    Daniel Escalante

    I am trying to figure out the protocol sequence:
    1) The PC client gets IP address from the DHCP (anchor WLC in this case)
    2) When the browser is open and a HTML request is send, the WLC intercepts it and redirect to ISE
    3) Before the Guest Authentication Portal is displayed in the browser PC, an untrusted certicate message coming from the ISE should be displayed.
    4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed
    5) The user type in its credentials
    6) the Successful Login message is received with the WLC IP address
    7) the user is able to browse the internet
    The problem appears in steps 3 and 4. The untrusted certificate message is first showed with the WLC Virtual IP address and then with the ISE IP address.
    I think the message with the WLC address should not be sent, only the ISE message.
    In Step 6 the successful login message should indicate the ISE IP address, no the WLC IP Virtual address.
    I will appreciate your assistance to clarify the event sequence and proper functionality
    Thanks in advance.
    Daniel Escalante.

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • Guest access with CWA on ISE

    Hi support community
    we just implemented CWA for wireless guest access using ISE. however we have an issue, the redirect URL is a name, not an IP address, and the guest dhcp scope use public DNS servers, so CWA doesn't work unless we set the company DNS servers.
    so my question... is there a way to configure ISE to send the ip address instead the name for redirection in CWA?
    Many thanks in advance...

    Hi, thanks for answering...
    Yes the problem is that public DNS servers obiously can't resolve ISE servers names. Additionaly the guest VLAN has an ACL blocking all the traffic destined to internal resourses with some exceptions (DHCP, DNS and ISE port for CWA).
    however, guest can access to some company services, but as if they were located on internet, ie through the public ip address, so if we use internal servers, they resolve the internal ip address and connections fails. the Muhammad suggestions could be the solution for the problem....but now is something to discuss with the DNS server administrator...
    thanks

  • ISE and WLC SRE module compatibilty matrix

    Hi all,
    We are running SRE module on router with code of 6.x release .Is there any compatibilty matrix available for ISE and WLC code to support CWA . because as of now , the wireless clients are not redirecting to the ISE login page.
    Kindly suggest.
    Thanks,
    Regards,
    Vijay

    The doc is for wireless guest using CWA. For wired guest, I don't know since you can do wired guest from a WLC that supports it or from a switch.
    Sent from Cisco Technical Support iPhone App

  • Wired guest access with 5508

    Hi
    I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
    VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
    There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
    LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
    Thanks
    Pat

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • CWA with ISE and 5760

    Hi,
    we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
    I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
    aaa authentication login Webauth_ISE group ISE
    aaa authorization network cwa_macfilter group ISE
    aaa authorization network Webauth_ISE group ISE
    aaa accounting network ISE start-stop group ISE
    aaa server radius dynamic-author
    client 10.232.127.13 server-key 0 blabla
    auth-type any
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 31 send nas-port-detail mac-only
    wlan test4guests 18 test4guests
    aaa-override
    accounting-list ISE
    client vlan 1605
    no exclusionlist
    mac-filtering cwa_macfilter
    mobility anchor
    nac
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list Webauth_ISE
    no shutdown
    wc5# debug aaa coa
    Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
    Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
    Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
    Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
    Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
    Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
    Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
    Feb 27 12:19:08.444: COA: Message Authenticator decode passed
    Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444:
    Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
    Feb 27 12:19:08.444:
    wc5#

    Reason for this are two bugs which prevent this from working:
    https://tools.cisco.com/bugsearch/bug/CSCul83594
    https://tools.cisco.com/bugsearch/bug/CSCun38344
    This is embarrassing because this is a really common scenario. QA anyone?
    So, with ISE and 5760 CWA is not working at this time. 

  • ISE and WLC

    Dear friends,
    We are using ISE and WLC integrity in our network, we have Corporate and Guest SSID, we configured it but client cant connect to this ssid and cant be authenticated, please see attached files and tell me if i done something wrong in configuration of WLC
    10.10.17.201 is ISE
    Thank you for attention

    Hi,
    After viewing the Trap logs it seems you have checked on validate machine.
    On the client side, make sure you don't check validate machine and then try.

