LWA Support for Provisioning

zztopping
Level 4

My desired flow is:

Guest SSID - Open Access.

     If WebAuths as a Guest User, apply ACL-GUEST-ACCESS and stop

     If webauths as a user that is a member of AD group X, go to client provisioning portal.

I've tried using CWA, and I get "We are unable to determine access privileges in order to access the network. Please contact your administrator."

Since the 4400 and 2100 WLCs are supported for ISE using LWA only (no CWA support), I think this is why.

The below log appears in the authentications screen: (not very helpful, is it?)

So I think I need to do an AuthZ rule resulting in a profile using webauth against the provisioning portal, not CWA? If so, I can't seem to wrap my head around a workable rule to match this. Any hints on making this work? All the TrustSec 2.0 and 2.1 docs center around CWA only.

2 Replies

nspasov
Cisco Employee

When you use LWA (Local Web Authentication), the NAD device (switch, wireless LAN controller, etc.) is providing the Web Authentication Services. For example, on the WLC, clients get redirected to the built-in WebAuth Guest page. As a result, the clients will never reach ISE for them to utilize the web services (web auth, device registration, provisioning, etc.). You will need to run version 7.2 and above on your WLC and use CWA. I hope this makes sense.

Thank you for rating!

manjeets
Level 3