Wired Guest Using ISE Interface

Ive scoured the forums for a solution but struck out looking for design tips. I have a centralized guest wireless using ISE with CWA on an anchor controller and it works great. Now I need to create wired guest network for my remote sites. Is this possible using an interface on my 3415 running ISE, or can the anchor controller be used some how?
The 3415 sits in my Pennsylvania data center. It has a new dedicated interface going to the internet for guest traffic. Can this interface be used as a redirect for a guest at a remote site? If so, is there documentation detailing the basic steps to implement this?
Thanks in advance!

If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

Similar Messages

  • Wired guest access with 5508

    Hi
    I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
    VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
    There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
    LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
    Thanks
    Pat

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • How to use ISE Guest Portal for AD users

    Hi there,
    As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
    Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
    Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

  • Wired Guest CWA with ISE

    Having a heck of a time getting this to work.
    First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
    If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
    My challenge is the Policies and where to insert.
    I'm using Policy Sets in ISE 1.2
    Currently, I have these statements in the Default Policy Set:
    Rule Name
    Conditions
    Permissions
    Wired Guest Portal Auth
    if Net Access:UseCase EQUALS Guest Flow
    Permit Access
    Wired Guest Redirect
    if Wired_MAB
    Wired CWA
    What i figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
    Couple problems:
    First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
    Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.
    Second challenge is that it forces the redirect whether i have the switch (NAD) in Monitor Mode or Low Impact Mode.  This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
    Does anyone have any insight, or a document laying out in step by step terms implementing this?
    thanks in advance.

    Hi Andrew! Yes, good job on fixing the portal issue!
    And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
    Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 
    Thank you for rating helpful posts!

  • ISE Wired Guest + user without supplicant and dynamic vlan change

    Hi All,
    I have two issues:
    Is it still an issue when a wired user who is directed to the ISE CWA, is able to stay authenticated as a guest for as long as they stay connected?
    This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
    I hear that this isnt an issue for wireless, but yet to try this out. Is there a workaround for this?
    Secondly my testing confirms that only users with a supplicant eg anyconnect NAM can be dynamically changed into a vlan (only tested on wired).
    What I'd hope to do, is create a policy that when wired guest connect in, to dynamically change their vlan to the guest vlan (same one guest WLAN users will use).
    Is this possible if the guest doesnt have a supplicant?

    One of my tasks was to rebuild the multiportal config, and looks like there was an option there to do a VLAN dhcp release and renew. I wont know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
    Still dont have an answer about the guest able being able stay authenticated, or does this feature solve this issue as well? Only time will tell..

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
    massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in Advanced,
    JS

  • Guest Portal Using ISE with Flexconnect Mode

    Folks,
    I have configured my guest web authentication using ISE with flexconnect mode like this:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml
    After done, I connect the SSID but cannot log in. I cannot get IP address and in the ISE I can see that my device has already hit my authorization profile and the status is pending. Can anyone help me with this?

    As Richard says, check to see if you have an IP address.  If not check the AP settings for FlexConnect.  Is the mode on the AP set right?  Please confirm that you are using FC local switching and not centralised switching? 
    Is the VLAN tagging enabled on the AP, and/or the VLANs on the AP switchport set right?

  • Wired Guest in 5.x 4402 - Does it Work???

    Anyone get Wired Guest access working using the latest code 5.148 (or any code for that matter). In particular has anyone been sucessful using 1 WLC with ingress and egress on same controller. I have been trying for a week and does not work no matter what.
    Thanks for all responses....

