
Wireless guest in an SD Access network

KevinR99
Level 1

Hi

I’ve been testing guest wireless using CWA in an SD Access network.  When I configure the SSID as a standard over the top deployment and tunnel the traffic back to the WLC all is ok.  However, when I change my SSID to fabric mode redirection to the ISE portal doesn’t work.

I’ve been thinking about the process involved and redirection relies on an ACL on the WLC.  Since fabric mode offloads the data at the edge switch that the AP is connected to I’m thinking the WLC doesn’t see that traffic and get a chance to use the WLC to intercept the traffic and cause a redirect to the ISE.

Can anyone advise if CWA can work in a fabric mode SSID?

Thanks, Kev.

4 Replies

Greg Gibbs
Cisco Employee

Unless I'm mistaken, I think the RADIUS + Redirect flow would happen in the CAPWAP Control Plane. The redirect URL and ACL would be sent from the WLC to the Fabric AP. At the point where the client needs to access the portal, that would be using the VXLAN Data Plane.

If you haven't done so already, you might confirm that whatever VLAN/VN you are dropping the client onto as defined in the AuthZ Profile has routing and connectivity to the PSN Portal.

All else fails, you might have to open a TAC case to investigate further and confirm the flow.

Boort
Level 1

Sounds like your APs are missing the redirect ACLs. The way this is done in a fabric mode deployment is to add the redirect ACLs to the default FlexConnect profile or whichever profile you have assigned. Even though you are not using FlexConnect it will still get pushed to the AP.

Thank you Boort.  I've made some progress.  My wireless client is now attempting to be redirected.

Still some work to do but progress is being made.

Great! Glad to help. Are there still problems getting the client authenticated?