I am very familiar with Cisco WLC and ISE CWA, but my customer requested installing an ISE-based guest network with Forti WLAN. Forti mentioned that they don't support CWA and CoA, so I am looking at LWA.
I know how to cache guest access with CWA (register the MAC and write an authorization rule for the MAC group).
My general question is:
Does anyone have an idea if it is possible to cache the guest accounts with LWA when no "sleeping client" feature is available in the wireless infrastructure?
My worry is that the wireless infrastructure intercepts the HTTP request anyway, so I don't have the chance to NOT redirect an already authenticated guest.
The user is presented with the ISE guest login page and enters the username and password.
The ISE performs authentication against its configured identity sequence.
The browser redirects again. This time, it submits credentials to the WLC. The browser provides the username and password that the user entered in the ISE without any additional interaction from the user. Here is an example GET request to the WLC.
GET /login.html?redirect_url=http://yahoo.com/&username=mlatosie%40cisco.com&password=ityh&buttonClicked=4&err_flag=0
Again, the original URL (yahoo.com), the username (email@example.com), and the password (ityh) are all included.
Note: Although the URL is visible here, the actual request is submitted over Secure Sockets Layer (SSL), which is indicated by HTTPS, and is hard to intercept.
The WLC uses RADIUS in order to authenticate that username and password against the ISE and allows access.
The user is redirected to the specified portal. Refer to the "Configure external ISE as the webauth URL" section of this document for more information.
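Because the LWA hand-off quoted above carries the guest password as a GET query parameter, any component that records the full request URL after TLS is terminated will store it in clear text. The following is an added example, not part of the original post or the quoted Cisco document: a log scrubber that flags and redacts such parameters. The access-log line format, the sample lines, the extra parameter names and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# "password" is the parameter name in the GET request quoted above;
# the other names are assumed variants, not taken from the page.
SENSITIVE = {"password", "passwd", "pwd"}

# Request method followed by the request target, as in common access logs.
REQUEST_RE = re.compile(r"\b(GET|POST) (\S+)")

def redact_target(target):
    """Redact sensitive query values; leave every other byte untouched."""
    path, sep, query = target.partition("?")
    leaked, fields = [], []
    for field in query.split("&"):
        name, eq, value = field.partition("=")
        decoded = unquote_plus(name).lower()  # catches names like pass%77ord
        if decoded in SENSITIVE and value:
            leaked.append(decoded)
            field = f"{name}{eq}REDACTED"
        fields.append(field)
    return path + sep + "&".join(fields), leaked

def scrub_line(line):
    """Return (scrubbed_line, leaked_parameter_names) for one log line."""
    found = []
    def repl(match):
        target, leaked = redact_target(match.group(2))
        found.extend(leaked)
        return f"{match.group(1)} {target}"
    return REQUEST_RE.sub(repl, line), found

# Constructed sample log lines (assumed format); the first reuses the
# request from the quoted text, the second is the initial redirect.
SAMPLE_LOG = [
    '10.0.0.23 - - [01/Jan/2024:10:00:00 +0000] "GET /login.html?'
    'redirect_url=http://yahoo.com/&username=mlatosie%40cisco.com'
    '&password=ityh&buttonClicked=4&err_flag=0 HTTP/1.1" 200 512',
    '10.0.0.23 - - [01/Jan/2024:09:59:40 +0000] '
    '"GET /login.html?redirect_url=http://yahoo.com/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, leaked = scrub_line(raw)
        print("LEAK" if leaked else "ok  ", clean)
```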