Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5879
Views
5
Helpful
33
Replies

WiSM2 - ISE Central Web Authentication - Redirection ACL does not work for Guest Access

Joana Manzano
Level 1
Level 1

‎04-16-2014 08:51 AM - edited ‎03-10-2019 09:38 PM

Hi

I am using these devices to setup Central Web Authentication for Guest Wireless:

 

  1. WiSM2 - 7.6.110.0: Foreing Controller.
  2. WLC 5760 - 03.03.01SE: Anchor Controller.
  3. Cisco ISE 1.1.X


Mobility is UP between controllers. Clients can connect to GUEST SSID, get an IP address but they are never redirected to Cisco ISE Guest Portal for Authentication. Instead of going to ISE Web Portal, they can talk straight to the Internet bypassing any authentication.

I think the Pre-Auth ACL specified in the ISE Authorization Profile is not properly applied to the Clients so they are not restricted to talk to the Internet.
 

This is my configuration:

WiSM2:


1. Radius:


 

2. WLAN GUEST - WLAN ID 2:
 
 


 
3. ACLs:


3.1 Unknown - Pre-Auth ACL that permits traffic to ISE.


 
3.2 Compliant - User sucessfully authenticated: 


3.3 Non-compliant - User is not allowed. 


4. Controller:


 

 

WLC ANCHOR 5760:


aaa new-model
aaa group server radius ISE
 server name ise

aaa authentication dot1x ise_webauth group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization credential-download ise_webauth group ISE

aaa server radius dynamic-author
 client '10.X.X.X (ISE IP Address)' server-key 7 1363D3AC00070D3E773B27E70A
 auth-type any

ip access-list extended compliant
 permit ip any any
ip access-list extended non-compliant
 deny   ip any any
ip access-list extended unknown
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   ip any host '10.X.X.X'(ISE IP address)
 deny   ip any host '10.X.X.X'(DHCP Server IP Address)
 permit tcp any any eq www
 permit tcp any any eq 443
!

radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only

radius server ise
 address ipv4 '10.X.X.X(ISE IP address)' auth-port 1812 acct-port 1813
 key 7 033771233103226B5B5A0A113C4112
!

wireless mobility controller
wireless mobility group member ip '10.X.X.X WiSM2 Ip Address' public-ip '10.X.X.X WiSM2 Ip Address' group GUEST
wireless mobility group name GUEST
wireless mobility dscp 46

wlan GUEST 2 GUEST
 aaa-override
 client vlan 230
 ip dhcp opt82 format add-ssid
 ip dhcp server 10.X.X.X 
 mac-filtering cwa_macfilter
 mobility anchor
 nac
 peer-blocking drop
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list ise_webauth
 session-timeout 1800
 no shutdown

 

CISCO ISE:


1. Authorization Profiles:


 


I also configured: Airspace ACL Name = unknown. I am not sure if this is needed?? I have tried with/without this option.


2. Authentication:
 


3. Authorization:
 


 
4. Operations Authentication:
 


 

I never get the point where the profile is Compliant. It is always UnknownProfile/Pending.


Client:


WiSM2:
 


 

ANCHOR 5760:
 
Even the Policy Manager State is "CENTRAL_WEB_AUTH", ACL "unknown" (pre-auth ACL) is applied and Redirect URL is pointing to ISE Guest Portal, clients bypass authentication and can talk straight to the Internet. They are not redirected to Cisco ISE for authentication at any time.


I would appreciate some help to understand why the redirection part of the process is not working and why any client traffic is allowed.
 

Thank you very much.


Joana.

1 person had this problem
Labels:
0 Helpful
33 Replies 33

Ryan Coombs
Level 1
Level 1

‎05-10-2014 10:23 AM

Joana, Sorry I've been swamped at work. Email me at rcoombz@me.com. Let me know what time your available to setup a Webex we can go over your setup and compare it to mine. I know the Guest Portal can be frustrating.
0 Helpful

Joana Manzano
Level 1
Level 1

‎12-12-2014 06:52 AM

Hi,

It is being a while since I created this post, however I would like to add some information in case someone runs into the same problems.

There have been changes in our topology: we replaced the WiSM2 foreign WLC for a 8510 foreign WLC but we have maintained the 5760 Anchor Controller in the DMZ. However the redirection issue to ISE was still not working.

After opening a TAC case we got the scenario working running version 03.03.04SE in the 5760 Anchor Controller (rather than 03.03.01SE that was running from the beginning). This upgrade was everything needed to make the redirection to ISE working. So I am pretty sure the issue was not in the Foreign Controller configuration (either WiSM2 or 8510) or redirection ACLs configured, it was the version running in the 5760 Anchor Controller. 

These are the versions that we are running:

  1. 8510 WLC - 7.6.130.0: Foreing Controller. This is the most stable version that supports New Mobility for this controller.
  2. WLC 5760 - 03.03.04SE: Anchor Controller.
  3. Cisco ISE 1.1.X - We are running a very old version so any newer version should be fine as well.

 

I hope it helps.

 

Joana.

0 Helpful

Bart Slinger
Level 1
Level 1

‎12-12-2014 07:00 AM

Hi,

I was wondering if you have been able to solve this ?

0 Helpful

Joana Manzano
Level 1
Level 1
In response to Bart Slinger

‎12-12-2014 08:31 AM

Yes, see my latest post.

My configuration was right from the beginning. I had to upgrade the 5760 Anchor Controller from version 03.03.01SE to version 03.03.04SE to resolve the redirection issue.

Joana.

0 Helpful
Customers Also Viewed These Support Documents