    Armonk-
    See next post with attached .doc
    This post was trimmed.
    4402 config
    -Ingress int
    Create a new interface <. myguests-ingress> assign it a VLAN ID <44>
    Check the box that says Guest LAN
    This interface has no IP, it is Layer2 only!
    If there is an IP associated with this VLAN (anywhere), create another VLAN.
    -Egress int (if you are already using one for wireless guest access, you can skip this step and reuse that one, I did!) It will not be called “Egress” on the wireless, just interface. If you don't have one already, you need to create it
    Create a new interface , assign it a different VLAN <55> than your ingress interface
    Assign IP, netmask, and gateway info < 192.168.100.10, 255.255.255.0, 192.168.100.1 > (see Router section below)
    I used addresses that were NOT on my business network, so guest IPs are easily distinguished from employees
    Also since this traffic is within a VLAN, I need to route this traffic at some point to access my gateway
    If you want to give guests DHCP addresses, assign a Primary DHCP Server to this interface (see DHCP section below)
    Since I was using the WLC for DHCP, I put the IP of my management interface (or another of your choice)
    -Internal DHCP (if you are using your WLC for DHCP this needs to be configured)
    Start <192.168.100.100 > (same subnet as "egress")
    End <192.168.100.200>
    Network <192.168.100.0>
    Mask <255.255.255.0>
    Lease <86400>
    Default router <192.168.100.1> (same as your gateway above)
    This is really just an IP to route between VLANs, it may not exist yet
    Don't worry if this is on another subnet as your real gateway (it should be), this is just a gateway IP for this subnet
    You can route between VLANs (that's what I did) on your router
    DNS server <10.10.10.50> (this a local DNS, but you could use anything I guess, even your ISPs DNS server)
    Status = Enabled
    -WLAN
    Create a new WLAN, select Guest LAN as the type
    Ingress is a L2 VLAN
    Egress is a L3 VLAN or previously configured VLAN
    Security Tab, select Web Auth/Pass
    Advanced Tab, specify your DHCP
    Check override (required for external DHCP)
    Was not able to check DHCP Addr. Assignment = Required (bug?)
    General Tab, check status = Enabled
    Ignore the error; this is a bug!
    Core Switch configuration (these commands are in CatOS)
    Since wired guest access uses the same interface (in my config,) I did not have to do this step as it was done previously.
    You need to configure your core switch to allow VLAN traffic from your WLC interfaces
    VTP and VTP domain were previously configured; you may need to do this if you have never done VLANs on this switch
    # set vlan 44 name MYGUESTS-INBOUND - - - IOS will be different
    # set vlan 55 name MYGUESTS-OUTBOUND - - - IOS will be different
    If you already have a vlan for wireless guests this step is already done
    Setup trunking on the port coming from the WLC to your switch (I chose mod/port =3/5, yours will be different)
    # set trunk 3/5 on dot1q - - - IOS will be different
    This allows VLANs to traverse from the WLC to the switch, (you could specify which VLANs only)
    I have created VLAN ACLs that restrict the access of guests, but that can be done after this is up and working
    Now this next step was required for my environment, but I am not sure that all setups can be done like this. I have another DHCP server on my network, so I wanted to make sure that there was not a conflict. To do this I specified a port on my core switch to accept VLAN traffic for my ingress interface
    Configure a port on my core switch to accept wired guest traffic (I chose mod/port =3/6, yours will be different)
    # set vlan 44 3/6 - - - IOS will be different
    It's possible you may also need to allow your egress VLAN depending on your setup
    Dumb switch
    Plug switch into the port specified

  • Cisco wired guest with one wlc

    Hello my name is Ivan
    I have a question:
    You can configure wired guest for wired network users so that appears the cisco wlc web portal for guest user authentication? having the following:
    Only one (1) cisco wlc 5508 no settings for auto  anchor  or foreing controller, a cisco acs v5.4,  cisco switches, and access points.
    I'm using 802.1x, and when the user because autententicacion policies fall into the guest vlan, the user receives full IP routing vlan guest, comes to internet through the router for guest users, but not redirected to the website of wlc .
    I would like to redirect http traffic from cisco switch to the cisco wlc for wlc web portal
    My deployment is to flex connect wireless authentication, and local switching center
    How I can do this?
    Thanks for your answers.

    Hi Scott, thanks for your answer:
    My scenary is:
    Site A Corporate
    WLC 5508 Flex Connect Central Auth + Local Switching
    1. int management:  vlan 10 - 10.1.1.2/24
    2. int virtual: 1.1.1.1
    3. wired-guest: vlan 30
    wlans:
    1. corporate - mapped to interface  management 802.1x wpa, 2pa2
    2. guest - mapped to interface management web auth
    3. wired-guest: web auth, ingress wired, egress management
    Cisco ACS v5.4
    Site B: Branch
    AP Ligthweight in the vlan 10, vlans mapped 100 and 30, 100 for wlan corporate and 30 for wlan guest.
    Switches Cisco,
    The branch have a router of internet to users guest.
    The switch cisco have a 802.1x configuration, and the method to authenticate users can not have a supplicant 802.1x is web auth.
    Actually i can not redirect the traffic from the switch in the branch to cisco wlc 5508 in the corporate site. The users bypass the interception of the cisco wlc and they can goes to internet without the portal of authentication.
    Please could you give and advice to resolv it?
    Regards for your answers.

