Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1272
Views
0
Helpful
3
Replies

Cisco ISE - CWA redirect in another way than cisco-av-pair?

dal
Level 3
Level 3

‎11-12-2014 02:52 PM - edited ‎03-10-2019 10:10 PM

Hello.

I'm trying to set up ISE as a CWA.

I have made all the rules in both Authenticatin and Authorization, and I also see the clients hitting the right rules. The Authorizaton rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.

 

But here is the problem: We use Aerohive as Accesspoints. And Aerohive does not support cisco-av-pair attributtes, since it's Cisco proprietary.

Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.

So the big question: Is there way to make the same redirect using standard radius attributes?

 

Thank you.

 

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎11-12-2014 07:14 PM

Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html

If could be wrong here so if someone else has done this before pls chime in.

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
0 Helpful

dal
Level 3
Level 3
In response to nspasov

‎11-13-2014 07:20 AM

Hello, and thank you for answering.

It's a shame.

Cisco ISE is an excellent product that for the most part can be used on many vendors of wifi equipment, so why not take the full step to broaden their customer base? Here's hoping..

That said, is there a way at all to make url redirect happen with standard radius attributes?

And is there a place where it is possible to make a change request for this?

Thanks.

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to dal

‎11-13-2014 09:08 AM

I hear your frustration but perhaps we are looking at this problem from the wrong angle. We know that ISE supports CWA now we need to figure out what Aerohive supports. Can you check with them and see if they support CWA and/or LWA and if yes with what attributes. ISE is a radius server and it supports a lot of Radius attributes and it even let's you import/create your own dictionaries as well. 

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents