LWA guest portal ISE & 4400 7.0.x
Has anyone managed to get guest LWA working with ISE for wireless guest portal access? Examples seem to skip bits and I can't find anyone that has managed to get it working. I have Cisco 4400 WLCs running the latest 7.0 code and ISE 1.1.2.
All guest portal examples seem to be CWA, which only works on 7.2 code.
Am I without hope of getting this working on 7.0 code?
We got LWA guest portal to work between ISE & 4400 7.0, before we migrated to CWA w/ a 5508.
Can't remember exactly which documents we used, but your best bet is the TrustSec 2.0 (not 2.1) guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
and the WLC example:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml
Keep in mind if you use LWA, you'll need two SSL certs - one on WLC, and one on ISE.
With CWA, only one cert is needed on ISE.
Similar Messages
-
Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC
Hello everybody,
I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
The authentication logs show that the posture status changed from non-compliant to compliant but the user doesn't obtain access.
Here are the details:
Authentication Details
Source Timestamp: 2015-04-30 18:43:13.179
Received Timestamp: 2015-04-30 18:43:13.18
Policy Server: ISE-CISCO
Event: 5417 Dynamic Authorization failed
Failure Reason: 11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution: Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause: No response received from Network Access Device after sending a Dynamic Authorization request
Username:
User Type:
Endpoint Id: E0:9D:31:07:**:**
Endpoint Profile:
IP Address:
Identity Store:
Identity Group:
Audit Session Id: ca0019ac00000003ae674255
Authentication Method:
Authentication Protocol:
Service Type:
Network Device: WLC-1
Device Type:
Location:
NAS IP Address: 172.25.0.202
NAS Port Id:
NAS Port Type:
Authorization Profile:
Posture Status: Compliant
Security Group:
Response Time: 15002
Other Attributes
ConfigVersionId: 4
RadiusPacketType: CoARequest
Event-Timestamp: 1430415778
AcsSessionID: 50149c2f-08fb-4f9d-b1b5-f655e71d039f
StepLatency: 3=15001
Device IP Address: 172.25.0.202
CiscoAVPair: subscriber:command=reauthenticate
audit-session-id: ca0019ac00000003ae674255
Session Events
2015-04-30 18:43:13.18 Dynamic Authorization failed
2015-04-30 18:41:44.159 Dynamic Authorization failed
2015-04-30 18:35:42.64 Guest Authentication Passed
2015-04-30 18:34:39.214 RADIUS Accounting start request
-
ISE 1.2 Guest Portal - Device registration portal
Hello,
I have a problem with the following setup:
- Cisco ISE 1.2 (latest patch)
- Cisco WiSM with 7.0.220.0 (first generation)
I have built Guest access via ISE. Because the WiSM's highest version is 7.0.X, I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with an iPad, the client is redirected to the ISE guest portal and the user can enter his credentials (delivered by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and needs to register his MAC address.
We have tried a lot of different settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
Please can someone help me to find a solution for this problem?
Thank you in advance.
I know this might be reaching, but have you turned off the My Devices portal?
If so, an idea of the different settings you have already tried might help.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Hello Everyone
Is it possible to have a WLC 4402 and a WLC 5508 working with the Guest portal of the ISE at the same time?
I know that for the WLC 5508 it works fine and I can implement this as CWA, but for the WLC 4402? I read something about changing the certificate in the ISE in order to have it as LWA, but can this affect the CWA implementation?
Thanks for any suggestion.
Sending LWA and CWA authentications to the same guest portal won't be a problem. To keep things nice and clean though, you can create a second HTML portal so you can dedicate one to each process, but it is not necessary.
Hope this helps!
Thank you for rating helpful posts! -
ISE, guest portal on WLC
Hi,
Currently we have wireless guest login through a guest portal in the WLC. Is it possible to implement ISE and keep the guest portal in the WLC?
Example:
User connects to an SSID with a laptop. That laptop is profiled as not belonging to the company network and is then redirected to the WLC guest portal.
All the guides I find is about having the guest portal in the ISE.
Regards
Philip
You can use LWA for this. The WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning.
Refer to the following link for configuration example
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
ISE 3315 Guest Portal on ETH1?
Hi,
the 3315 and other ise appliances have multiple nics.
Is it possible/supported to use eth1 for hosting the guest portal? (wireless LWA)
Tnx,
Bart
jrabinow,
I found this reference:
http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_app_e-ports.html
it states that the guest portal services are also listening on the other interfaces..
Could somebody please confirm? -
ISE 1.2 Guest Portal Profiling Certainty Factor not Increase
Hi, I have configured the ISE 1.2 Guest Portal and checked profiling for which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates.
Profiling configuration and endpoint detail in the attachment below
Hi salodh
As you can see in the attached file, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png) -
ISE 1.2 customizing guest portal
I am having some issues trying to customize colours on the default guest portal in ISE 1.2.
Is there really no way to change the entire page background colour, except going through creating a complete set of html files ?
It seems if I upload a transparent background image for both the banner and the logo, and then change all the background colour settings, the colour only affects the area where the Cisco splash logo is, and not the entire page.
I attached my settings, and how the page looks with those; what I am after is the entire page black, and then white text.
Hello Jan
You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
Step 4 Click Save. -
How to use ISE Guest Portal for AD users
Hi there,
As the subject explains, I want to use the ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot; it does not always redirect to the login page.
Can you please share what other ways are stable ways to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
Otherwise, I want to use the ISE Guest Portal for my AD users as well. AD is already integrated into ISE; the issue happens when I attempt to authenticate using an AD user account. The user gets authenticated but the Guest Portal redirects me to the Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
Am I missing something??
I am running WLC 5760 with ISE 1.2
Thanks in advance.
Hi,
Can you post a screenshot of your current policies? Also, for 802.1x authentication, although it is best practice, you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the EAP interface.
In most cases 802.1x is the method to go with because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day; in scenarios such as computers that sleep or users that are mobile, they will not have connectivity until they are redirected to the portal. You also gain WPA encryption on your WLAN; if you are using strictly layer 3 web auth you run into issues where encryption is not used and you rely on encryption from the application as your method of data integrity and security.
Thanks,
Tarik Admani
*Please rate helpful posts* -
5760 v3.6 guest portal redirect to ISE
I'm testing a new set of 5760 controllers for a future production rollout, running software version 3.6. Our current production setup consists of older WISM-1 and 4402 controllers running CUWN 7.0. Our guest network has an anchor in the DMZ, redirecting to ISE.
In the recent thread (https://supportforums.cisco.com/discussion/12319151/3850-ise-guestportal-no-redirect-v-334), one of the posters said that guest redirection in 3.6 works similarly to redirection in CUWN, while in 3.3 it is very different. I found the documentation for 3.3 (http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html), which I have to say I don't like very much. However, I find the configuration and command reference guides for 3.6 are less than helpful on this point.
So the question I have is whether guest networking with an external redirect to ISE looks like the following in 3.6? Or does it work like CUWN, where the SSID is configured with layer 3 security? If it uses layer 3 security like CUWN, does anybody have a quick configuration sample for how it can work end to end in 3.6?
------ From the document http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html ---------
The flow includes these steps:
The user associates to the web authentication Service Set Identifier (SSID), which is in fact open+macfiltering and no Layer 3 security.
The user opens the browser.
The WLC redirects to the guest portal.
The user authenticates on the portal.
The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
The user is prompted to retry the original URL.
I have a project with a 5760 running 3.6 working to a 5508 anchor controller in a DMZ.
I have web authentication working to an ISE OK.
Regards
Roger -
ISE 1.2.1.198 - Guest Portal Configuration
Is it possible to customize the default portal and add a paragraph anywhere on the login page with instructions? I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but the text goes off the screen before wrapping. I would like to be able to add a carriage return in the text, so the text would scroll off the screen.
ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
Failing those, you're back to changing the native html code for the portal by hand. Not recommended. -
Ise 1.2, cannot access guest portal
I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443.
Any idea?
I have attached the steps to configure the guest portal and hope they will address the problem.
Configuring the Guest Portal
Adding a New Guest Portal
You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and others require you to set them for each portal individually.
You can add a new Guest portal or edit an existing one.
Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
Step 2 Click Add.
Step 3 Update the fields on each of these tabs:
•General—enter a portal name and description and choose a portal type.
•Operations—enable the customizations for the specific portal
•Customization—choose a language template for displaying the Guest portal with localized content
•File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
•File Mapping— identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
•Authentication—indicate how users should be authenticated during guest login.
Step 4 Click Submit.
Specifying Ports and Ethernet Interfaces for End-User Portals
You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.
Step 4 Click Save.
If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Tips for Assigning Ports and Ethernet Interfaces
•All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
•You must assign the Blacklist portal to use a different port than the other end-user portals.
•Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
•You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
You can set the Sponsor and My Devices portals to use easy-to-remember fully qualified domain names (FQDNs), such as mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
Before You Begin
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:
•Default Sponsor Portal FQDN
•Default My Devices Portal FQDN
Step 3 Enter a fully qualified domain name.
Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Step 5Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node. -
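A validator for the port and interface rules quoted in the answer above (ports 8000-8999, a dedicated Blacklist port, interface coupling between portals that share a port, interfaces on distinct subnets), added here as an example; it is not part of the thread or of Cisco ISE, and the portal data model, portal names and interface addresses are assumptions.

```python
from ipaddress import ip_interface
from itertools import combinations

# Constructed sample (assumption, not from the thread): portal -> HTTPS port
# and the Gigabit Ethernet interfaces enabled for it on the ISE 1.2 Ports page.
PORTALS = {
    "Sponsor": {"port": 8443, "interfaces": {"GigabitEthernet0", "GigabitEthernet1"}},
    "Guest": {"port": 8443, "interfaces": {"GigabitEthernet1"}},
    "My Devices": {"port": 8443, "interfaces": {"GigabitEthernet0"}},
    "Blacklist": {"port": 8444, "interfaces": {"GigabitEthernet0"}},
}
# Constructed sample: interface -> address/prefix on the policy service node.
INTERFACE_ADDRESSES = {
    "GigabitEthernet0": "10.0.10.5/24",
    "GigabitEthernet1": "10.0.10.6/24",  # same subnet as Gi0, which the guide forbids
}


def effective_interfaces(portals):
    """Portals on one HTTPS port share interfaces: disabling an interface on
    any of them disables it for all, so the effective set for a port is the
    intersection of the per-portal sets."""
    by_port = {}
    for cfg in portals.values():
        by_port.setdefault(cfg["port"], []).append(set(cfg["interfaces"]))
    return {port: set.intersection(*sets) for port, sets in by_port.items()}


def check_portal_config(portals, interface_addresses):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    # Rule 1: ISE 1.2 only accepts portal ports in 8000-8999.
    for name, cfg in portals.items():
        if not 8000 <= cfg["port"] <= 8999:
            findings.append(f"{name}: port {cfg['port']} is outside 8000-8999")
    # Rule 2: the Blacklist portal must not share its port with any other portal.
    bl_port = portals.get("Blacklist", {}).get("port")
    for name, cfg in portals.items():
        if name != "Blacklist" and cfg["port"] == bl_port:
            findings.append(f"{name}: shares port {bl_port} with the Blacklist portal")
    # Rule 3: report where a portal's own setting differs from what it will get
    # once the shared-port coupling is applied (possibly no interface at all).
    effective = effective_interfaces(portals)
    for name, cfg in portals.items():
        eff = effective[cfg["port"]]
        if not eff:
            findings.append(f"{name}: no interface is enabled on every portal using port {cfg['port']}")
        elif set(cfg["interfaces"]) != eff:
            findings.append(f"{name}: effective interfaces on port {cfg['port']} are {sorted(eff)}")
    # Rule 4: interfaces used by portals must sit on different subnets.
    used = {i for cfg in portals.values() for i in cfg["interfaces"]}
    for a, b in combinations(sorted(used), 2):
        net_a = ip_interface(interface_addresses[a]).network
        net_b = ip_interface(interface_addresses[b]).network
        if net_a == net_b:
            findings.append(f"{a} and {b} are both on {net_a}")
    return findings


def restart_required(old_ports, new_ports):
    """Any port change restarts every node (Admin, PSN, MnT), which the guide
    says may take hours; flag it before the change is saved."""
    return any(old_ports.get(p) != port for p, port in new_ports.items())


if __name__ == "__main__":
    for finding in check_portal_config(PORTALS, INTERFACE_ADDRESSES):
        print("FINDING:", finding)
```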
ISE 1.2 Guest Portal - This device has not been registered.
I have set up an SSID on my WLC. I got the redirecting to my ISE guest portal working.
However, when I sign in I get a Device Registration page:
"This device has not been registered"
Unable to obtain the user information needed for network access.
The device ID is grayed out and blank.
Any assistance in this matter would be greatly appreciated
Thanks Johnston,
P.S for those who needs the path ISE 1.2 Administration -> Web Portal Management -> Settings -> Multi-Portal Configurations -> DefaultGuestPortal -> Operations.
On another note
When I login - I get my acceptable usage policy.
Accept
Then get a Device registration Portal where I can add the MAC address.
Now I have two questions.
When I add my test mac address the url redirects to myservername:8443/guestportal/AfterDevReg.action - unable to connect <- that's the one issue.
The other is - Can't I by pass the MAC? ie once the user is signed on to get access.
Currently I have the following settings enabled.
Enable Mobile Portal
Allow guest users to change password
Guest users should be allowed to do device registration <- if I disable that after signon the page just flash back to the guest portal. -
ISE 1.2 Guest portal user cannot change their passwords
I have a WLC 5508 (version 7.6) and a server with ISE installed (version 1.2.1.198). Now we have configured CWA and use the guest portal as the employee and guest login URL. We can log in successfully with a manually created internal user and password, and we set up "allow guest users to change password" in Multi-Portal, but the user cannot change the password in the guest portal. Does the change password option on the Guest Portal actually work? Can anyone tell me how users can change their own password in the guest portal?
Requiring Guests to Change Password
You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.
Before You Begin
Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
Step 2 Check the Guest portal to update and click Edit .
Step 3 Click the Operations tab.
Step 4 Check either or both options:
Allow guest users to change password
Require guest users to change password at expiration and first login
Step 5 Click Save . -
ISE 1.3 Sponsored Guest Portal Login Failure
Hello Team,
I've created a guest account in the sponsor portal for a test guest user; however, the account remains in the "created" state.
Now when the user tries to log on via the sponsored guest portal the error returned is "invalid username or password".
In ISE logs it says :
Overview
Event: 5418 Guest Authentication Failed
Username: bnawaz01
Endpoint Id:
Endpoint Profile:
Authorization Result:
Authentication Details
Source Timestamp: 2014-12-24 08:49:05.551
Received Timestamp: 2014-12-24 08:49:05.553
Policy Server: DC1-ISE-DMZ01
Event: 5418 Guest Authentication Failed
Failure Reason: Account is not yet active.
Resolution:
Root cause:
Username: bnawaz01
User Type: GuestUser
Endpoint Id:
Endpoint Profile:
IP Address:
Authentication Identity Store: Guest Users
Identity Group: GuestType_Contractor (default)
Audit Session Id:
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type:
Network Device:
Device Type:
Location:
NAS IP Address:
NAS Port Id:
NAS Port Type:
Authorization Profile:
Posture Status:
Security Group:
Response Time:
Any ideas why this might be, if I'm doing something wrong and how to fix it?
Thank you
Bilal
I have had the same issue. The fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts won't become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration.
To resolve this, create a new local time zone in Guest Access > Settings > Guest Locations and SSIDs, then under Guest Access > Configure > Sponsor Groups amend the time zone properties in each sponsor group.
One other problem is that if you do not remove this at initial configuration you don't seem to be able to get rid of UTC; not really an issue unless you forget when creating new sponsor groups.