  • Wired guest

    Respected members of this community... :) I need help.
    The last couple of days i spend implementing unified wireless at a customers site.
    We used the latest versions of the controller and WCS software.
    This new software offers a new feature, wired guest.
    Since we already implemented 802.1x with a guest VLAN on the wired network last year, we wanted to offer the guest access functionality on the wired LAN as well.
    So first we implemented wireless guest access, which worked fairly quickly.
    Then we added another interface on the controllers, which matched the already existing wired guest VLAN. First we wanted to use that VLAN for wireless guests as well as wired, but we found out that is not possible (so we created a new wireless guest VLAN). Then we added a new WLAN wich we marked for wired guest.
    Anyway, we followed the documentation and...could not get it to work.
    The network is a layer 3 routed network with 40 or so VLANs. The controllers are connected to the core switch (with nicely configured trunks), which does all the routing.
    DHCP is the first thing that didn't work. The interfaces we created on the controllers have the guest lan checkbox checked, ingress interface is the guest VLAN, egress interface is the mngt interface.
    The DHCP relay function did not work.
    DHCP will work with IP-helper configured on the VLAN interface on the core router, but this al goes outside of the controllers.
    This is by the way the major thing i do not understand. With wireless, all traffic goes via de controller through the LWAPP tunel. But with wired, my layer 2 VLAN ends on the core switch, not on the controller.
    So what should the default gateway be for that VLAN? The interface VLAN of the coreswitch or one of the controller IP adresses?
    Traffic should be directed to the controllers (i guess?) to enable them to catch HTTP and send the redirect to the webauth page.
    But if you set the default gateway to the controllers, DNS does not work because the controllers do not forward traffic untill after authentication, but for this to work, you need DNS for the client to start the HTTP session.
    Is there anyone out there who has this working, including DHCP?
    The customers network is flexible, we can build almost anything we want there, so iw we need to change something, we can.
    Wireless guest was no problem at all, and de data WLAN, including 802.1x, auth on AD and dynamic VLAN assignment worked perfectly. So we did get something to work actually... :)

    Does this help?
    <http://www.cisco.com/warp/public/102/wired_guest_access.pdf>
    Also keep in mind that the clients and the controller needs L2 adjacency (i.e. the Guest-VLANs would need to be trunked directly to the controller where you define the Guest-WLAN).
    I assume you have already deployed an anchor controller for wireless Guest traffic. So, the idea is to leverage the same EoIP tunnel infrastructure also for wired guest traffic. DHCP/DNS traffic should be blindly tunneled across this infrastructure, so your network services should be deployed in the anchor controller location (i.e. DMZ). Keep in mind again, that this design implements a logical L2 connection from the endpoints to the anchor controller.
    Hope this helps,

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    after we upgrade our Wlan-controller 4400 from software 7.0.116.0 to 7.0.240.0
    wired guest access don't work anymore.
    All other things works fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesnt work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Has someone a idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Wired Guest Network

    To the forum,
    I am trying to create a guest wired network using my WLC 4402 (5.2.193.0). I have attached a diagram of basic lay out. I am using this document - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml - as a guide. The problem is I have a single WLC and not anchor in the DMZ. When I try to configure a ingress interface for the "WLAN" my only option is none.
    My plan is trunk the layer 2 link that terminates on my perimeter firewall with both VLAN 199 (Guest wireless) and VLAN 198 (Guest Wired).
    I would greatly appreciate any input or suggestions.
    Doug

    Doug,
    You must create a "guest LAN" layer 2 interface on the WLC.  This will be the ingress interface on the L2 vlan the wired guest will be in. Then the egress interface is going to be the L3 network those clients will actually have their IPs in.
    Lee

  • Wired guest lan authentication through NGS

    Hello Guys,
    We have 5508 controller running ver 7.2.110.0.We have configured wireless guest and wired guest WLAN profiles and assosicated necessary dynamic interfaces to it. The authentication for both wireless and wired guest is through Cisco NGS[NAC]. I have configured Webauth and added the server in the security tab for authentication. I have guest user accounts created in NGS, if I use wirless guest the auth works perfect. But the same credentials is not working with wired guest. Any advice on this issue would be really helpful
    Regards
    Krishna

