Cisco ISE Guest Access with WLC

mikiNet
Level 1

Dear colleagues,

I am now working on a project which requires implementing Guest Access with ISE and WLC. The implementation is very easy, but I can't understand why a guest gets an IP address after connecting to the SSID, because in step 2 (please see the flow below) I return a redirect ACL + AeroACL where I have only permit statements for communication to ISE and DNS. I can't find any explanation for why this happens.

 

ACL on WLC:

Flow from Cisco documentation:

 


 

This situation happens on a wireless connection. On a wired connection I understand it, because I clearly defined an ACL where DHCP is permitted:


 

 

Can anyone explain why DHCP traffic is not required in the ACL for the WLC?

1 Accepted Solution


Arne Bier
VIP

Hello @mikiNet 

 

This is designed like that on purpose. You HAVE to allow someone to get an IP address before you can do anything with a portal. How else can a user establish a TCP connection to the ISE web server? By default, you don't even have to include the permit DHCP stuff because it's implied. You have to include a statement to allow DNS traffic though.

2 Replies

Dear Arne,

Thanks for the explanation!