02-15-2012 10:32 PM - edited 03-10-2019 06:49 PM
Hello, I'm currently deploying a POC for Central Web Authentication with the new 7.2 Wireless LAN Controller code.
I'm aware of the differences between LWA and CWA in Catalyst Switches, but I'm having trouble grasping how to configure the CWA on the WLC for wireless guests with open web auth.
For LWA I did get:
1- User opens browser
2- WLC redirects user to ISE Guest page
3- ISE Guest page sends username/password to WLC.
4- WLC does a RADIUS PAP request to ISE in order to authenticate user.
5- ISE authenticates (or not) and send Access-Accept to WLC
6- WLC lets user go through.
For CWA the way I see it, it should be:
1- User opens browser
2- WLC redirects user to ISE Guest page
3- ISE Guest page processes username/password internally
4- ISE authenticates (or not) and sends Access-Accept to WLC
5- WLC lets user go through.
The way I see it, we should define the WLAN's L3 security policy as web auth, with no L2 security. The question is how to configure the controller so that ISE doesn't just serve as an external web server, with the WLC waiting for a username/password from that external web server as it would with LWA, but instead just gets an Access-Accept from ISE.
For the moment LWA is more intuitive given the WLC philosophy of operation. I'm not really seeing how/where to configure 7.2 code to just expect an access-accept from ISE.
Can anybody enlighten me on how this should be configured/work?
Any insight is very much appreciated.
Thanks
Gustavo Novais
05-21-2012 02:58 AM
Hi Brian,
Complementing Nicolas Darchis' idea:
On the SSID Security settings, set Open Authentication and check the MAC Filtering box; do NOT check any type of L3 authentication.
Then define your RADIUS/ISE servers (enable support for RFC 5734 when defining them) on the SSID, and on the Advanced tab of the SSID enable RADIUS NAC (and AAA override too).
It is exactly the same thing as when you do RADIUS-based MAC authentication, except in this case the RADIUS server will reply with an Access-Accept plus a few attributes (namely airespace-acl/vlan/url-redirect).
On the ISE, you'll need to match service type: call-check (MAB) RADIUS authentication in order to match requests coming from WLC CWA.
Then the order will be the exact same as for a switch:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1112855
I needed to put the redirect access-list referenced on ISE CWA, statically on the WLC as a pre-auth ACL (you'll need to define it statically on the WLC - security access-lists).
Nicolas, I've seen the TrustSec design guide 2.0, but no CWA on wireless was included... do you have any idea if it will be in TrustSec 2.1?
Thanks & Regards
Gustavo
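The WLC side of the procedure in the post above, written out as an AireOS CLI fragment. This is an added example, not configuration from the thread or from Cisco; the WLAN ID (2), SSID name, RADIUS server index (1), the ISE address 10.10.10.5, the shared secret placeholder and the ACL name CWA-REDIRECT are all assumed values, and the lines starting with "!" are annotations rather than WLC syntax. It does what the post describes: open authentication with MAC filtering and no L3 web auth, the ISE server defined with CoA support (what AireOS labels RFC 3576 support), RADIUS NAC and AAA override on the WLAN, and the redirect ACL that ISE names in its url-redirect-acl attribute created statically on the controller.

```text
! --- RADIUS authentication/accounting server (ISE), with CoA support ---
! replace <shared-secret> with the secret configured on ISE for this WLC
config radius auth add 1 10.10.10.5 1812 ascii <shared-secret>
config radius auth rfc3576 enable 1
config radius acct add 1 10.10.10.5 1813 ascii <shared-secret>

! --- guest WLAN: open + MAC filtering, no L3 web auth on the WLC ---
config wlan create 2 CWA-Guest CWA-Guest
config wlan security wpa disable 2
config wlan security web-auth disable 2
config wlan mac-filtering enable 2
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1
! Advanced tab: RADIUS NAC state + allow AAA override
config wlan nac radius enable 2
config wlan aaa-override enable 2

! --- redirect ACL, defined locally under Security > Access Control Lists ---
! On AireOS the sense is: traffic PERMITTED by this ACL bypasses the redirect
! (DNS and the ISE portal itself); everything else is intercepted and sent to
! the url-redirect ISE returned in the Access-Accept.
config acl create CWA-REDIRECT
! rule 1/2: DNS (UDP 53) in both directions
config acl rule add CWA-REDIRECT 1
config acl rule protocol CWA-REDIRECT 1 17
config acl rule destination port range CWA-REDIRECT 1 53 53
config acl rule direction CWA-REDIRECT 1 in
config acl rule action CWA-REDIRECT 1 permit
config acl rule add CWA-REDIRECT 2
config acl rule protocol CWA-REDIRECT 2 17
config acl rule source port range CWA-REDIRECT 2 53 53
config acl rule direction CWA-REDIRECT 2 out
config acl rule action CWA-REDIRECT 2 permit
! rule 3/4: the ISE guest portal (TCP 8443 on the ISE PSN) in both directions
config acl rule add CWA-REDIRECT 3
config acl rule protocol CWA-REDIRECT 3 6
config acl rule destination address CWA-REDIRECT 3 10.10.10.5 255.255.255.255
config acl rule destination port range CWA-REDIRECT 3 8443 8443
config acl rule direction CWA-REDIRECT 3 in
config acl rule action CWA-REDIRECT 3 permit
config acl rule add CWA-REDIRECT 4
config acl rule protocol CWA-REDIRECT 4 6
config acl rule source address CWA-REDIRECT 4 10.10.10.5 255.255.255.255
config acl rule source port range CWA-REDIRECT 4 8443 8443
config acl rule direction CWA-REDIRECT 4 out
config acl rule action CWA-REDIRECT 4 permit
config acl apply CWA-REDIRECT

config wlan enable 2
```

On the ISE side the matching authorization profile (the one hit by the Service-Type Call Check / MAB request the post mentions) returns the two cisco-av-pair values url-redirect-acl=CWA-REDIRECT and url-redirect=https://10.10.10.5:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa, the latter being what ISE 1.x generates when the profile's Web Authentication option is set to Centralized; the ACL name must match the one created above character for character, since the WLC only looks it up locally. After the portal login ISE sends a CoA and the second authorization returns the airespace-acl or VLAN for the authorized guest, which is why the CoA support and AAA override above are required rather than optional.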
05-24-2012 02:00 PM
Thanks Gustavo! I wasn't allowing wireless MAB. It is working now.
05-01-2013 05:40 PM
Hello,
Please check the link below; this document might help you with this.
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml