External webauth with flexconnect

Kasper Roholt
Level 1

Hi

Trying to use ISE (1.1) as an external webauth within a flexconnect/h-reap setup (WLC: 7.2.103)... Can't get it to work. After a lot of testing/troubleshooting, found this: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#webauth

That says: "External web Authentication is only supported on a centrally switched WLAN"

Can anyone explain why/how this should be an issue? Anyone got it to work?

BG

Kasper

2 Replies

Stephen Rodriguez
Cisco Employee

It has to do with the traffic flow. For external webauth you need the pre-auth ACL configured allowing the client to reach the ISE. But the WLC doesn't have that control if the guest traffic is going to be locally switched.

Steve


Hi Stephen,

Can you please explain the traffic flow for an HREAP AP with an SSID which is webauth configured and local switching enabled? This is how I see it:

1. client sends DHCP request and gets IP on locally defined VLAN on the HREAP AP

during this, the controller gets to know of the client association via the CAPWAP control message from the HREAP AP

2. Client opens browser and enters website address (google.com) and gets the controller webauth login page

is this step happening in the CAPWAP tunnel or outside it? the TCP communication between client and WLC

3. Client enters username and password for webauth

but the WLC virtual IP is not routed anywhere, so how will the username and password reach the WLC? (through the CAPWAP tunnel?)

4. controller checks the username/password, either locally defined or can be on a NAC guest server or ISE?

if the username/password reaches the controller, it should be able to verify the credentials with an external entity like NGS or ISE?

regards

Joe
