Problem: When connecting to the CWA SSID, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa
but the link times out.
I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442
Any thoughts or suggestions are appreciated.
Info: ISE 1.1.1 and vWLC 184.108.40.206 are installed on VMware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enabled, no layer 3 security. Allow AAA Override enabled. Radius NAC enabled.
Win7/iPad - - - AP----labswitch-----switch-----switch-----VMware
(Traffic does not pass through FW and there are no ACL on the switches.)
ACL on WLC:
Client on WLC
Can you see if DNS is working for the client?
Sent from Cisco Technical Support iPad App
I thought I might be hitting the bug mentioned in the following thread. https://supportforums.cisco.com/thread/2191587
Oddly enough, updating the vWLC to v220.127.116.11 did not resolve the problem. (ISE is v1.1.2)
I still cannot reach anything from the CWA WLAN unless I remove CWA.
Are you sending the Airespace ACL so the client can hit the ISE node with the DNS services allowed? Please provide the screenshots of the client session from the WLC. Also hover over the green button in the ISE live authentications portal and provide a screenshot of the RADIUS attributes that are sent back to the controller.
Sent from Cisco Technical Support Android App
I am having this exact issue as well. I followed the FlexConnect Wireless BYOD guide but I just time out getting the redirect page. I've even opened the ACL to any/any. The guide makes mention of sending a flex ACL as the CWA Airespace-ACL-Name but that does not appear right. Controller is on 7.4 and ISE 1.1.2.
Another test is to copy the redirect URL from the WLC and swap the domain name part in the URL for the ISE IP address, then paste it in the browser. Just to test without DNS and narrow down the troubleshooting.
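The DNS-versus-path test suggested in the post above, as an added example that is not part of the original thread: it rewrites the redirect URL to use the ISE IP and reports whether name resolution or the TCP path to the portal port is what fails. The function names and the ISE address `192.0.2.10` are assumptions (the thread does not give the ISE IP); run it from a client on the CWA WLAN.

```python
import socket
from urllib.parse import urlsplit, urlunsplit, parse_qs

def with_ip(url, ip):
    """Same redirect URL with the hostname swapped for the ISE IP."""
    parts = urlsplit(url)
    host = f"[{ip}]" if ":" in ip else ip          # bracket IPv6 literals
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit(parts._replace(netloc=netloc))

def diagnose(url, ise_ip, resolve=socket.gethostbyname,
             connect=socket.create_connection, timeout=3):
    """Classify a redirect timeout as 'path', 'dns', 'dns-mismatch' or 'ok'."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    session = parse_qs(parts.query).get("sessionId", [None])[0]
    try:
        resolved = resolve(parts.hostname)
    except OSError:                                 # gaierror is an OSError
        resolved = None
    try:
        connect((ise_ip, port), timeout).close()
        reachable = True
    except OSError:                                 # timeout, refused, no route
        reachable = False
    if not reachable:
        verdict = "path"          # portal port fails even by IP: ACL or routing
    elif resolved is None:
        verdict = "dns"           # port answers by IP, name does not resolve
    elif resolved != ise_ip:
        verdict = "dns-mismatch"  # name resolves, but not to the ISE node
    else:
        verdict = "ok"            # look elsewhere (certificate, portal config)
    return {"verdict": verdict, "port": port, "session_id": session,
            "resolved": resolved, "test_url": with_ip(url, ise_ip)}

if __name__ == "__main__":
    # Redirect URL from the first post; the ISE IP is a placeholder (assumption).
    URL = ("https://lab-ise01.lab.local:8443/guestportal/gateway"
           "?sessionId=3c02a8c00000000878430a51&action=cwa")
    print(diagnose(URL, "192.0.2.10"))
```

A `path` verdict points at the redirect ACL or routing between the client and ISE; `dns` or `dns-mismatch` points at the DNS permit entries or the record for the portal hostname.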
In line with this behaviour, I have a similar problem with the renewal of the IP address. In a similar scenario (ISE 1.1.2 + vWLC 7.3.101. + CWA + DVLAN assignment); for test purposes I need to use the AP in FlexConnect mode with central control and traffic data because vWLC does not support APs in local mode.
Applying CWA in an SSID with a "non-routed" interface and two interfaces for the two different profiles. The client passes the CWA profile in the "non-routed" subnet when redirected; after a successful web authentication ISE sends to the WLC the new attributes including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.
I use two rules for authentication
First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)
Second (this rule is above the first): Guest Traffic; condition "Network access: UseCase EQUALS GuestFlow" then "Guest Permit Access" (which includes the new VLAN assignment as a function of the role - new ACL assignment - Termination-Action=0)
The WLC shows me the data correctly: it changes the interface and the ACL, and changes the client status to RUN, but the client keeps the IP address belonging to the old VLAN (non-routed VLAN).
Could it be possible that this bug is hitting me?
Is there any RADIUS attribute to force a DHCP IP process for these devices?
Thanks in advance.
The client doesn't know that the WLC changed VLAN and is not asking for a new IP.
To get that you need to use the 802.1x supplicant on the client, hence it's better to only use ACL for MAB/guest flow.
On a switch you can bounce the port but I don't think there is a good way to do that on wireless.
It works only for Windows.
1. Click on "Administration" menu
2. Click on "Guest Management"
3. Click on "Settings"
4. Expand "Guest". Expand "Multi-Portal Configuration"
5. Click on "DefaultGuestPortal" or the name of a custom portal you may have created
6. Enable "Vlan DHCP Release".
Here is a link: https://supportforums.cisco.com/docs/DOC-18325