
Configuring ISE

fredrick.ndegwa
Level 1

Hi,

I have configured ISE with a WLC for two WLANs (guest VLAN 20 and staff VLAN 1). The staff SSID is working fine, but the guest SSID does not go to the internet. When I do a traceroute I discover that my guest clients do not reach my router, although the ISE server can reach the router. I have attached my access-list, which I'm not sure if it is the one causing my dilemma. I am trying to figure out why traffic is not moving to the router after redirection occurs.

6 Replies

nspasov
Cisco Employee

Hi there. A couple of remarks/questions:

1. Are you trying to perform CWA (Central Web Auth)?

2. The ACL is not getting any hits; this tells me that it is most likely not being applied on the guest flow session

3. Keep in mind that WLC ACLs are not reflexive, thus you must explicitly allow traffic in both directions. Your current ACL looks fine but I just wanted to throw this out there :)

4. Can you share screen shots of your:

- Guest authorization policy

- The "Authorization Profile" that you are returning for both the Guest_CWA rule and then authenticated guests?

 

Thank you for rating helpful posts!
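
Added example, not part of the thread: the remark above that WLC ACLs are not reflexive, shown as a small Python check that flags permit rules whose reply traffic the same ACL never permits. The rule model, the guest subnet, the ISE address and port 8443 are constructed assumptions, not the poster's attached ACL and not WLC syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or ANY
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    src_port: str = ANY
    dst_port: str = ANY

    def mirrored(self):
        """The reply flow: addresses and ports swapped."""
        return Rule(self.action, self.proto, self.dst, self.src,
                    self.dst_port, self.src_port)

    def covers(self, other):
        """True when every packet matched by `other` also matches this rule."""
        return (self.proto in (ANY, other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.src_port in (ANY, other.src_port)
                and self.dst_port in (ANY, other.dst_port))

def return_path_allowed(acl, rule):
    """Stateless first-match: the first rule covering the whole reply flow decides."""
    reply = rule.mirrored()
    for r in acl:
        if r.covers(reply):   # partial overlaps are ignored (simplification)
            return r.action == "permit"
    return False              # implicit deny at the end of the list

def one_way_rules(acl):
    """Permit rules whose reply traffic the same ACL does not permit."""
    return [r for r in acl if r.action == "permit" and not return_path_allowed(acl, r)]

# Constructed sample values: guest subnet, ISE address and portal port are assumptions.
GUEST, ISE, EVERYWHERE = "10.0.20.0/24", "10.0.1.10/32", "0.0.0.0/0"
DNS_OUT = Rule("permit", "udp", GUEST, EVERYWHERE, ANY, "53")
DNS_BACK = Rule("permit", "udp", EVERYWHERE, GUEST, "53", ANY)
TO_ISE = Rule("permit", "tcp", GUEST, ISE, ANY, "8443")
FROM_ISE = Rule("permit", "tcp", ISE, GUEST, "8443", ANY)
BROKEN_ACL = [DNS_OUT, DNS_BACK, TO_ISE]   # reply from ISE is never permitted
FIXED_ACL = BROKEN_ACL + [FROM_ISE]        # explicit return rule added
for rule in one_way_rules(BROKEN_ACL):
    print("no return rule for:", rule)
```
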

Hi,

Thank you for your answer.

  • Yes, I am trying to perform CWA (Central Web Auth).
  • I have noticed that the access-list is not getting any hits and I don't understand why.
  • I have attached the Authorization profile.

I am pretty green in this; any assistance will be highly appreciated.

Thanks

 

OK, let's fix a couple of things:

- Under "Authentication" change the identity store to "Internal Endpoint"

- Then under "Options" set the "If Authentication Fails" to "Reject"

Also, confirm that:

1. You have configured the ISE server(s) under the AAA configurations in the WLC

2. You have selected the ISE servers under the "AAA Servers" tab on the WLC

3. There are no settings under the "Layer 3 Security" on the SSID

4. In ISE, under the "Live Authentications" screen, can you confirm that you are seeing hits for the "Guest Redirection" authorization rule that you have created?

Lastly, check out this doc/link as it provides step by step instructions :)

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Let me know how it goes!

 

Thank you for rating helpful posts!

Hi Neno,

Thank you very much, but my problem does not seem to get resolved. I have done all that and even reset ISE and followed that document to the letter, but still my guests do not get to the internet. Is there anything else you can think of that I am missing?

Hi,

My access-list is now getting hits in all the rules, but still I cannot get access to the internet. I have tried creating another rule using a permit-all access-list, but it is still not working. I have attached the profile and the access-list. Please help me identify where I am going wrong.

OK, so is the redirection at least not working? Just want to make sure that we fixed at least the first issue before moving on to the second one :)

So for the second issue: Have you checked in ISE and confirmed that your guest authorization policy is being hit after the guest authenticates?

Also, do you have an upstream device that might have an ACL blocking the connection? Last but not least, make sure that the guest network has full connectivity to the internet (routing, VLANs, etc.).
 

Thank you for rating helpful posts!