3850 Unified Access with non SVI URL Redirect

scraven
Cisco Employee

Team,

Has anyone had success deploying Guest on 3850s with Unified Access when not using an SVI? With 3.7.3E, you have new options when unable to leverage an SVI on the switch, utilizing new parameter-maps to enable non-SVI and VRF-aware Web-Auth.

Release Notes for Catalyst 3850 Series Switch, Cisco IOS XE Release 3.7.xE - Cisco

Looking to see if we have an updated config deployment, etc. Not able to do anchor, etc. in this use case, as it's limited to one 3850 stack servicing both internal networks and guest.

TIA

S

3 Replies

kthiruve
Cisco Employee

Hi,

There is a difference between local web authentication done at the switch level and central web auth in ISE.

ISE Guest uses central web authentication, and the ISE guest services provide a way of customizing portals easily with localization support, etc.

Here is the link to the how-to guides for design:

ISE Design & Integration Guides

Please see the Cisco Switches section and the guest section of the how-to docs for configuring ISE with switches.

Thanks

Krishnan

So the issue the VRF/L2 parameter map addresses is:

Central Web Authentication with a Switch and Identity Services Engine Configuration Example - Cisco

Important Note about Switch SVIs

At this time, the switch needs a switch virtual interface (SVI) in order to reply to the client and send the web portal redirection to the client. This SVI does not necessarily have to be on the client subnet/VLAN. However, if the switch has no SVI in the client subnet/VLAN, it has to use any of the other SVIs and send traffic as defined in the client routing table. This typically means traffic is sent to another gateway in the core of the network; this traffic comes back to the access switch inside the client subnet.

Firewalls typically block traffic from and to the same switch, as in this scenario, so redirection might not work properly. Workarounds are to allow this behavior on the firewall or to create an SVI on the access switch in the client subnet.

Prior to 3.7.3 on the 3850, you had to use an SVI for CWA URL redirection to occur.

Per the CSC bug on this item, the parameter maps were added both for LWA and CWA functionality.

S

Hi,

Have you tried this?

Consolidated Platform Configuration Guide, Cisco IOS XE 3.7E and Later (Catalyst 3650 Switches) - Configuring Web-Based…

I know the relevancy was for LWA, but look at the bottom of the configuration for configuring web authentication with no SVI.

-Krishnan