Showing results for 
Search instead for 
Did you mean: 

ISE - EAP-TLS and then webAuth?

Matthew Hines

Hello everyone!

I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.


Cisco ISE VM running

WLC 5508 running

AP 3602I running / IOS 15.2(2)JB$

iPod Touch version 6.1.3(10B329)


  • •- User Authenticates to SSID that is 802.1x WPA2 AES,
  • •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  • •- User open’s their browser
  • •- WLC redirects them to ISE CWA
  • •- User provides credentials on the portal
  • •- User to CoA’d to full access network

authorization rules.PNG

Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.

I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?

Thank you in advance!


live auth.PNG

Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.

I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:1st client detail.PNG

2nd client detail.PNG

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers