
configuring ise

kennedymacharia
Level 1

Hi guys,

I am deploying ISE 1.2.1.198 with a WLC 5508 for guest web authentication, but redirection is not occurring and clients are not getting DHCP.

I have not configured any switch for this deployment. (Do I have to?)

 

 


Saurav Lodh
Level 7

Can you share the authorization profile and policies? Take the configuration help from below:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Venkatesh Attuluri
Cisco Employee

Check the ACL on the WLC, "ACL-WEBAUTH_REDIRECT", configured for redirection.

Charlie Moreton
Cisco Employee

Yes, you have to.

Ensure that you configure the switchport connected to the WLC as a trunk:

interface GigabitEthernet0/23
 description wlc
 switchport trunk encapsulation dot1q
 switchport mode trunk

Also ensure that the VLANs used have the ip helper address pointing to the DHCP Server:

interface Vlan50
 description GUEST
 ip address 10.1.50.1 255.255.255.0
 ip helper-address 10.1.100.10

 

Whichever ACLs you reference on your ISE must exist on your WLC:

These are the first steps to proper redirection.

Be sure to check the Admin Guide for further guidance:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0100001.html

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton
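
The two switch-side checks from the reply above (WLC uplink configured as a trunk, client VLAN interfaces carrying an `ip helper-address`) can be run against a saved running-config. This is an added example, not part of the original thread and not Cisco code; the function names and the `Vlan60` interface are constructed for illustration.

```python
import re

# Constructed sample running-config, modelled on the snippets in the reply above.
# Vlan60 is a hypothetical SVI added here to show a failing case.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/23
 description wlc
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan50
 description GUEST
 ip address 10.1.50.1 255.255.255.0
 ip helper-address 10.1.100.10
!
interface Vlan60
 ip address 10.1.60.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # left the interface block
    return interfaces

def audit(config, wlc_port, client_vlans):
    """List findings for the WLC uplink and the client-facing SVIs."""
    ifaces, findings = parse_interfaces(config), []
    port = ifaces.get(wlc_port)
    if port is None:
        findings.append(f"{wlc_port}: interface not found")
    elif "switchport mode trunk" not in port:
        findings.append(f"{wlc_port}: not configured as a trunk")
    for vlan in client_vlans:
        svi = ifaces.get(f"Vlan{vlan}")
        if svi is None:
            findings.append(f"Vlan{vlan}: SVI not found")
        elif not any(c.startswith("ip helper-address ") for c in svi):
            findings.append(f"Vlan{vlan}: no ip helper-address for DHCP relay")
    return findings

print(audit(SAMPLE_CONFIG, "GigabitEthernet0/23", [50, 60]))
```
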

 

I have managed to set up Cisco ISE and redirection is working fine, but my problem is to separate guest traffic from the corporate traffic. Here is a brief scenario of what I have running:

  • The Layer 3 switch has only fiber ports.
  • All the switches connect to the core switch (L3), and access points are distributed to all the switches that are in various parts of the building.
  • The WLC connects to the core switch.
  • Everything is in the default VLAN 1.
  • The internal WLAN is being authenticated by Active Directory in the DHCP server, which is also providing DHCP services (this is before ISE was introduced).
  • The ISE server is the RADIUS server.

This is what I have been trying to do:

  • I have configured another VLAN (20) for the guest WLAN and configured a sub-interface on the router for it.
  • I have configured the router as the DHCP server for VLAN 20, tested it, and it is working fine.
  • When I put the guest WLAN in the guest VLAN on the controller, redirection ceases to occur even if I put the ISE server in this VLAN.

Here are my questions:

  • Can I restrict guests from accessing my corporate network via an access-list?
  • Do I need to change the native VLAN?
  • Or what can I do to make this scenario work in such a way that the internal WLAN is authenticated by the AD and the guest VLAN is authenticated by ISE, and restrict guests from accessing the internal network?

I have attached a picture of what my topology looks like.

Thanks

 

 
