06-10-2024 04:36 AM - edited 06-11-2024 01:27 AM
Hi,
We recently rolled out our new SDA campus and had our Wireless in OTT due to using a single WLC for two different campuses. This was a temporary change and we are planning to roll our Wireless in SDA and separate admin domains for each WLC pair to its dedicated sites as it's a prerequisite for SDA.
We are unfortunately facing some issues as we are very strict with separating Guest networks from Production network.
The prerequisite is that Guest portal can't be on the same ISE cluster as production and I am unable to find an adequate solution.
1. We had an idea to simply enroll the second ISE cluster used for Wireless to an existing SDA deployment as AAA (Since Prod ISE is already integrated in DNA) as AAA can be configured per SSID.
This of course does not work well because if we add another ISE cluster as AAA, it does not do the necessary NAD enrolment or policy. This would potentially be possible to be done manually but it adds an extra complexity and beats the purpose of having DNAC for automation. Also, we did not receive a confirmation that this would actually work in the end.
2. We also have a business need for features provided with SPACES and Spaces offers a captive portal that can be hosted in the cloud.
Logically, given the options to integrate Spaces with DNA I would expect this should be straightforward and I can configure it as External web auth portal but it's not. I understand that this might not be supported if used with SDA and I'm wondering if this is correct and if someone found a tested workaround?
10-29-2024 06:30 AM - edited 10-29-2024 06:32 AM
I just realized I didn't update on the progress of this config and I actually have the solution:
- The process requires that the Spaces RADIUS servers are added to the DNAC as RADIUS servers.
- Server IPs and SharedKey are available in Spaces > Captive Portal > SSID > Click on SSID created and in the corner it should say: manual configuration (Select this)
- Once this is configured, proceed with configuring Guest SSID.
- Define the authentication to be used as External Authentication and then you can enter a Splash page URL as well as add AAA servers which we previously configured.
- Provision the WLC.
- Make sure you set the Guest SSID as Fabric SSID under Network profiles.
- Publish Guest SSID and bind it to IP pool in Fabric onboarding process and deploy the config.
Now we need to configure the missing config and to make sure it's always provisioned and we achieve this with Day-N template.
The main thing to adjust is the parameter-map and append AP-MAC, CLIENT-MAC and WLAN when redirecting to the splash page.
Here is the example:
Before (what DNAC pushed):
parameter-map type webauth GUEST_TEST_F_6f54676
 type webauth
 redirect for-login https://splash.dnaspaces.eu/p2/XYZXYZXYZ
 redirect portal ipv4 X.X.X.X
After applying manual config:
parameter-map type webauth GUEST_TEST_F_6f54676
 type consent
 timeout init-state sec 600
 redirect for-login https://splash.dnaspaces.eu/p2/XYZXYZXYZ
 redirect append ap-mac tag ap_mac
 redirect append wlan-ssid tag wlan
 redirect append client-mac tag client_mac
 redirect portal ipv4 X.X.X.X
 logout-window-disabled
 success-window-disable
Documentation used:
Configure Spaces Captive Portal with Catalyst 9800 WLC - Cisco
Cisco DNA Center SD-Access Guest Automation - Cisco
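As an added compliance check (not from the original post, DNAC or Cisco), the Python below parses a 9800 running-config for `parameter-map type webauth` blocks, reports which lines of the "after" block above are still missing, and emits the CLI a Day-N template would push to complete them. The config excerpt is constructed from the thread's "before" example with a documentation IP.

```python
import re

# Sub-commands in the thread's "after" parameter-map that the DNAC-pushed
# "before" map lacks; 'type consent' replaces 'type webauth' on the 9800.
REQUIRED = (
    "type consent",
    "timeout init-state sec 600",
    "redirect append ap-mac tag ap_mac",
    "redirect append wlan-ssid tag wlan",
    "redirect append client-mac tag client_mac",
    "logout-window-disabled",
    "success-window-disable",
)

# Constructed running-config excerpt modelled on the thread's "before" block.
SAMPLE_CONFIG = """\
!
parameter-map type webauth GUEST_TEST_F_6f54676
 type webauth
 redirect for-login https://splash.dnaspaces.eu/p2/XYZXYZXYZ
 redirect portal ipv4 192.0.2.10
!
"""


def parse_webauth_maps(config: str) -> dict:
    """Map name -> its sub-commands (IOS-XE indents them by one space; '!' closes the block)."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^parameter-map type webauth (\S+)\s*$", line)
        if m:
            current = m.group(1)
            maps[current] = []
        elif current is not None and line.startswith(" "):
            maps[current].append(line.strip())
        else:
            current = None
    return maps


def missing_lines(sub_cmds) -> list:
    return [c for c in REQUIRED if c not in sub_cmds]


def remediation(config: str) -> str:
    """CLI text completing every non-compliant map; empty when all maps comply."""
    out = []
    for name, cmds in parse_webauth_maps(config).items():
        if gap := missing_lines(cmds):
            out.append(f"parameter-map type webauth {name}")
            out.extend(f" {c}" for c in gap)
    return "\n".join(out)
```

In practice filter the map names (for example to the guest SSID's map) before acting on the output, since the built-in `parameter-map type webauth global` block would otherwise be reported as non-compliant too.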
07-25-2024 04:40 AM
Demystifying Space captive portal: it won't give you full automation for your guest SSID as you will need to configure a lot of stuff with network templates (parameter-maps etc). It's what I can conclude from the design made by Cisco CX for my customer...
I don't see actual profit from using Space c/p compared to what you can do for Guest services with legacy approaches.