WLC and ISE guest access COA

We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication. ISE attempts to send it but nothing changes on the WLC. The message in ISE is "Dynamic Authorization failed" and a message that ISE didn't receive a response from the NAD, verify communication. What is odd is the original guest request comes in from the IP address of the service port on the WLC but anything to do with the COA is seen from the management. I have both IPs defined for the device in ISE. I am about to do a session reauthentication within ISE and the WLC applies the changes. I have verified that RFC 3576 is enabled, but the show radius rfc3576 stats shows no values. The WLC is running 7.6.130. I have attempted to debug on the WLC side to see if the message is even being delivered but none of the debugs I have attempted seem to offer any good information.
Anyone have any suggestions?
Thanks,
Joe

Hi Joe,
I don't really know what you are trying to do with the COA, as it is used in the CWA solution and BYOD solution as well. But even before trying that, I would advise you to go step by step and solve the n/w issue first. You are able to see the request from the service port, which should not happen because then the incoming/outgoing traffic takes different paths. You must be facing this situation as you might have some network routes matching the ISE subnet/IP address in GUI > Controller > Network Routes, as there is no need of those routes. If the service port needs to be used during a controller down scenario then use a laptop in the same subnet as the service port IP and connect to the service port.
Regards
Dhiresh
**Please rate helpful posts**
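The "no response from the NAD" symptom in the question can be narrowed down by sending a CoA-Request to the WLC's UDP 1700 yourself and classifying what comes back. The Python below is an added example, not code from this thread or from Cisco: it builds the RFC 3576 / RFC 5176 packet with a constructed shared secret and only a Calling-Station-Id (a real WLC session normally also needs the session-identifying attributes ISE sends, which are assumed away here), and its TIMEOUT / INVALID / ACK / NAK outcomes separate a routing or path problem from a shared-secret mismatch and from a session-match failure.

```python
import hashlib
import hmac
import socket
import struct

# RFC 3576 / RFC 5176 Dynamic Authorization packet codes and the port a WLC listens on
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
COA_PORT = 1700
ATTR_CALLING_STATION_ID = 31  # RADIUS attribute 31; the WLC keys sessions on the client MAC


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS Type-Length-Value; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(secret: bytes, calling_station_id: str, identifier: int = 1) -> bytes:
    """Minimal CoA-Request (assumption: attribute 31 alone). Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_coa_response(request: bytes, secret: bytes, ack: bool = True) -> bytes:
    """The reply a NAD (the WLC) would send; used here only to construct sample packets."""
    code = COA_ACK if ack else COA_NAK
    identifier, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, identifier, 20)
    return header + response_authenticator(code, identifier, request_auth, b"", secret)


def verify_coa_response(request: bytes, response: bytes, secret: bytes) -> str:
    """Classify a reply as 'ACK', 'NAK' or 'INVALID' (wrong secret, identifier,
    length or code). A wrong shared secret is silently dropped by a NAD, so it
    looks like a timeout on the ISE side; checking it explicitly saves guesswork."""
    if len(response) < 20:
        return "INVALID"
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or identifier != request[1] or length != len(response):
        return "INVALID"
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "INVALID"
    return "ACK" if code == COA_ACK else "NAK"


def probe_coa(nad_ip: str, secret: bytes, calling_station_id: str, timeout: float = 3.0) -> str:
    """Send one CoA-Request to the NAD's UDP 1700 and classify the reply.
    'TIMEOUT' is the condition behind ISE's 'no response from the NAD' message."""
    request = build_coa_request(secret, calling_station_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, COA_PORT))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return verify_coa_response(request, response, secret)
```

Run probe_coa against the WLC's management IP with the shared secret configured on both sides; a TIMEOUT while the WLC's rfc3576 counters stay at zero points at routing or filtering between ISE and that interface, an ACK or NAK proves the path and secret are fine.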

Similar Messages

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the WLAN guest access is using CWA?
    We are deploying a WLAN-only ISE solution (it is a full license ISE though) but they just want a few wired guest ports. I was hoping to add an L2 switch to the DMZ where the WLCa is and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired to the WLAN VLAN. This I'm sure I have done before.
    So now I have set wired guest the same as I have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2-only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a WLAN device?

    The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client. So even though the client's browser gets a redirect URL which fails connection, the client info in the WLCa doesn't have a redirect ACL listed like a WLAN client would.

  • WLC and ISE 1.1.1 guest MAC address limits

    Hi,
    I am looking at implementing a wireless hotspot and want to know if ISE 1.1.1 is able to enforce limits on the individual users (i.e. time limit, data limit).
    These limits need to be erased at the end of the day.
    I am using dynamic VLANs to separate out guests from corporate users.
    ISE is in a 192.x.x.x address range and the guest VLAN sits in a 10.x.x.x VLAN.
    I'm struggling with ISE terminating the guest sessions and then not permitting that same user back onto the network.

    Yes, it can be done using the time profile option in ISE. Please review the links below on how to configure time profiles for guest and sponsor portals.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0/sponsor_guide/ise10_sponsor.html

  • WLC and ISE

    Hello,
    I need to know what are the features I will lose for the wireless users, if I did not use a WLC deployment (Using autonomous AP), knowing that I'm using last code of ISE1.1.1.
    Also in case of no WLC, can I use Inline posture node or I have to use WLC in this case ?
    Thanks.

    So I understand from that COA is supported on the Cisco switch and it provides this to the wired client, while this is not supported on the AP (although it is connected after that to a switch) and we will need a WLC or inline posture. But I believe that the inline posture will be added after the switch so the setup will be AP-----Switch---Inline posture---Core and ISE, so why can the Inline posture provide the CoA to the wireless clients while the switch can't do that?
    Note: I assumed a lot of facts in the above statement so please correct me if any is wrong.
    Fact 1: COA is supported on the Cisco switch and it provides this to the wired client.
    Fact 2: I believe that the inline posture will be added after the switch so the setup will be AP-----Switch---Inline posture---Core and ISE.
    Also assuming that CoA is not supported, and as I know it is important for posture and profiling, can we use normal AAA authentication and guest life management with ISE and without a WLC or inline posture?
    Thanks 

  • ISE Guest Access- Redirect to URL after successful logon

    Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

    ISE guest flow:
    1. The user associates to the web authentication Service Set Identifier (SSID).
    2. The user opens the browser.
    3. The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    4. The user authenticates on the portal.
    5. The guest portal redirects back to the WLC with the credentials entered.
    6. The WLC authenticates the guest user via RADIUS.
    7. The WLC redirects back to the original URL.

  • ISE - Guest Access (without portal)

    Hi Guys,
    I have a customer who is currently using the CWA portal for guest access. Corporate use will be added in the future, sometime next year.
    Kit involved:
    5508 - Internal (Inside Net)
    5508 - Anchor (DMZ Net)
    ISE - Inside Net
    3600 APs
    Presently, the guest user connects, is anchored to the DMZ 5508, issued an IP address from a server in the DMZ, and DNS redirects to the web portal from the same server. The guest logs in and gets internet access through the ASA and then the content filtering box.
    They want a solution whereby they do not have to use the portal for corporate users with their own devices such as iPads. I know BYOD is a possibility but would involve using a CA server on the inside of the network. This is not something I'm keen on as it opens a channel from the guest network directly to their AD infrastructure.
    I'm leaning toward PEAP authentication atm using a GoDaddy SSL cert that is already installed. This would bypass the portal system and only involve client devices being configured once.
    Is there any other option that would be simple to setup as this is on a limited timescale ?
    Cheers,
    Nick

    Nick,
    They want a solution whereby they do not have to use the portal for corporate users with their own devices such as iPads. I know BYOD is a possibility but would involve using a CA server on the inside of the network. This is not something I'm keen on as it opens a channel from the guest network directly to their AD infrastructure.
    If you are referring to supplicant provisioning, the SCEP enrollment request is proxied from ISE and the private key and cert are transferred to the endpoint. This doesn't require your guest network having direct access to AD... just to ISE.
    Tarik Admani
    *Please rate helpful posts*

  • ISE guest access - can't match on Optional Data fields

    Hi all
    I need to have 2 different types of guest users that will get different levels of access with DACL / Airespace ACL.
    I thought that the best way to do that is simply matching one of the optional data fields you can set up in the Sponsor Portal.
    Unfortunately as soon as I reference an Optional Data field in the Authorization rule I get no match. Can't also match on username, which would not help anyway.
    Getting redirected, login, getting redirected again etc.
    This is affecting both wireless and wired.
    As soon as I remove that additional condition from the authz rule guest access works fine: getting redirected, log in, surf the internet.
    Is this a bug with ISE that you can't match guest optional data fields?

    Hi evnafets,
    You were right. How silly I am, didn't see that small thing, but STILL THE PROBLEM IS UNSOLVED.
    java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Missing ), ], or Item in query expression 'Post_Date LIKE to_date('04-06-2005',' dd/MM/yyyy''.
    Like it says, you have a missing ")" character:
    rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE to_date('"+ date_str+"', 'dd/MM/yyyy' <--HERE NEED A CLOSING BRACKET ");
    When I did this it said the to_date function is not available; that is because MS Access doesn't have this function. Then I just changed the query to:
    rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE "+ date_sql );
    Although it didn't generate any exception, it doesn't show any record.
    But even better would be to use a prepared statement:
    String sql = "SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE ?";
    PreparedStatement stmt = con.prepareStatement(sql);
    stmt.setDate(1, date_sql);
    ResultSet rs = stmt.executeQuery();
    I had a prepared statement in my final servlet; I made this one just to check why it's not working on dates. Also on your advice I changed it to a prepared statement. It runs fine but didn't show any record with date 04-06-2005 although I have it in my database (not generating any exception).
    I print the SQL date through the servlet just to check; it's showing 2005-06-04. Maybe it's a format problem.
    Thanks
    Regards

  • 2106 and Wired Guest Access

    Hi,
    It seems that the 2100 models do not support wired guest access. I wondered if the following workaround might work?
    We are using a 2106 with a wireless guest network anchored to a 5508.
    Would it be possible to configure an Autonomous AP in WGB mode and configure it to connect to the visitor WLAN?
    Would wired clients then be able to connect through the autonomous AP and use web authentication?
    Cheers

    I opened a TAC case with Cisco.
    Here was the response.
    Unfortunately this is not a supported feature, please have a look at the following:
    • These lightweight features are supported for use with a workgroup bridge:
    – Guest N+1 redundancy
    – Local EAP
    • These lightweight features are not supported for use with a workgroup bridge:
    – Cisco Centralized Key Management (CCKM)
    – Hybrid REAP
    – Idle timeout
    – Web authentication
    Note: If a workgroup bridge associates to a web-authentication WLAN, the workgroup bridge is added to the exclusion list, and all of the workgroup bridge wired clients are deleted.
    So it is not possible. Just thought I'd share this in case anyone else came across the same issue.

  • Windows 7 and Wireless Guest Access

    Dear all, one of my customers uses a 4400-based Guest Access solution with L3 web auth. With XP everything works fine. Since the migration to Windows 7, guest access is not working correctly. It takes a long time to get an IP address via DHCP; sometimes it idles at 169.xxx. If an IP address is provided, the redirect will not work. Has anybody seen similar problems with Win7 or a solution?
    Regards, Michael

    Found a solution for the "Boot Camp x64 is unsupported on this computer model" message. Here is the link: http://www.techulous.com/hardware/how-to-apple-boot-camp-64-bit-for-windows-7-on -unsupported-macs.html
    Everything works ( for ) now. Yay!

  • Cisco WLC Whitelist for Guest Access? and securing guest-access?

    Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?
    Looking at a 5508 model at the moment
    Thanks

    Hello Stephen,
    Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
    I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
    For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
    The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
    So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
    Thanks!
    Chris Slater-Walker
    Senior System Analyst
    Nokia UK Ltd.

  • Cisco ISE - Guest Access With Google Chrome

    We've implemented the self-provisioning guest portal/Guest SSID and it seems to work great for Internet Explorer. If a user uses Google Chrome to go through the setup, the password is generated, they log in and accept the terms and conditions, but then they get hung up on the WLC URL and have to start self-provisioning again.
    Any ideas?

    Please check the browser requirements below:
    Supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
    These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.
    Table 8: Supported Operating Systems and Browsers
    Supported Operating System - Browser Versions
    Google Android 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
    • Native browser
    Apple iOS 6, 5.1, 5.0.1, 5.0
    • Safari 5, 6
    Apple Mac OS X 10.5, 10.6, 10.7, 10.8
    • Mozilla Firefox 3.6, 4, 5, 9
    • Safari 4, 5, 6
    • Google Chrome 11
    Microsoft Windows 8
    • Microsoft IE 10
    Microsoft Windows 7
    • Microsoft IE 9
    • Mozilla Firefox 3.6, 5, 9
    • Google Chrome 11
    Microsoft Windows Vista, Microsoft Windows XP
    • Microsoft IE 6, 7, 8
    • Mozilla Firefox 3.6, 9
    • Google Chrome 5
    Red Hat Enterprise Linux (RHEL) 5
    • Mozilla Firefox 3.6, 4, 5, 9
    • Google Chrome 11
    Ubuntu
    • Mozilla Firefox 3.6, 9

  • Web auth with internal web page of WLC and ISE as RADIUS server

    Hi All ,
    We have created an SSID as web auth with the internal web page for login. In the advanced tab we configured the AAA server. AD is integrated with ISE.
    When the user tries to connect, he is getting the redirect URL. But during the authentication, we are getting an error in ISE:
    "ise has problems communicating with active directory using its machine credentials" and the authentication is failing.
    When we have the L2 security mechanism enabled with PEAP, ISE is able to read the AD and provide authentication.
    Only for L3 web auth it is not happening.
    Any clue on this?
    Thanks,
    Regards,
    Vijay.

    Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access, Cisco recommends a Mobility Anchor Controller be placed on a DMZ and the guest access wireless LAN is tunneled to this controller. This means that 2 DMZ subnetworks are required: one for the management interface and one for the wireless LAN's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless LAN's dynamic interface.
    Advantages that I see are that no tunnels need to go through a firewall, and management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap:
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then anchor the guest SSID (on its DMZ IP instead of the management IP as is now)
    And to make that kind of anchoring work, I have to open the ports below on the firewall... right?
    UDP port 16666 for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    • TCP 161 and 162 for SNMP
    • UDP 69 for TFTP
    • TCP 80 or 443 for HTTP, or HTTPS for GUI access
    • TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Extending a network and the new guest access feature

    Hi-
    Currently, I have 3 of the 802.11n Airport Extremes—One creating the network, and two extending the network.
    I would like to get the new feature that allows you to setup guest access---
    My question: Will I be able to purchase ONE of the new Airports, setup guest access and extend it using the older Airports, or will I have to buy three of the new Airports to make this work….
    Thanks for any help or advice!

    It would seem almost certain that the older AirPort Extreme base station (AEBS) would not extend both the normal network and the guest access network. You should be able to extend the normal network.

  • ISE Guest User problem

    Hi Guys,
    I got a problem about a guest user after creating a guest account from the ISE sponsor. When I try to log in with the guest user on Web auth (WLC) it shows a login error and the message on ISE is "Authentication failed: 24206 User disabled".
    Failure Reason > Authentication Failure Code Lookup
    Failure Reason:
    24206 User disabled
    Description
    User marked disabled in Internal database.
    Resolution Steps
    Check whether the user account in Internal database is enabled
    I would like to know, how to enable the guest account? What configuration did I miss?

    Hi dsdavid,
    Do you use ISE with WLC? If yes, you need to configure ISE as External Web Auth at the WLC:
    WLC
    Security > Access Control List
    - Allow traffic from Client to ISE
    * If you have a firewall or ACL on the core switch between WLC and ISE, you have to allow traffic from Client to ISE too.
    Security > Web Auth > External Web Auth
    - Web Authentication Type : External
    - Redirect URL after login : Up to you
    - External Webauth URL : https://:8443/guestportal/Login.action
    WLAN > Security > Layer 3
    - Check Web Policy > Authentication
    - Pre-Auth ACL > Choose the ACL which you pre-defined at Security > Access Control List
    WLAN > AAA Servers
    - Choose Authentication Server as ISE
    WLAN > Advanced
    - Check Allow AAA override
