topic ISE WLC 4400 configuration in Network Access Control

ISE WLC 4400 configuration

MMstre — Mon, 11 Mar 2019 03:49:29 GMT

Up until now, my experience has been with 5500 controllers and ISE.

My customer is using 4400 controller, on 7.0.240 code.

I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...

Does anyone know of any documents, or have experience that can assist with this configuration?

ISE WLC 4400 configuration

Charlie Moreton — Tue, 27 Aug 2013 21:15:42 GMT

Michael,

Depending on the version of ISE software you are running, you may be in luck. The information below is for 1.1.x. If you are using v 1.2, you may have to tweak a bit.

In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat: “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038

Of course, with an IPN, your posturing (and CoA) is handled here.

DACLs are also supported on the WLC 4400.

Per User ACLs are covered in the following document:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml

I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.

Please feel free to ask any additional or follow-up questions.

Also, please let me know if this fixes your issue. If it does, please rate this answer and mark your question as Answered.

Charles Moreton

ISE WLC 4400 configuration

MMstre — Wed, 28 Aug 2013 05:27:00 GMT

Hi Charles,

this is great information, thanks for linking this.

However, to be a bit more specific on the need of this deployment...

The customer is looking to do webauth for guests. Setting up all the clients for dot1x may not be possible as the client count could reach into the hundreds. Not to mention, this is for a trade show, and the clients won't be on-site until the day of the show. So getting everyone to configure the service may not be accomplishable.

The customers main requirement is the use of an AUP, and being able to monitor. Ideally, they would like to posture, as this has been a manual procedure, but are aware that this is unlikely.

Any thoughts on what i may be able to accomplish?

I tried setting up radius authZ profiles for webauth, using the controller to authenticate and ISE for authorization, but this isn't working as planned

ISE WLC 4400 configuration

Charlie Moreton — Wed, 28 Aug 2013 15:10:07 GMT

AUP is a sub of Posturing, but posturing is not a good idea for guest flows. I would create an AUP with an Any role and use the ISE for both Authenticate and Authorize.

I have linked the following document so that you may see the different AUP Configurations available.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html

Here is a quick chart to look at, as well:

Again, please let me know if this fixes your issue. If it does, please rate this answer and mark your question as Answered.

Charles Moreton

ISE WLC 4400 configuration

George Stefanick — Wed, 28 Aug 2013 17:11:29 GMT

Hi Charles,

Are you sure this is a correct statement ?

DACLs are also supported on the WLC 4400 ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

ISE WLC 4400 configuration

Charlie Moreton — Wed, 28 Aug 2013 17:15:52 GMT

According to this matrix, they are supported with a caveat "Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)"

So the WLC 4400 is NOT itself processing or using the DACL

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038

ISE WLC 4400 configuration

George Stefanick — Wed, 28 Aug 2013 17:16:25 GMT

Michael,

My experience is not the hardware but the code is the differentiater . 4400 cant go past 7.0 code.

If you are looking for a simple guest AUP. Why not just take ISE out of the mix and do a AUP on the controller. You can upload a custom page and have a simple click here or you could use a generic account.

Why the trouble of ISE for a simple AUP guest ?

ISE WLC 4400 configuration

George Stefanick — Wed, 28 Aug 2013 17:18:54 GMT

Unifed controllers only use NAMED ACLs. ISE uses a radius attriubute to impose the named ACL from the wlc onto the client.

ISE WLC 4400 configuration

George Stefanick — Wed, 28 Aug 2013 17:22:54 GMT

Chalres that chart is a type o ? States dACL but (4) says different ..

⁴

Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).