  • Snmp error for guest access ticket on two WLC

    Hi,
    I have one wcs (5.0.56.2) and two wlc 4400 ( 5.0.148.2). When i try to create a ticket for guest access on the two wlc without time restriction, it works well. But when I defined time restriction for the ticket, i have a snmp error on the passive wlc (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active xlc.
    Thks.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
    The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
    For the configuration following URL may help you
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

  • Rogue AP - Not in sync with WCS and WLC

    WCS - 7.0.164.0 and WLC - 7.0.98.0.
    For some reason, I am seeing rogue ap alert on WLC and am not seeing on WCS.   How do I clean up database and sync with WCS and WLC.
    I am seeing same thing with coverage holes.
    - Allen -

    Allen,
         On the WLC go to Management > SNMP > Trap Controls, make sure that you have the traps checked.
    HTH,
    Steve
    *Please remember to rate helpful posts*

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

  • Guest Cert problems ISE and Anchor WLC

    I'm setting up new Guest Wireless, I have 2 internal foreign 5508 WLC's talking to 2 DMZ anchor WLC's. The guest connects to Guest SSID and the anchor controllers acts as a DHCP server, the Guest interface configured on the WLC is the in the range of the DHCP scope I've setup. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
    Guest SSID - is setup for Webauth and Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get cert problem because the cert is not trusted (its an Internal Cert), Guest logins in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
    In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
    1.1.1.1 is the Virtual interface of the Anchor WLC.
    How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
    My plan is to apply a External Cert on the ISE for Guests, that way they will automatically trust a cert from Geotrust for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor  Virtual Interface 1.1.1 . Why is the guest using the Virtual interface error 1.1.1.1. I've even added the ISE name of the cert to the Virtual interface, same problem, instead its just says  wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on anchor WLC, still doesn't work.
    Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
    https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

    I followed Richard's advice and started from scratch, removing LWA and implementing CWA -MAB. It didn't take too long to setup CWA and get authentication working, I appled a Preauth ACL on WLC's and on ISE under Authorization pofile (CWA)
    This is when the problems started happening, I was using the default ISE Authorization profile
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.which is not what I want, again the certificate is the server cert which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA, with Firefox or IE it would accept the cert and login so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser url.
    The next step I tried was to change the Authorization Profile to
    (wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
    cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
    I applied the change and the new page appeared on the users laptop, great, but this time users were declined access via live Authentications, reason "Cannot login due to session id expiry, please login a again", I created a new user a/c, same problem. Not good. Ok so I thought well if I want clear all these stale session id's that appartenly exist I'll stop/start the application which I did from the command line, still the same error "Cannot login due to session id expiry". hmmm, whats going on here.
    I then rebooted the ISE (this must clear all the sessions!), reboot I performed from home and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message "Error: cannot reset password this can only be performed on Standalone or Primary node" Well what have I done, just rebooted ISE nothing else apart from changing authorization profile. This box is a Standalone node. Without seeing if the clients connect due t no GUI access, I have referred this issue to TAC!
    Also I don't like the fact that your have to install a external cert against the internal node name, epsecially when its external. But again I haven't reached this part yet.

  • WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

    Hi there,
    Is it possibe to use sleeping clients when using ISE and CWA?
    I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
    Or is the only solution to use LWA?

    Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
    And your users will be connected all this time even if they going in sleepmode
    be carefull with CPU loading

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • WLC 2100 guest access with local web authentification

    Hello I tried to create a guest acces with local web authentification.
    My Laptop is connected to the Wlan but My Browser don't ask my login and password

    Please refer to the following links:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

Maybe you are looking for

  • Fixing a US7ASCII - WE8ISO8859P1 Character Set Conversion Disaster

    In hopes that it might be helpful in the future, here's the procedure I followed to fix  a disastrous unintentional US7ASCII on 9i to WE8ISO8859P1 on 10g migration. BACKGROUND Oracle has multiple character sets, ranging from US7ASCII to AL32UTF16. US

  • Where is the GDM setup gone?

    Hi, I've just upgraded my system to Gnome 2.28 and basically it runs just fine. During the upgrade process pacman told me that the new GDM config file /etc/gdm/custom.conf is saved as /etc/gdm/custom.conf.pacnew. As I haven't written anything critica

  • CS3 Premium - Windows 8.1

    Buongiorno ho una licenza Adobe CS3 Premium. Dovrei cambiare sistema operativo e passare a Windows 8.1. Posso mantenere la stessa licenza o devo fare un upgrade del prodotto Adobe? Windows 8.1 è compatibile con CS3 Premium? Grazie ciao :-)

  • How do I find my Quicktime reg key? Downloadable purchases is greyed out?!

    I purchased Quicktime Pro a few years ago. Now I want to re-register it on my pc it doesn't allow me the option of going into 'my account' and selecting 'downloadable purchases' to see my Quicktime Pro activation key. Does the Quicktime Pro registrat

  • Business Rules Database Table

    Hi, What is/are the tables that stores business rules information in the database? Thanks, lakshmi.