https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937164#M81053 <HTML><HEAD></HEAD><BODY><P>It has to do with the traffic flow. For external webauth you need the pre-auth acl configured allowing the client to reach the ISE. But the WLC doesn't have that control of the guest traffic is going to be locally switched. </P><P></P><P>Steve</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Wed, 23 May 2012 21:24:28 GMT Stephen Rodriguez 2012-05-23T21:24:28Z https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937163#M81052 <P>Hi</P><P>Trying to use ise (1.1) as an external webauth within a flexconnect/h-reap setup (WLC:7.2.103)... Can't get it to work.. After a lot of testing/troubleshooting found this: <A href="http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#webauth" target="_blank">http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#webauth</A></P><P>That says: "External web Authentication is only supported on a centrally switched WLAN"</P><P></P><P>Anyone can explain why/how this should be an issue....Anypne got it to work?</P><P></P><P>BG</P><P>Kasper</P> Sun, 04 Jul 2021 05:12:16 GMT https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937163#M81052 Kasper Roholt 2021-07-04T05:12:16Z https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937164#M81053 <HTML><HEAD></HEAD><BODY><P>It has to do with the traffic flow. For external webauth you need the pre-auth acl configured allowing the client to reach the ISE. But the WLC doesn't have that control of the guest traffic is going to be locally switched. </P><P></P><P>Steve</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Wed, 23 May 2012 21:24:28 GMT https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937164#M81053 Stephen Rodriguez 2012-05-23T21:24:28Z https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937165#M81054 <HTML><HEAD></HEAD><BODY><P>hi Stephen,</P><P>&nbsp; Can you please explain the traffic flow for HREAP AP with an SSID which is webauth configured and local switching enabled ? This is how i see it :</P><P></P><P>1. client sends DHCP request and gets IP on locally defined VLAN on the HREAP AP</P><P>during this, the controller get to know of the client association via the CAPWAP control message from HREAP AP</P><P>2. Client opens browser and enter website address (google.com) and gets the controller webauth login page</P><P>is this step&nbsp; happening in the capwap tunnel or outside it ? the TCP communication between client and WLC</P><P>3. Client enters username and password for webauth </P><P>but the wlc virtual IP is not routed anywhere, so how will the username and password reach the wlc ? (through the capwap tunnel ? )</P><P>4. controller checks the username/password eiither locally defined or can be on a nac guest server or ISE ?</P><P>if the username/password reaches the controller, it should be able to verify the credentials wtih an external entity like NGS oR ISE ? </P><P></P><P>regards</P><P>Joe</P></BODY></HTML> Fri, 21 Sep 2012 14:28:00 GMT https://community.cisco.com/t5/wireless/external-webauth-with-flexconnect/m-p/1937165#M81054 wireless wlc 2012-09-21T14:28:00Z