I have a little bit of a complex dilemma in an ISE deployment and I am trying to learn more about how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for "multiple users"; hence why it is a problem I am trying to solve with CWA.
Cisco ISE VM running 184.108.40.206
WLC 5508 running 220.127.116.11
AP 3602I running 18.104.22.168 / IOS 15.2(2)JB$
iPod Touch version 6.1.3(10B329)
- User authenticates to SSID that is 802.1X WPA2 AES
- Machine is checked by having a valid cert issued by the CA and is given access to ISE CWA
- User opens their browser
- WLC redirects them to ISE CWA
- User provides credentials on the portal
- User is CoA'd to full-access network
Rules: NSP is a limited profiling access network. CWA is a limited access network with redirect to central web auth on ISE. Standard rules 2 & 3 (which are disabled in this screenshot) are the rules that prove the CWA works on an open SSID.
I have gotten the CWA to work great on an open SSID; however, when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told by a Cisco NCE who specializes in ISE that this "may" or "may not" work, but not given an explanation as to why or why not. And if it's not possible, why not?
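The redirect step in the flow above is driven entirely by what ISE returns to the WLC in the RADIUS Access-Accept, and the final step by a RADIUS CoA-Request (RFC 5176). The following script is an added example, not code from the post, from ISE or from Cisco; it builds the two messages the way a RADIUS server would, then parses them back the way a NAS would, so you can see exactly which Cisco AV pairs carry the redirect (`url-redirect-acl`, which names an ACL that must already exist on the WLC under that exact name, and `url-redirect`, the portal URL) and how the WLC validates a CoA before acting on it. The shared secret, MAC address, session IDs, hostname and portal name are constructed values, and the portal URL layout is an assumption that varies by ISE version.

```python
import hashlib
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
ACCESS_ACCEPT = 2
COA_REQUEST = 43

# Standard attribute types
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31

CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor-type 1 = cisco-avpair ("key=value" strings)


def avp(attr_type, value):
    """Encode one standard RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific (26) attribute."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_packet(code, identifier, attrs, secret, request_auth=None):
    """Assemble a RADIUS packet with the correct Authenticator.
    Access-Accept: MD5(Code+ID+Length+RequestAuthenticator+Attrs+Secret).
    CoA-Request:   MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    seed = request_auth if request_auth is not None else bytes(16)
    authenticator = hashlib.md5(header + seed + body + secret).digest()
    return header + authenticator + body


def cwa_access_accept(identifier, request_auth, secret, mac, session_id,
                      ise_host, portal_id, redirect_acl="CWA_REDIRECT"):
    """What ISE returns for the 'CWA' authorization profile: a limited
    session plus the two AV pairs that make the WLC redirect HTTP to the portal."""
    # Assumed portal URL shape; the real layout depends on the ISE release.
    portal_url = (f"https://{ise_host}:8443/portal/gateway?"
                  f"sessionId={session_id}&portal={portal_id}&action=cwa")
    attrs = [
        avp(ATTR_CALLING_STATION_ID, mac.encode()),
        cisco_avpair(f"url-redirect-acl={redirect_acl}"),
        cisco_avpair(f"url-redirect={portal_url}"),
    ]
    return build_packet(ACCESS_ACCEPT, identifier, attrs, secret, request_auth)


def coa_reauthenticate(identifier, secret, mac, audit_session_id):
    """The CoA ISE sends after the portal login so the WLC re-authorizes the
    session and the next Access-Accept grants full access."""
    attrs = [
        avp(ATTR_CALLING_STATION_ID, mac.encode()),
        cisco_avpair(f"audit-session-id={audit_session_id}"),
        cisco_avpair("subscriber:command=reauthenticate"),
        cisco_avpair("subscriber:reauthenticate-type=last"),
    ]
    return build_packet(COA_REQUEST, identifier, attrs, secret)


def parse_packet(raw):
    """Decode header and attributes; Cisco VSAs come back as their text."""
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = raw[pos], raw[pos + 1]
        v = raw[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0]
            vt, vl = v[4], v[5]
            attrs.append(("vsa", vendor, vt, v[6:4 + vl].decode()))
        else:
            attrs.append(("attr", t, v))
        pos += l
    return code, identifier, raw[4:20], attrs


def redirect_attributes(raw):
    """Extract the url-redirect* AV pairs the WLC acts on, as a dict."""
    result = {}
    for a in parse_packet(raw)[3]:
        if a[0] == "vsa" and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR:
            key, _, value = a[3].partition("=")
            if key.startswith("url-redirect"):
                result[key] = value
    return result


def verify_coa_authenticator(raw, secret):
    """The check a NAS performs before honoring a CoA-Request: recompute the
    Request Authenticator over the packet with a zeroed authenticator field."""
    header, auth, body = raw[:4], raw[4:20], raw[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth
```

Whether the WLAN is open or 802.1X, these attributes are the same; the WLC can only redirect if the ACL named in `url-redirect-acl` exists on the controller and the redirect URL is one the limited-access ACL lets the client reach, which is why checking the exact AV pairs in the ISE live log for the EAP-TLS session is a sensible first step.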