10-22-2012 12:56 PM - edited 03-10-2019 07:42 PM
My desired flow is:
Guest SSID - Open Access.
If WebAuths as a Guest User, apply ACL-GUEST-ACCESS and stop
If webauths as a user that is a member of AD group X, go to client provisioning portal.
I've tried using CWA, and I get "We are unable to determine access privileges in order to access the network. Please contact your administrator."
Since the 4400 and 2100 WLCs are supported for ISE using LWA only (no CWA support), I think this is why.
The below log appears in the authentications screen: (not very helpful, is it?)
So I think I need to do an AuthZ rule resulting in a profile using webauth against the provisioning portal, not CWA? If so, I can't seem to wrap my head around a workable rule to match this. Any hints on making this work? All the TrustSec 2.0 and 2.1 docs center around CWA only.
10-30-2012 07:11 PM
When you use LWA (Local Web Authentication), the NAD device (switch, wireless LAN controller, etc.) is providing the Web Authentication Services. For example, on the WLC, clients get redirected to the built-in WebAuth Guest page. As a result, the clients will never reach ISE for them to utilize the web services (web auth, device registration, provisioning, etc.). You will need to run version 7.2 and above on your WLC and use CWA. I hope this makes sense.
Thank you for rating!
05-22-2013 02:31 AM
Kindly review the below link:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html