
Guest User caching ISE LWA


Hello all,


I am very familiar with Cisco WLC and ISE CWA, but my customer requested installing an ISE-based guest network with Forti WLAN. Forti mentioned that they don't support CWA and CoA, so I am looking at LWA.

I know how to cache guest access with CWA (register the MAC and write an authorization rule for the MAC group).


My general question is:

Does anyone have an idea if it is possible to cache the guest accounts with LWA when no "sleeping client" feature is available in the wireless infrastructure?

My worry is that the wireless infrastructure intercepts the HTTP request anyway, so I don't have the chance to NOT redirect an already authenticated guest:

LWA Process with the ISE Guest Portal

  1. The browser tries to fetch a web page.
  2. The WLC intercepts the HTTP(S) request and redirects it to the ISE.
    Several key pieces of information are stored in that HTTP redirect header. Here is an example of the redirect URL:
    From the example URL, you can see that the user tried to reach "" The URL also contains information about the Wireless Local Area Network (WLAN) name (mlatosie_LWA), and the client and access point (AP) MAC addresses. In the example URL, is the WLC, and is the ISE server.
  3. The user is presented with the ISE guest login page and enters the username and password.
  4. The ISE performs authentication against its configured identity sequence.
  5. The browser redirects again. This time, it submits credentials to the WLC. The browser provides the username and password that the user entered in the ISE without any additional interaction from the user. Here is an example GET request to the WLC.
    GET /login.html?redirect_url=
    Again, the original URL (, the username (, and the password (ityh) are all included.

    Note: Although the URL is visible here, the actual request is submitted over Secure Sockets Layer (SSL), which is indicated by HTTPS, and is hard to intercept.

  6. The WLC uses RADIUS in order to authenticate that username and password against the ISE and allows access.
  7. The user is redirected to the specified portal. Refer to the "Configure external ISE as the webauth URL" section of this document for more information.


Any ideas/advice?


Many thanks


