cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

1191
Views
0
Helpful
2
Replies
Highlighted
Beginner

External webauth with flexconnect

Hi

Trying to use ise (1.1) as an external webauth within a flexconnect/h-reap setup (WLC:7.2.103)... Can't get it to work.. After a lot of testing/troubleshooting found this: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#webauth

That says: "External web Authentication is only supported on a centrally switched WLAN"

Anyone can explain why/how this should be an issue....Anypne got it to work?

BG

Kasper

2 REPLIES 2

Re: External webauth with flexconnect

It has to do with the traffic flow. For external webauth you need the pre-auth acl configured allowing the client to reach the ISE. But the WLC doesn't have that control of the guest traffic is going to be locally switched.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Beginner

External webauth with flexconnect

hi Stephen,

  Can you please explain the traffic flow for HREAP AP with an SSID which is webauth configured and local switching enabled ? This is how i see it :

1. client sends DHCP request and gets IP on locally defined VLAN on the HREAP AP

during this, the controller get to know of the client association via the CAPWAP control message from HREAP AP

2. Client opens browser and enter website address (google.com) and gets the controller webauth login page

is this step  happening in the capwap tunnel or outside it ? the TCP communication between client and WLC

3. Client enters username and password for webauth

but the wlc virtual IP is not routed anywhere, so how will the username and password reach the wlc ? (through the capwap tunnel ? )

4. controller checks the username/password eiither locally defined or can be on a nac guest server or ISE ?

if the username/password reaches the controller, it should be able to verify the credentials wtih an external entity like NGS oR ISE ?

regards

Joe

CreatePlease to create content
Content for Community-Ad

August's Community Spotlight Awards