https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294783#M596540 <P>All working now Boort.</P><P>Thanks again.</P> Thu, 29 May 2025 08:34:56 GMT KevinR99 2025-05-29T08:34:56Z https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5292751#M596407 <P>Hi</P><P>I’ve been testing guest wireless using CWA in an SD Access network. &nbsp;When I configure the SSID as a standard over the top deployment and tunnel the traffic back to the WLC all is ok. &nbsp;However, when I change my SSID to fabric mode redirection to the ISE portal doesn’t work.</P><P>I’ve been thinking about the process involved and redirection relies on an ACL on the WLC. &nbsp;Since fabric mode offloads the data at the edge switch that the AP is connected to I’m thinking the WLC doesn’t see that traffic and get a chance to use the WLC to intercept the traffic and cause a redirect to the ISE.</P><P>Can anyone advise if CWA can work in a fabric mode SSID?</P><P>AThanks, Kev.</P> Wed, 21 May 2025 22:00:48 GMT https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5292751#M596407 KevinR99 2025-05-21T22:00:48Z https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5292767#M596408 <P>Unless I'm mistaken, I think the RADIUS + Redirect flow would happen in the CAPWAP Control Plane. The redirect URL and ACL would be sent from the WLC to the Fabric AP. At the point where the client needs to access the portal, that would be using the VXLAN Data Plane.</P> <P>If you haven't done so already, you might confirm that whatever VLAN/VN you are dropping the client onto as defined in the AuthZ Profile has routing and connectivity to the PSN Portal.</P> <P>All else fails, you might have to open a TAC case to investigate further and confirm the flow.</P> Thu, 22 May 2025 02:27:02 GMT https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5292767#M596408 Greg Gibbs 2025-05-22T02:27:02Z https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5293544#M596455 <P>Sounds like your APs is missing the redirect ACLs. They way this is done in a fabric mode deployment is to add the redirect ACLs to the default flex connect profile or which ever profile you have assigned. Even tho you are not using flexconnect it will still get pushed to the AP.</P> Sun, 25 May 2025 08:03:21 GMT https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5293544#M596455 Boort 2025-05-25T08:03:21Z https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294053#M596477 <P>Thank you Boort.&nbsp; I've made some progress.&nbsp; My wireless client is now attempting to be redirected.</P><P>Still some work to do but progress is being made.</P> Tue, 27 May 2025 11:05:57 GMT https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294053#M596477 KevinR99 2025-05-27T11:05:57Z https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294577#M596524 <P>Great! Glad to help. Is there still problems getting the client authenticated?</P> Wed, 28 May 2025 15:46:36 GMT https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294577#M596524 Boort 2025-05-28T15:46:36Z https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294783#M596540 <P>All working now Boort.</P><P>Thanks again.</P> Thu, 29 May 2025 08:34:56 GMT https://community.cisco.com/t5/network-access-control/wireless-guest-in-an-sd-access-network/m-p/5294783#M596540 KevinR99 2025-05-29T08:34:56Z