WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

Hi there,
Is it possibe to use sleeping clients when using ISE and CWA?
I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
Or is the only solution to use LWA?

Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
And your users will be connected all this time even if they going in sleepmode
be carefull with CPU loading

Similar Messages

ISE and central web authentication

Hello all,
I have followed the steps in this document in detail:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
however, my central authentication does not work. I get to the guest portal, i get authenticated through the guest portal,
but then the "second" MAB authenticatino doesn't happen.
In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
this is a red line with the error message "11213 No response received from Network Access Device".
(i have a successfull guest authentication in my ise logs, but it seems ise is unable to bounce or initiate the second MAB....)
Any ideas ?
regards,
Geert

By the way, i feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Autorization sequence table)
I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do webautentication if MAC not known AND Wired_MAB is being used.

Cisco vWLC and Central Web Authetication ISE Issue

Hello!
I have an issue with Wireless Central Web Authentication. Wired CWA woking fine.
My APs woking in FlexConnect mode with local switching. When I connect to the WLAN with CWA, web page with guest portal in not opening, but I see, that redirect is working...
When I try to ping ISE, and have a strange result:
y@5733Z:~$ ping 10.10.2.47
PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
^C
--- 10.10.2.47 ping statistics ---
21 packets transmitted, 3 received, 85% packet loss, time 20106ms
rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms
When I change the security method on the WLAN to open or any other, ping to ISE working fine. Please help!

Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!

Wlc flexconnect wlan local authentication and central web authentication maximum rtt

Hi
From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
Is this limitation refer to web authentication also?
Thanks
Anyone???

Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!

CWA with ISE and 5760

Hi,
we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
aaa authentication login Webauth_ISE group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization network Webauth_ISE group ISE
aaa accounting network ISE start-stop group ISE
aaa server radius dynamic-author
client 10.232.127.13 server-key 0 blabla
auth-type any
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only
wlan test4guests 18 test4guests
aaa-override
accounting-list ISE
client vlan 1605
no exclusionlist
mac-filtering cwa_macfilter
mobility anchor
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list Webauth_ISE
no shutdown
wc5# debug aaa coa
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS: authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
Feb 27 12:19:08.444: RADIUS: NAS-IP-Address      [4]   6   10.232.127.11
Feb 27 12:19:08.444: RADIUS: Calling-Station-Id [31] 14 "40f308c3c53d"
Feb 27 12:19:08.444: RADIUS: Event-Timestamp     [55] 6   1393503547
Feb 27 12:19:08.444: RADIUS: Message-Authenticato[80] 18
Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 41
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35 "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 43
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37 "subscriber:reauthenticate-type=last"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 49
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: COA: Message Authenticator decode passed
Feb 27 12:19:08.444: ++++++ CoA Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444:
Feb 27 12:19:08.444: ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
Feb 27 12:19:08.444:
wc5#

Reason for this are two bugs which prevent this from working:
https://tools.cisco.com/bugsearch/bug/CSCul83594
https://tools.cisco.com/bugsearch/bug/CSCun38344
This is embarrassing because this is a really common scenario. QA anyone?
So, with ISE and 5760 CWA is not working at this time.

Central Web Auth with Anchor Controller and ISE

Hi All
I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
I also have an ISE sat on the corporate LAN.
Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
My questions are:
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
4. Is ICMP still blocked by the WLC until the web authentication is complete?
Thanks.
Regards
Roger

Hi Roger,
Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the sucessful web auth is complete.
Please do go through the link below to understand the Anchor-Foreigh Scenario.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
Regards
Salma

5760 Central Web Auth with ISE

Hi,
I am having problems with getting central web auth to work on the 5760, I cant seem to find any documentation for the 5760-Central Web Auth.
The setup is with a Cisco 5760 and Cisco ISE, for guest users to be re-directed to ISE guest portal to authenticate. Has anyone configured this or have any advice, that would be great.
Thanks

Hi Roger,
I have gotten CWA running on the 5760 with ISE, below is the config for the guest SSID:
wlan Guest 1 TEST-guest
aaa-override
ip dhcp required
mac-filtering cwa_macfilter
mobility anchor 10.1.1.100
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list ISE_Auth_Group
session-timeout 14400
no shutdown
! ***You will need the following commands as well:
ip http server
ip http authentication local
ip http secure-server
aaa authentication login ISE_Auth_Group group ISE
aaa authorization network cwa_macfilter group ISE
Hope it helps =)

