Wireless Anchor Controller Web-Authentication Redirect Page

I configured a wireless guest anchor controller with a custom web-authentication acceptable use policy splash page with an email box and accept or reject button. Everything is working properly except if someone types their email in the box and hits enter instead of clicking on accept it redirects the custom page to the default Cisco page. After entering the email on the Cisco page and clicking on accept it allows connectivity.

I opened a case and TAC had me make two different changes and it still did not resolve my problem.  I had to edit the login HTML file with the following in bold to resolve:
Email Address
onKeypress="Javascript: if (event.keyCode==13) submitAction();">
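As an added example (not the original poster's code and not Cisco's sample login page), the following models the two paths described above: the browser's implicit submission when Enter is pressed in a text field, which bypasses the Accept button's handler and lands the client on the controller's default page, and the keypress fix that routes Enter through the same submitAction() the button calls. The hidden "buttonClicked" field, the marker value submitAction() writes into it, and the "/login.html" action are assumptions, since the post does not show the rest of the form; the model runs in Node with a small stand-in for the browser form.

```javascript
// Added example (not the original poster's code and not Cisco's sample page): models
// why pressing Enter in the email box bypassed the custom page, and the keypress fix
// that routes Enter through the same submitAction() the Accept button calls.
// Assumed, since the page does not show them: a hidden "buttonClicked" field that
// submitAction() sets before submitting, and the marker value it uses (placeholder).

const ACCEPT_MARKER = "accept"; // placeholder: the real page sets its own marker value

// Minimal stand-in for the browser form so the logic runs in Node without a DOM.
function createForm() {
  return {
    action: "/login.html",       // placeholder: the controller's default login handler
    fields: { email: "", buttonClicked: "" },
    submitted: null,             // what the controller would receive, or null
    submit() {
      this.submitted = { action: this.action, ...this.fields };
    },
  };
}

// Reject obviously malformed addresses before the form leaves the page at all.
function isPlausibleEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
}

// What the Accept button's onclick does: tag the submission, then send it.
function submitAction(form) {
  if (!isPlausibleEmail(form.fields.email)) {
    return false;                // stay on the custom page; nothing is submitted
  }
  form.fields.buttonClicked = ACCEPT_MARKER;
  form.submit();
  return true;
}

// What the browser does on Enter in a text field when no script intervenes:
// implicit submission to the form's action with the fields as they are, so
// buttonClicked stays empty and the controller answers with its default page.
function nativeEnterSubmit(form) {
  form.submit();
}

// The fix from the post, written for current browsers: accept event.key as well
// as the legacy keyCode, cancel the implicit submission, call submitAction().
function onEmailKeypress(event, form) {
  const isEnter = event.key === "Enter" || event.keyCode === 13;
  if (!isEnter) return false;
  if (typeof event.preventDefault === "function") event.preventDefault();
  submitAction(form);
  return true;
}

// Runs one user action against a fresh form and returns what the controller sees.
function simulate(email, action) {
  const form = createForm();
  form.fields.email = email;
  const enter = { key: "Enter", keyCode: 13, preventDefault() {} };
  if (action === "enter-without-fix") nativeEnterSubmit(form);
  else if (action === "enter-with-fix") onEmailKeypress(enter, form);
  else if (action === "click-accept") submitAction(form);
  return form.submitted;
}
```

In a real login.html the handler is wired to the email input with an attribute such as `onkeypress="return !onEmailKeypress(event, document.forms[0])"` (returning false from the inline handler cancels the implicit submission, and preventDefault() does the same inside the function). Checking event.key alongside keyCode matters because keyCode is deprecated and some browsers no longer populate it.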

Similar Messages

  • Central Web Auth with Anchor Controller and ISE

    Hi All
    I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
    I also have an ISE sat on the corporate LAN.
    Authentication is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
    DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
    I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
    My questions are:
    1. Do I need the re-direct ACL to be present on both the foreign and anchor controllers?
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
    4. Is ICMP still blocked by the WLC until the web authentication is complete?
    Thanks.
    Regards
    Roger

    Hi Roger,
    Thanks for your brief explanation; here are the answers to your queries.
    1. Do I need the re-direct ACL to be present on both the foreign and anchor controllers?
    The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    Yes, you have to configure the ISE server address on the anchor WLC.
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
    Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
    4. Yes, ICMP will work only after the successful web auth is complete.
    Please do go through the link below to understand the Anchor-Foreign Scenario.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    Regards
    Salma

  • Warning page on Cisco Wireless Lan Controller for guest access

    Hi,
    We have a Cisco wireless LAN controller 4400 in our organization, and lots of guests using our Wi-Fi network.
    I would like to configure a warning and terms and conditions page when guests use our network for the first time.
    Can you please let me know whether that is possible without adding an external web server, and how to configure it.
    Many Thanks in Advance
    Amit Sharma

    Hi Amit,
    Hope you are doing great!!
    The below link will help you in getting the issue resolved!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809bdb5f.shtml
    Please don't forget to rate the useful posts!!
    Regards
    Surendra

  • Wireless Guest Network using Cisco 4402 as an Anchor Controller

    Hello,
    We have recently redesigned our wireless guest network in accordance with Cisco's recommended deployment using the anchor controller in the DMZ. We have created two mobility groups (enterprise and anchor). The anchor controller and DMZ have two subnets (guest management and guest clients). The guest management subnet is connected to the controller and firewall allowing the mobility groups and EoIP tunnels, while the guest client network is also connected to the controller and firewall to push the client traffic directly out the firewall. The setup works well but the one part that I'm not happy with is the DHCP. Currently DHCP is being handled on the firewall because of issues we had with DHCP relay and the controller's internal DHCP service.
    Does anyone have any information on getting DHCP relay working or the internal DHCP service on the controllers when using one as an anchor?
    This is basically the setup guide that we followed.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
    Thanks!

    Hi,
    Make sure you have the IP helper address configured under the VLAN interface on the L3 and also make sure to disable DHCP proxy on both the WLC (Anchor and Foreign).
    This will help us as well..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or was helpful

  • Guest ssid with anchor controller and Web policy

    We have a WLC4404 and an anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client joins the guest ssid but neither gets an ip address from the dhcp server nor goes anywhere. If we disable the web authentication all works fine again. We are running 4.0.206.0 on both WLC. Can anyone help us?

    Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

  • Best Practice for DHCP when Anchoring to a Guest Wireless LAN Controller

    Hi all,
    I'm interested in the community's opinion in relation to DHCP provisioning when using auto-anchor/guest tunneling.
    As far as I can tell, one cannot use the internal DHCP on the anchor controller when using auto-anchor due to incompatibility between the auto-anchor feature and DHCP Option 82.
    The scenario is as follows:
    Guest controller is the anchor which provides Internet access to guests.
    There is a foreign controller which is configured to anchor to the guest controller.
    The internal DHCP server is configured on the guest anchor controller, therefore DHCP proxy must be enabled for DHCP to work.
    DHCP proxy enables Option 82.
    The guidelines for guest tunneling state that DHCP Option 82 isn't supported. (Ref: Deploying and Troubleshooting Cisco Wireless LAN Controllers - Ch14)
    So, the internal DHCP server requires DHCP proxy to be enabled; this in turn enables Option 82, which stops DHCP leases being made to clients connected to the foreign controller.
    Given that a guest WLC would normally be placed in a DMZ, the internal DHCP server may often be the only DHCP solution available.
    I look forward to hearing your opinions.
    Thanks
    Rhodri Jenkins

    There are a couple of options here if you need to get proxy disabled
    1) pinhole with an ACL that allows dhcp to pass your internal servers
    2) run dhcp on a switch, router, or firewall in the dmz
    3) if you are using a cable modem or dsl for the guest users, you can let that do the dhcp
    In general I've seen most of these in play, but I like option 2 myself
    Sent from Cisco Technical Support iPad App

  • Guest wireless running slow (1 Mb) for one of the foreign vWLCs (AIR-CTVM-K9); the Anchor controller is on the DMZ (AIR-CT5508-K9)

    Hi,
    We have a few vWLCs (AIR-CTVM-K9) as the foreign controllers for anchoring at different sites. The Anchor controller (AIR-CT5508-K9) is located at the DMZ at the main site. The guest wireless is working fine for all the sites except Site A. The download speed is <1mb and I do not see any restriction on the Foreign controller as well as the anchor controller. Upload speed could reach 5Mb. I have checked the configuration of the other foreign controllers and they are working fine and have similar settings. Could you please shed some light on where I should start troubleshooting this. Users are able to get the correct ip address, gateway, dns server ip address without any issue.

    Issue resolved. It turned out to be the QoS applied on the vWLC switch port that slowed down the speed. Removing the QoS did the trick.

  • Guest Anchor Controller DNS issues

    Hi,
    I have an anchor controller (4402) running version 4.0.219.0 in our DMZ.
    The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
    Changes required (which were attempted).
    1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
    2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
    Problems
    The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
    The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
    Diagnosis
    It appears that only some clients' dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an associated and connected client even when running dns queries manually from the wireless client.
    A reboot of the controller did not make any difference.
    Is there any throttling effect on dns queries which may have been implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
    Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
    We had to roll back the changes to the original configuration in order to bring the service back on-line.

    Hello Eoin
    Where is the external dhcp server? In the same DMZ or on the inside network? We have a /19 subnet allocated to the guests and I don't foresee any throttling on the dns queries.. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller..
    Laptops which had issues -> was the problem intermittent, or is it just that they are not able to get the web redirect page at all?
    Check the release notes for any bugs on this software:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
    Raj

  • Guest VLAN unable to get DHCP IP address from Anchor Controller

    Hello everybody,
    In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
    SSID Name - guest
    Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
    Mobility Group: Same configs at both ends
    SSID Anchor : Anchor SSID on local and local SSID on Anchor.
    AP: CAPWAP 3502 Management Subnet
    SSID Security etc all defaults and matching on  both ends
    Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
    Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
    EoIP Tunnel Status: Up, UP - Both ends
    Mping - OK
    eping - OK
    WLC Software Version on Local - 7.0.98.0
    WLC Software Version on Local - 7.0.116.0
    DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
    Management IP Subnet on Local: 10.x.x.x
    Management IP Subnet on Anchor: 172.x.x.x
    The problem definition as follows:
    When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
    1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and I can see the DHCP request via the tunnel to the Anchor WLC as follows:
    DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
    2. Similar debugs on the Anchor controller yields the following results;
    Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
    Is there anything missing in the wireless configs and/or the firewall rules, as I could not see a DHCP reply back from the Anchor Controller? Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL configuration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers?
    Thanks and Regards.

    The DHCP issue is resolved if an external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded.
    For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.
    Thanks again very much for all your help.
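The diagnostic in this thread, a DISCOVER that the anchor bridges to the distribution system with nothing coming back, can be checked mechanically. The analyser below is an added example, not code from the thread and not a Cisco tool: it parses controller DHCP debug lines in the format quoted above, pairs the DISCOVER/REQUEST messages processed for a client MAC and transaction id with the OFFER/ACK that should follow, and reports clients that keep re-sending DISCOVER without an OFFER, plus clients that fell back to a 169.254.x.x link-local address (the "Invalid MSCB state" line). The sample input reuses the failing client's lines from the anchor debug above and adds a constructed healthy client for contrast; the OFFER/ACK lines for that client are assumed to follow the same format as the DISCOVER lines on the page.

```javascript
// Added example, not from the thread and not a Cisco tool: a small analyser for the
// controller's "debug dhcp message enable" output quoted above. It pairs the
// DISCOVER/REQUEST messages the WLC processes for a client MAC and transaction id
// with the OFFER/ACK that should come back, and reports clients that keep re-sending
// DISCOVER with no OFFER ever seen, plus clients that ended up on a 169.254.x.x
// link-local address. The OFFER/ACK lines in the sample are constructed in the same
// format as the page's lines; the exact wording of a real healthy exchange may differ.

const LINE_RE = /(?:^|\*)(?<task>[\w ]+?): (?<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?<msg>.*)$/i;
const PROCESSING_RE = /^DHCP processing DHCP ([A-Z]+) \((\d+)\)/;
const XID_RE = /^DHCP\s+xid: (0x[0-9a-f]+) \(\d+\), secs: (\d+)/i;
const MSCB_RE = /^Invalid MSCB state: ipAddr=(\d+\.\d+\.\d+\.\d+)/;
const COUNTER_FOR = { DISCOVER: "discovers", OFFER: "offers", REQUEST: "requests", ACK: "acks" };

// Splits one debug line into task, timestamp, client MAC and message; null if it
// is not a per-client line (prompt echo, headers, lines without a MAC).
function parseDebugLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { task: m.groups.task, ts: m.groups.ts, mac: m.groups.mac.toLowerCase(), msg: m.groups.msg };
}

function analyzeDhcpDebug(lines) {
  const transactions = new Map(); // "mac/xid" -> per-transaction counters
  const pendingType = new Map();  // mac -> message type seen, waiting for its xid line
  const findings = [];
  for (const raw of lines) {
    const rec = parseDebugLine(raw);
    if (!rec) continue;
    let m;
    if ((m = PROCESSING_RE.exec(rec.msg))) {
      pendingType.set(rec.mac, m[1]);          // the xid line follows a few lines later
    } else if ((m = XID_RE.exec(rec.msg))) {
      const type = pendingType.get(rec.mac);
      pendingType.delete(rec.mac);
      if (!type) continue;
      const xid = m[1].toLowerCase();
      const key = `${rec.mac}/${xid}`;
      if (!transactions.has(key)) {
        transactions.set(key, { mac: rec.mac, xid, discovers: 0, offers: 0, requests: 0, acks: 0, secs: [] });
      }
      const t = transactions.get(key);
      if (COUNTER_FOR[type]) t[COUNTER_FOR[type]] += 1;
      t.secs.push(Number(m[2]));
    } else if ((m = MSCB_RE.exec(rec.msg)) && m[1].startsWith("169.254.")) {
      findings.push({ mac: rec.mac, issue: `client fell back to link-local address ${m[1]}; DHCP never completed` });
    }
  }
  for (const t of transactions.values()) {
    if (t.discovers >= 2 && t.offers === 0) {
      findings.push({ mac: t.mac, xid: t.xid, issue: `DISCOVER seen ${t.discovers} times (secs ${t.secs.join(", ")}) with no OFFER; nothing came back from the DHCP server path` });
    }
  }
  return { transactions: [...transactions.values()], findings };
}

// Constructed sample: the failing client's lines from the anchor controller debug
// above, plus a made-up healthy client (00:11:22:33:44:55) that completes DORA.
const SAMPLE_DEBUG = [
  "Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64",
  "*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)",
  "*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0",
  "*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS",
  "*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)",
  "*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0",
  "*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS",
  "*apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!",
  "*DHCP Socket Task: Feb 25 04:40:01.100: 00:11:22:33:44:55 DHCP processing DHCP DISCOVER (1)",
  "*DHCP Socket Task: Feb 25 04:40:01.100: 00:11:22:33:44:55 DHCP   xid: 0x1234abcd (305441741), secs: 0, flags: 0",
  "*DHCP Socket Task: Feb 25 04:40:01.215: 00:11:22:33:44:55 DHCP processing DHCP OFFER (2)",
  "*DHCP Socket Task: Feb 25 04:40:01.215: 00:11:22:33:44:55 DHCP   xid: 0x1234abcd (305441741), secs: 0, flags: 0",
  "*DHCP Socket Task: Feb 25 04:40:01.300: 00:11:22:33:44:55 DHCP processing DHCP REQUEST (3)",
  "*DHCP Socket Task: Feb 25 04:40:01.300: 00:11:22:33:44:55 DHCP   xid: 0x1234abcd (305441741), secs: 0, flags: 0",
  "*DHCP Socket Task: Feb 25 04:40:01.410: 00:11:22:33:44:55 DHCP processing DHCP ACK (5)",
  "*DHCP Socket Task: Feb 25 04:40:01.410: 00:11:22:33:44:55 DHCP   xid: 0x1234abcd (305441741), secs: 0, flags: 0",
];

for (const f of analyzeDhcpDebug(SAMPLE_DEBUG).findings) {
  console.log(`${f.mac}${f.xid ? " xid " + f.xid : ""}: ${f.issue}`);
}
```

Keying on MAC plus xid rather than MAC alone matters because the WLC debug prints each retransmitted DISCOVER as a fresh block; the rising "secs" values on the same xid are what show the client waiting on a server that never answers, which on this thread pointed at the proxy/bridging setting rather than the client or the EoIP tunnel.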

  • Anchor WLC web-auth secure web issue

    Hi all,
    I am running into an issue with disabling the web-auth secure web on a 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changing the web-auth secure web back to enabled and rebooting the WLC fixed the issue...Has anyone run into this before, and any idea how to fix it?
    Thanks in advance for your input!
    Robin

    The custom page might be from the Cisco web auth page sample by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
    Do I also need to disable the web-auth secure web on the main controller?
    This anchor is running in production and has to reboot after hours; will do the test and let you know how it goes.
    Thanks!
    Robin

  • Wireless Lan Controller Issue

    Hi All,
    We have a Wireless Lan Controller 4402 with software version 4.0.155.5. On Friday we experienced a problem where our clients wouldn't get redirected to the internal webpage for authentication. It would just come up with page not found. We know the page was working fine because we could manually type in the
    https://1.1.1.1/login.html and the
    page would come up and you could login successfully. The users who were already connected to the controller were not affected and continued to operate. We have 2 other WLCs at the same software revision and they were not affected so I don't think it has anything to do with software level. It's like the webserver in the wlc failed to work. We failed over the APs to the 3rd WLC and rebooted WLC1. After WLC1 restarted we failed one of the previous non-working APs back to it and it works again.
    I know "now" there are debug commands to run at the time when the WLC wasn't working, but unfortunately I didn't know at the time. The WLC is running fine again and I was wondering if anybody has seen this issue before.
    Any ideas on a fix or reason would be greatly appreciated.
    Thanks,

    We are running WiSM 4.1.185.0 and we just had a similar problem with one controller. The other three controllers were fine when it happened. The exact issue was that nslookup failed (timed out) from the client, so the web login page won't show when people launch the browser. A reboot of the controller fixed the problem. We have been running Cisco LWAPP for more than a year (from 4.0.155.5 to 4.1.185.0) and it is the first time we have seen this problem. TAC is still investigating the cause.
    Zhenning

  • Problems joining Wi-Fi networks that require viewing a redirect page in iOS 8.1.1? Check your "Auto-Login" setting.

    Are you having problems joining previously used Wi-Fi networks that require you to view a login or redirect page (say to accept Terms of Use) first?  The problem could be your Auto-Login Wi-Fi network setting.
    I found numerous cases where I could not access in-store Wi-Fi networks (Nordstrom was one), hotel networks or in fact networks where you had to first view a Terms and Conditions page or where you had to login via a web form.
    These were all networks I had used before.
    This appears to be due to the "Auto-Login" setting assuming that once you (re)join a previously known network you can just go ahead and use it without further action. When the iOS device receives an error trying to use the network, it silently drops the Wi-Fi association.
    If this is happening to you, follow these steps:
    1) Go to Settings -> Wi-Fi
    2) Select the network you want to join
    3) When a check-mark appears next to the SSID, press the "i" button on the right hand side
    4) Set Auto-Join however you want, but shut off the Auto-Login switch
    5) Now attempt to use the network and you should be presented with the usual redirect page with terms you must accept or where you must login to use the Wi-Fi network in question
    This cleared up the issue for me everywhere I had previously been having issues.

    Just let me get one thing straight...you don't change don't do this for the PC you have your router plugged in to?
    "For Vista:
    1. Open Control Panel, Network and Internet, Network and Sharing Center, Manage Network Connections
    2. If Wireless, Right click on your Wireless Network Connection, otherwise, Right click on Local Area Connection and click Properties
    3. Highlight Internet Protocol Version 4(TCP/IPv4)
    4. Click Properties
    5. Tick Use the Following IP Address and enter the IP you want to use for that PC. I would start at 192.168.0.100(D-Link) and work your way up on each additional device. The second device would be 192.168.0.101, the 3rd, 192.168.0.102 and so on. Like I said, different brands of routers use different IP's, so it could be 192.168.1.100 and so on, so you will need to know the IP address of your router first.
    6. Subnet Mask is 255.255.255.0 on all pc's and devices
    7. Default Gateway is 192.168.0.1(D-Link) or whatever your router's IP is on all pc's and devices
    8. Tick Use the Following DNS Server Address and enter 192.168.0.1(D-Link) or whatever your router's IP is and click OK.
    9. You will need to do this on all Vista Pc's"

  • Auto-Anchor Controller's Best Practice

    Hi All,
    I got confused with this setup. I have 2 WLCs. One is the internal controller and another one is configured as the anchor controller (different subnet - DMZ zone) for guest traffic. Where do I configure DHCP assignment for these users? Should the Production controller intervene in this dhcp process or shall I direct the Anchor to take care of everything? Which is recommended?
    And also, is any best practice doc available for this?
    Please help...
    thanks in advance.

    Prasan,
    Just keep in mind that there are best practices that are published and best practices that you learn from experience. Being a consultant, I get to implement wireless in various networks and everyone's network is quite different. Also code versions can change a best practice because of bug issues or how a standard might have changed and how that standard was implemented in code. The biggest best practice secret is really working with various client devices, scanners, laptops, smartphones, etc., and seeing how those change because of newer models and their firmware updates. It's amazing to understand how some devices will require a few checkboxes in the WLAN to be disabled compared to others. Even with anchoring for guest and using a custom WebAuth to make sure the splash page works with various types of browsers.
    What I can say is to always try the defaults if possible when you have issues and then enable things one by one.
    Sent from Cisco Technical Support iPhone App

  • Issues after changing the AP Name on Wireless LAN Controller

    I recently changed the AP Name of all the Wireless Access Points in my branch office (which are all associated to the branch office Wireless LAN Controller(s)). After that I noticed that all branch office employees are unable to connect to the employee SSID. The employee SSID uses web authentication and employees are authenticated using Head Office AD via Cisco ACS, both located at the Head Office.
    There are other SSIDs on the WLC which all work fine, but only the employee SSID which uses AD authentication does not work. AD authentication is working fine because employees in HO are successfully able to connect to the employee SSID at HO.
    The branch office is connected to the HO via a tunnel link. We noticed that if we restart both ASAs at either end of the tunnel, the employee SSID starts working again, but only temporarily for a day or so... what could be the issue? Can renaming the APs cause issues? How can I fix this problem?
    Thanks in advance

    Thanks Elliott,
            I did the debug like you said and I am getting the following debug messages:
    *apfMsConnTask_0: Jun 20 08:18:14.580: Deleting the client immediatly since WLAN is changed
    and also
    *apfReceiveTask: Jun 20 05:25:11.857: 00:1f:3c:86:af:15 Orphan Packet from 192.168.52.34
    The logging on the WLC shows
    *apfReceiveTask: Jun 18 17:56:41.788: %MM-1-ANCHOR_UNAVAILABLE: mm_mobile.c:2155
    All export anchors are down. Cannot anchor the client.00:c0:a8:f3:cd:ae
    The DHCP pool for the employee users is configured on a guest WLC which sits behind an ASA

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I set up a guest WLAN in our LAB environment. I have one internal WLC connected to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this? Where to place the ISE for this scenario, etc.?
    Thx
    Frank

    So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send the RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.)
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.
