topic ISE and WLC for CWA (Central Web Auth) in Network Access Control

ISE and WLC for CWA (Central Web Auth)

shekharmore003 — Mon, 11 Mar 2019 02:26:47 GMT

Hello All,

As we know that WLC (i.e. 5508) does not support MAB (MAC Auth Bypass) and it supports CWA in 7.2.x.

CWA is a result of successfull MAB. So how CWA work for wireless? So it means WLC support MAB?

ISE and WLC for CWA (Central Web Auth)

Tarik Admani — Tue, 21 Aug 2012 22:43:06 GMT

Hi,

The term in the wireless world is mac filtering. so when mac filtering is triggered you will return the CWA portal in the access-accept.

Remember to set your condition in the authentication policy to continue if the user is not found, so the device can hit the default CWA rule.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE and WLC for CWA (Central Web Auth)

David Niemann — Thu, 10 Jan 2013 15:14:45 GMT

I've been playing around with this and have it working on 7.3.101 on the WLC 5508, however, I don't seem to be receiving the web redirect correctly. When I look under the client connections on the WLC I see that the URL is received on the WLC from ISE, but it appears to be truncated, unless that's just a limitation of the display. I see hits on the ACL-WEBAUTH-REDIRECT ACL on the controller, but it doesn't seem to be redirecting. I have this similar configuration on the wired side of the house and it works fine. ISE just shows pending webauth, as it should.

Security Policy Completed No

Policy Type N/A

Encryption Cipher None

EAP Type N/A

SNMP NAC State Access

Radius NAC State CENTRAL_WEB_AUTH

CTS Security Group Tag Not Applicable

AAA Override ACL Name ACL-WEBAUTH-REDIRECT

AAA Override ACL Applied Status Yes

AAA Override Flex ACL none

AAA Override Flex ACL Applied Status Unavailable

Redirect URL

https://.com:8443/guestportal/gateway

IPV4 ACL Name none

IPv4 ACL Applied Status Unavailable

IPv6 ACL Name none

IPv6 ACL Applied Status Unavailable

Re:ISE and WLC for CWA (Central Web Auth)

Tarik Admani — Thu, 10 Jan 2013 15:31:54 GMT

Hi,

Can you post the screenshot of your acl. Also can you post the screenshot of the advanced settings. Also are you in flexconnect mode?

Sent from Cisco Technical Support Android App

Re: ISE and WLC for CWA (Central Web Auth)

David Niemann — Thu, 10 Jan 2013 15:37:49 GMT

Not running in FlexConnect mode for this WLAN.

ISE and WLC for CWA (Central Web Auth)

Tarik Admani — Fri, 11 Jan 2013 03:04:25 GMT

David,

Please permit the dns and also allow full access to ISE (for testing purposes) and you redirection should work fine. With wireless the behavior is a bit different from the wired where you have to deny any "exempt" redirection traffic.

Give that a shot and let us know how it goes.

Tarik Admani
*Please rate helpful posts*

ISE and WLC for CWA (Central Web Auth)

lambiase — Thu, 22 Aug 2013 23:47:07 GMT

Tarik,

I do have similar issue.I have configured a WLAN on my WLC and trying to setup ISE central web authentication...

do have similar ACL setup on WLC and have the authorization profile on ISE pointed to the redirection.

I get connected to internet without redirection to web auth and on ISE authentications, it shows as pending..

Please help

Thanks

Re: ISE and WLC for CWA (Central Web Auth)

blenka — Tue, 27 Aug 2013 18:58:03 GMT

Central Web Authentication

In the case of Central Web Authentication (CWA), the web-authentication occurs on the ISE server. The web portal in the ISE server provides a login page to the client. Once the credentials are verified on the ISE server, the client is provisioned. The client remains in the POSTURE_REQD state until a CoA is reached. The credentials and ACLs are received from the ISE server.