Working with Flex and Central

Hi,
I am new in Flex and Central and interested in working with
Flex and Central and I'm currently trying to run one of the samples
from the "Central Flex SDK", the HelloFlexCentral. I have an error
when trying to run the application. The "import.mx.central" line is
not recognized.
I don't understand how to connect Flex and Central. My
questions are :
- Do I have to install a JRun environment to run/develop this
kind of application or can I develop the application without a JRun
Environment ?
- Can I deploy my application on a IIS server for example
(and then all the users will install it in central by accessing
this webserver) ?
- Where do I have to put all the "CentralIntrinsics" stuff to
avoid this error I encounter ?
Thank you for your answers.
Olivier

If you want three distinct notes, I suggest you cut it into three samples, then using flex pitch drag the notes to the pitches you desire. Keep in mind that the farther away a note is from it's actual sampled pitch, the worse it's quality will be.

LWA Guest Access with ISE and WLC

Hi guys,
Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
1. Guests try to connect wifi with SSID Guest
2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
5. After that the Guest Login Page will appear, and guests input their username and password.
6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
I know it happened when guests didn't have the WLC Login Page Certificate...
My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
Thx 4 your answer and sorry for my bad English....

Thx for your reply Peter, your solution is right,
i don't choose CWA, because their DNS is not stable...
i've found the problem...
the third-party CA is revoked, so there is no way it will success until it fixed...
and there is no guarantee, they will fix it soon..
so solution that we choose is by disable "HTTPS" on WLC...
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable"
thank you all...

ISE and WLC for CWA (Central Web Auth)

Hello All,
As we know that WLC (i.e. 5508) does not support MAB (MAC Auth Bypass) and it supports CWA in 7.2.x.
CWA is a result of successfull MAB. So how CWA work for wireless? So it means WLC support MAB?

I've been playing around with this and have it working on 7.3.101 on the WLC 5508, however, I don't seem to be receiving the web redirect correctly. When I look under the client connections on the WLC I see that the URL is received on the WLC from ISE, but it appears to be truncated, unless that's just a limitation of the display. I see hits on the ACL-WEBAUTH-REDIRECT ACL on the controller, but it doesn't seem to be redirecting. I have this similar configuration on the wired side of the house and it works fine. ISE just shows pending webauth, as it should.
Security Policy Completed      No
Policy Type        N/A
Encryption Cipher       None
EAP Type        N/A
SNMP NAC State       Access
Radius NAC State       CENTRAL_WEB_AUTH
CTS Security Group Tag      Not Applicable
AAA Override ACL Name      ACL-WEBAUTH-REDIRECT
AAA Override ACL Applied Status     Yes
AAA Override Flex ACL      none
AAA Override Flex ACL Applied Status     Unavailable
Redirect URL
https://.com:8443/guestportal/gateway
IPV4 ACL Name     none
IPv4 ACL Applied Status      Unavailable
IPv6 ACL Name       none
IPv6 ACL Applied Status     Unavailable

Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

Hi,
Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access. We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE. And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure. And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password. I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design? Any potential issue may break the flow?
Thanks in advance for any input!
Tina

Hi,
I have an update for this quite broad question.
I have now came a bit further on the path.
Now the needed Radius Access Attribute are available in ISE after adding them in
"Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
With that I could really see the attributes in the radius access requests going in to the ASA.
Now looking at a request in "Radius Authentication details" I have
Other Attributes:
ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
What could it be I have missed?
Best regards
/Mattias

Win 7 client with machine and user auth stuck in 802.1x_REQD

Hi everybody
we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
- Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
- On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
- First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
- When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
We tried the following to find the problem spot. but we were not able to locate the problem:
- Configure the machine and user authentication into the same vlan all the time
- ONLY user authentication on the client
- Played with the Win 7 settings (timers, and so on)
- When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
Did someone ever had the same issue?
Thanks a lot and best regards
Dominic

Hi Amjad
very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
- What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
WZC.
- what is the result when testing with user auth only?
The same, it takes such a long time.
- what ist he result when testing with machine auth only?
Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
Regards and have a nice weekend
Dominic

Create web service consumer client with Ant and wsdl

How can I create a web service client with just Ant and WSDL?
Thanks.