    Hey Scott,
    Yes NGS is working as Radius. However I haven't checked on WLC neither NGS log to see if there is any but let me look into that. No other names also doesn't work. I did run a debug on WLC while the user was authenticating below is the output
    Output of debug for wireless user where I am getting Accept message for auth at the end
    User IP ADDR - 172.22.207.157
    *aaaQueueReader: Aug 20 09:44:29.940: 00:23:14:ec:3d:38 Successful transmission of Authentication Packet (id 190) to 194.156.169.111:1812, proxy state 00:23:14:ec:3d:38-00:01
    *aaaQueueReader: Aug 20 09:44:29.940: 00000000: 01 be 00 a2 cd 8f 91 44  a2 4f 85 f1 04 f7 14 9a  .......D.O......
    *aaaQueueReader: Aug 20 09:44:29.940: 00000010: d0 3e 42 94 01 1b 6d 61  68 65 62 6f 6f 62 2e 6b  .>B...maheboob.k
    *aaaQueueReader: Aug 20 09:44:29.940: 00000020: 68 61 6e 40 61 6d 61 64  65 75 73 2e 63 6f 6d 02  [email protected].
    *aaaQueueReader: Aug 20 09:44:29.940: 00000030: 12 34 fc 96 01 47 ed 5e  d3 8d 08 4e 72 ce 1d b5  .4...G.^...Nr...
    *aaaQueueReader: Aug 20 09:44:29.940: 00000040: da 06 06 00 00 00 01 04  06 ac 16 cf 83 05 06 00  ................
    *aaaQueueReader: Aug 20 09:44:29.940: 00000050: 00 00 0d 20 0b 42 4c 52  57 4c 43 4f 30 31 3d 06  .....BLRWLCO01=.
    *aaaQueueReader: Aug 20 09:44:29.940: 00000060: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Aug 20 09:44:29.940: 00000070: 1f 10 31 37 32 2e 32 32  2e 32 30 37 2e 31 35 37  ..172.22.207.157
    *aaaQueueReader: Aug 20 09:44:29.940: 00000080: 1e 10 31 37 32 2e 32 32  2e 32 30 37 2e 31 33 31  ..172.22.207.131
    *aaaQueueReader: Aug 20 09:44:29.940: 00000090: 50 12 ef 00 53 8b 39 31  14 93 b3 82 1c f5 b5 51  P...S.91.......Q
    *aaaQueueReader: Aug 20 09:44:29.940: 000000a0: 82 45                                             .E
    *radiusTransportThread: Aug 20 09:44:30.516: 00000000: 02 be 00 1a 0c 8e d4 54  91 55 d6 ae b2 91 05 6e  .......T.U.....n
    *radiusTransportThread: Aug 20 09:44:30.516: 00000010: 93 f9 4b 7e 1b 06 00 21  70 70                    ..K~...!pp
    *radiusTransportThread: Aug 20 09:44:30.517: ****Enter processIncomingMessages: response code=2
    *radiusTransportThread: Aug 20 09:44:30.517: ****Enter processRadiusResponse: response code=2
    *radiusTransportThread: Aug 20 09:44:30.517: 00:23:14:ec:3d:38 Access-Accept received from RADIUS server 194.156.169.111 for mobile 00:23:14:ec:3d:38 receiveId = 0
    But for wired user below is the output
    User IP ADDR - 172.22.207.151
    5.338: 00:26:b9:e0:36:a6 Successful transmission of Authentication Packet (id 188) to 194.156.169.111:1812, proxy state 00:26:b9:e0:36:a6-00:01
    *aaaQueueReader: Aug 20 09:35:15.338: 00000000: 01 bc 00 a2 2c fe c1 97  a7 d1 25 a0 59 34 89 38  ....,.....%.Y4.8
    *aaaQueueReader: Aug 20 09:35:15.338: 00000010: c1 be 59 f3 01 1b 6d 61  68 65 62 6f 6f 62 2e 6b  ..Y...maheboob.k
    *aaaQueueReader: Aug 20 09:35:15.338: 00000020: 68 61 6e 40 61 6d 61 64  65 75 73 2e 63 6f 6d 02  [email protected].
    *aaaQueueReader: Aug 20 09:35:15.338: 00000030: 12 37 c7 5c 52 27 41 5b  0d 60 98 70 76 3b b3 ba  .7.\R'A[.`.pv;..
    *aaaQueueReader: Aug 20 09:35:15.338: 00000040: f5 06 06 00 00 00 01 04  06 ac 16 cd 74 05 06 00  ............t...
    *aaaQueueReader: Aug 20 09:35:15.338: 00000050: 00 00 0d 20 0b 42 4c 52  57 4c 43 4f 30 31 3d 06  .....BLRWLCO01=.
    *aaaQueueReader: Aug 20 09:35:15.338: 00000060: 00 00 00 0f 1a 0c 00 00  37 63 01 06 00 00 02 02  ........7c......
    *aaaQueueReader: Aug 20 09:35:15.338: 00000070: 1f 10 31 37 32 2e 32 32  2e 32 30 37 2e 31 35 31  ..172.22.207.151
    *aaaQueueReader: Aug 20 09:35:15.338: 00000080: 1e 10 31 37 32 2e 32 32  2e 32 30 35 2e 31 31 36  ..172.22.205.116
    *aaaQueueReader: Aug 20 09:35:15.338: 00000090: 50 12 36 60 54 47 0b 84  02 5c 0b da 19 a1 05 eb  P.6`TG...\......
    *aaaQueueReader: Aug 20 09:35:15.338: 000000a0: af 2b                                             .+
    *aaaQueueReader: Aug 20 09:35:17.053: AuthenticationRequest: 0x2ab12b50

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds reads this article,
    I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
    Best,
    Val Rodionov

Maybe you are looking for