Cisco WLC Wired Guest using Guest Anchor and ISE as CWA

babai
Level 1

Hi All

I am trying to find out if it's possible to use the Cisco WLC Wired Guest Solution with ISE as CWA. The Wired Guest Solution on WLC fits well within organizations who would not like to extend a DMZ (guest) VLAN into their Corporate LAN, but I am not sure if this solution could be used with Cisco Identity Services Engine for CWA.

If this is possible, please could anyone share some configuration.

Thanks in advance

9 Replies

Francesco Molino
VIP Alumni

Hi

Yes, you can have CWA working with an anchor WLC.

Take a look at this documentation:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11

All config, like SSID and ACL, must be the same on both WLCs. The foreign one is the one talking with ISE.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco

My issue is with WLC's Wired Guest feature with ISE as CWA.
The Wireless Anchor CWA with ISE is working, but it's the Wired Guest feature on WLCs which I want to integrate with ISE as CWA.

Thanks

Sorry, I misread.
Never done it that way for wired guest.
I can take a look at the documentation and try in my lab.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco

I would highly appreciate it.

Yeah no problem. Give me some time to review it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco

I would like to let you know that I have now been able to make it work to an extent in my lab.

Thanks

OK, nice. Thanks for letting me know.
Can you share your hints on this? I'll try it anyway in the lab.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco

Sure. There are no Cisco documents on this, and TAC came back today saying that this cannot be done. But I have it working. It's useful where customers don't want to extend the DMZ VLAN as layer 2 in their core.

1. Configure Wired Guest on Foreign and Anchor WLC and select RADIUS servers as AAA

2. Enable Web Auth as L3 Security

3. In my case I couldn't apply the pre-auth ACL via the GUI, as it was reverting back to None. So I added it via CLI.

Pre-auth ACL had DHCP, DNS and access to ISE, and deny the rest

4. I added the pre-auth ACL only on the Anchor

5. On Anchor, Security -> Web Auth -> Web Login page, select External and copy the URL from the ISE Portal Test URL for the Guest Portal.

6. Policy on ISE is Switch Web Auth for Authentication; select the Guest User Identities (Weekly, Daily and Contractor) in Authorization Policy and return PermitAccess.

7. Don't forget to enable HTTPS web auth redirect on the Guest Anchor
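
The pre-auth ACL from step 3 (DHCP, DNS, access to ISE, deny the rest), modelled as a first-match rule list and audited against the flows a wired guest can open before login. This is an added example, not part of the thread and not WLC configuration; the ISE address, portal port 8443, rule layout and sample flows are constructed assumptions, and only destination-side matching is modelled.

```python
import ipaddress
from collections import namedtuple

# action: permit/deny; proto: udp/tcp/any; dst: CIDR; ports: inclusive dst-port range
Rule = namedtuple("Rule", "action proto dst ports")

ISE_IP = "192.0.2.10"   # assumption: constructed ISE node address
PORTAL_PORT = 8443      # assumption: TCP port of the ISE guest portal

PREAUTH_ACL = [
    Rule("permit", "udp", "0.0.0.0/0", (67, 68)),                        # DHCP
    Rule("permit", "udp", "0.0.0.0/0", (53, 53)),                        # DNS
    Rule("permit", "tcp", ISE_IP + "/32", (PORTAL_PORT, PORTAL_PORT)),   # ISE portal
    Rule("deny", "any", "0.0.0.0/0", (0, 65535)),                        # deny the rest
]

# Constructed flows: (proto, destination IP, destination port, expected verdict)
FLOWS = [
    ("udp", "255.255.255.255", 67, "permit"),
    ("udp", "198.51.100.53", 53, "permit"),
    ("tcp", ISE_IP, PORTAL_PORT, "permit"),
    ("tcp", "203.0.113.80", 80, "deny"),
    ("tcp", "203.0.113.80", 443, "deny"),
    ("tcp", ISE_IP, 22, "deny"),
]

def evaluate(acl, proto, dst_ip, dport):
    """Return the action of the first matching rule; no match means deny."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if (rule.proto in ("any", proto)
                and addr in ipaddress.ip_network(rule.dst)
                and rule.ports[0] <= dport <= rule.ports[1]):
            return rule.action
    return "deny"

def audit(acl, flows=FLOWS):
    """List (flow, actual verdict) for every flow the ACL decides unexpectedly."""
    results = [(flow, evaluate(acl, *flow[:3])) for flow in flows]
    return [(flow, got) for flow, got in results if got != flow[3]]

if __name__ == "__main__":
    print("as described:", audit(PREAUTH_ACL))
    # Failure mode: the catch-all deny placed above the ISE rule shadows it.
    misordered = PREAUTH_ACL[:2] + [PREAUTH_ACL[3], PREAUTH_ACL[2]]
    print("deny above ISE rule:", audit(misordered))
```

An empty audit result means the rule list permits exactly DHCP, DNS and the portal; the misordered variant reports the portal flow as denied, which is the case where the guest never reaches the login page.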