ISE CWA Flow Validation

tolarosa@cisco.com (Cisco Employee)

Hi Team,

I'm working on an ISE POC with a customer and we ran into an issue with ISE CWA on switches without SVIs in the Data/Access VLANs. The customer is using an ASA as their default GW for all VLANs, so every VLAN needs to go through policy for communication. I have put together the attached flow based on information I have read, but would like to verify this is correct and that I'm not missing anything. Due to the asymmetry of how URL Redirection works, I can see how this will cause a problem with firewalls. I have also added some alternative designs in the image. Are there any best practice designs for this type of scenario? Also, is this flow accurate?

ISE CWA Flow_Access Switch WO SVI.jpg

Accepted Solution

Craig Hyps (Level 10)

Summation is correct, and yes, we have seen customers hit this issue when the default GW is a firewall, due to the reasons noted.

I have also posted a number of flows here: ISE Auth-Feature Flows_v1.pdf. A similar scenario is highlighted in an "oldie but goody" guide, IBNS: Web Authentication Deployment and Configuration Guide - Cisco, in the section titled "TCP Traffic Flow for Login Page When No Layer 3 SVI for Host VLAN Exists on Access Switch". This older guide is talking about local web auth, but the redirection concepts are the same.
