https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243277#M119216 <HTML><HEAD></HEAD><BODY><P>Vijay,</P><P></P><P>can you check what authorization policy are you hitting for L3 auth and L2 auth on ISE? maybe you will need add/modify a rule on ISE.</P></BODY></HTML> Thu, 18 Jul 2013 16:39:02 GMT Viten Patel 2013-07-18T16:39:02Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243272#M119211 <P>Hi all,</P><P></P><P>We are using auto anchor mechanism for guest clients . Anchor controller placed after the Firewall. Guest vlan will&nbsp; be having reachabilty only to internet.</P><P>We want to use ISE for web authentication.</P><P></P><P>Since client subnet is not having reachbility to ISE , redirection page is not coming and we cant allow clients subnet to access internal resource . </P><P></P><P>So , is there a way WLC will forward the own web auth page to clients , but it needs to check with ISE for the&nbsp; crdentials ?</P><P></P><P>Thanks for your help <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Regards,</P><P>Vijay.</P> Sun, 04 Jul 2021 07:27:14 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243272#M119211 vijay kumar 2021-07-04T07:27:14Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243273#M119212 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Here is a short cisco doc that would answer your queries. It also has a configurable example:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml">http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml</A></P></BODY></HTML> Thu, 18 Jul 2013 03:00:11 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243273#M119212 mmangat 2013-07-18T03:00:11Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243274#M119213 <HTML><HEAD></HEAD><BODY><P>Hi Mantej Magat ,</P><P></P><P>thanks for your reply <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>I have gone through the document . As per it ,</P><P></P><P>Login page is from&nbsp; external web server , and authentication of users against local data base in WLC.</P><P></P><P>But our requirement is, </P><P></P><P>Login page is from WLC , and authentication of users from ISE database .</P><P></P><P></P><P>IS that possible?</P></BODY></HTML> Thu, 18 Jul 2013 03:16:34 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243274#M119213 vijay kumar 2013-07-18T03:16:34Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243275#M119214 <HTML><HEAD></HEAD><BODY><P>Yes that is possible.<BR /><BR />Under the wlan configurations<BR />• set layer 2 security to none<BR />• set layer 3 to webauth (override to local or make sure global is set to local)<BR />• point to the radius server (ISE) on the AAA servers tab. On the same tab change the authentication priority for webauth to radius &gt; local<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 18 Jul 2013 05:57:32 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243275#M119214 Viten Patel 2013-07-18T05:57:32Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243276#M119215 <HTML><HEAD></HEAD><BODY><P>Hi Viten ,</P><P></P><P>Really thanks for your help . It got worked .</P><P></P><P>But again , ISE and AD communication is not happening properly for L3 SSID.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">"ise has problems communicating with active directory&nbsp; using its machine credentials "&nbsp; and authentication getting failed .</P><P></P><P></P><P>Apart from this , we have one more SSID configured for L2 auth , and authentication is happening properly between client ,ISE and AD.</P><P></P><P>But only for L3 it is not working. could you pls suggest <SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Thu, 18 Jul 2013 12:41:25 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243276#M119215 vijay kumar 2013-07-18T12:41:25Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243277#M119216 <HTML><HEAD></HEAD><BODY><P>Vijay,</P><P></P><P>can you check what authorization policy are you hitting for L3 auth and L2 auth on ISE? maybe you will need add/modify a rule on ISE.</P></BODY></HTML> Thu, 18 Jul 2013 16:39:02 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243277#M119216 Viten Patel 2013-07-18T16:39:02Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243278#M119217 <HTML><HEAD></HEAD><BODY><P>Hi Viten ,</P><P></P><P>we have allowed the default permit access authorization policy for the clients once it get authenticates.</P><P></P><P>For authentication policy , in default list we are using external identity store as AD server.</P></BODY></HTML> Thu, 18 Jul 2013 20:24:13 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243278#M119217 vijay kumar 2013-07-18T20:24:13Z https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243279#M119218 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>As per your query i can suggest you the following solution-</P><H2>Configure</H2><P>In this section, you are presented with the information to configure the features described in this document.</P><P><STRONG>Note:</STRONG> Use the <A href="http://tools.cisco.com/Support/CLILookup/cltSearchAction.do">Command Lookup Tool</A> (<A href="http://tools.cisco.com/RPF/register/register.do">registered</A> customers only) in order to find more information on the commands used in this document.</P><P>Complete these steps in order to configure the devices for EAP authentication:</P><UL><LI>•1.&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c1">Configure the WLC for basic operation and register the Lightweight APs to the controller.</A><BR /></LI><LI>•2.&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2">Configure the WLC for RADIUS authentication through an external RADIUS server.</A><BR /></LI><LI>•3.&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3">Configure the WLAN parameters.</A><BR /></LI><LI>•4.&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c4">Configure Cisco Secure ACS as the external RADIUS server and create a user database for authenticating clients.</A><BR /></LI></UL><P></P><P>Hope this will help you.</P></BODY></HTML> Fri, 19 Jul 2013 21:45:50 GMT https://community.cisco.com/t5/wireless/wlc-external-web-authentication/m-p/2243279#M119218 Abhishek Abhishek 2013-07-19T21:45:50Z