Hi,
Did you check this web log?
/people/thomas.jung3/blog/2004/11/17/bsp-a-developers-journal-part-xiv--consuming-webservices-with-abap
Eddy

DNS Registration for clients with WLAN and LAN adapters

I have read a number of articles and it seems that there are a number of people who have problems with DNS and workstations with both WLAN and LAN adapters. I haven't however found workable solutions.
Workstation Connection Objective:
To enable DNS discovery and Ip connection to client workstations regardless of whether the client is using the WLAN or LAN. Enabling users to use either Wireless or LAN adapter adhoc. ie they dock their laptops at their desks, and undock to take their laptops
to meetings or consulations with peers. I need to be able to discover and connect to the workstations irrespective of the adapter being used at any time.
Most people seem to try to control which interface is used on the workstations, ie disable WLAN and only use LAN etc. Trying to disable interfaces isn't going to be feasible and its very inflexible.
I believe I can ensure that the workstations use the NICs in our preferred order:
1. LAN
2. WLAN - Our wireless network isn't as fast as the LAN.
By setting specific DHCP metric for the WLAN Router to be higher(ie 2) than the LAN(1). When the LAN isn't connected traffic will route via the WLAN adapter and when the LAN adapter is connected, its router metric will be lower and it will be the preferred
gateway/route.
But how do I solve the DNS resolution for connection to that asset?
If I disable DHCP Server updates into DNS and allow secure updates from the client. It would be really good if DNS client behaved in the following manner
1. The LAN adapter(referred to as primary ie LAN) with the lowest metric(ie 1) registers/auto updates DNS with the ip(both A and PTR). Any other Adapters don't register. - ie the WLAN
2. The Laptop is undocked and the LAN adapter goes offline, the DNS Client then triggers a registration/auto updates its existing DNS entry with the ip from the next adapter(WLAN) with the next lowest gateway metric(2)...hence replacing the first ip registered.
3. The laptop is docked again, and DNS Client triggers a registration/auto updates its existing DNS entry with the IP from the primary adapter(LAN), replacing the WLAN ip.
So there is only ever 1 ipaddress registered for a workstation and it will always be a valid address. Then I don't need to be concerned about whether the user has the wireless turned on and docked.
Being able to discover and communicate with all our workstations in our sites is crucial requirement....
This microsoft article says, http://technet.microsoft.com/en-gb/library/cc771255.aspx
Dynamic updates can be sent for any of the following reasons or events:
    * An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
    * An IP address lease changes or renews with the DHCP server any one of the installed network connections. For example, when the computer is started or if the ipconfig /renew command is used.
    * The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
    * At startup time, when the computer is turned on.
    * A member server is promoted to a domain controller.
However from what I am reading, both adapters(LAN,WLAN), if configured to update DNS, will register their Ip addresses. Which leads to an invalid DNS entry if the laptop is undocked, as the IP for LAN adapter isn't removed.
Has anyone solved this problem for their organizations without
1. Controlling which adapter is used - large management overhead
2. Only allowing one adapter to register with DNS
   - If using LAN adapter for DNS, then anytime the user is using WLAN, their workstation doesn't have a valid DNS entry. Which also impacts Kerberos.
   - If using the WLAN, then we would have to invest a large amount of money into Wireless to provide the necessary bandwidth
3. Setting GPO's to configure dns updates every 30mins on clients
   - Inconsistent results...which I think is sometimes a worse problem
4. Defining separate DNS suffixes for their WLAN networks (I read some people did this)
   - This doesn't remove an invalid DNS entry ie the ip(LAN adapter) DNS entry if the laptop is undocked
   - It also creates problems with kerberos, if the host is registered under a separate DNS suffix from the Active Directory domain name

Hi,
From my point of view, DNS can't be so smart.
As a workaround, please try the steps below,
Disable the DNS register of wireless adapter
Put "ipconfig /regiserdns" in a bat file
Everytime when the wired network is undocked, run the bat file.
If the wired network is docked, wired adapter will register the DNS record.
When the wired network is undocked, run the bat file, then the wireless adapter will register the DNS record.
If the wired network is docked again, wired adapter will register the DNS record automatically.
Best Regards.
Steven Lee
TechNet Community Support

ISE and capturing web traffic logs

We have guests that visit our office and connect to the Guest WiFi. We want to implement ISE for the self-sign in portal. That would help us determine the user and accept the legal terms without involving IT.
When a guests logs in and surfs the web, We want to track which websites they go to for legal purposes and hold that information for 18 months. I am not sure how I can achieve this part.
The guests may visit it us 1 or 2 times every 6 months so using WSA with AD auth, for example, would not be ideal and that's why we like the ISE portal.
We are using Cisco 5500 WLC's.
Any help is appreciated.

By the way, i feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Autorization sequence table)
I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do webautentication if MAC not known AND Wired_MAB is being used.

WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

Similar Messages

Maybe you are looking for