01-14-2013 10:58 AM - edited 03-10-2019 07:58 PM
Hi all,
I have a few questions regarding WebAuth or Guest access with ISE. I have set up a guest portal to do CWA and use the ISE guest portal as the redirect page.
I'm using ISE 1.1.2 and WLC version 7.3.101
1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate, but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.
How can I fix this issue? What am I missing?
2- Can we install a 3rd party certificate on ISE like the WLC to get rid of the certificate issue?
3- In a redundant scenario with ISE, how do I set up my WLC to redirect to the backup ISE server if the primary ISE fails? Is it possible?
4- Finally, what is the best design? Use Central Web Auth with WLC internal splash page? OR full CWA with ISE guest portal?
Thanks
SR
01-14-2013 06:48 PM
Hi,
Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow DNS and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use MAC filtering as your L2 authentication.
This will help in your redundant scenario so that when one ISE goes down the second ISE can send the CWA over to it.
As far as certs, if you are using mobile devices you may want to consider 3rd party certs.
Let me know if that helps.
Tarik Admani
*Please rate helpful posts*
01-15-2013 07:51 PM
The same problem occurs here: it does not work when I use the Google browser, but with Internet Explorer everything is fine because the option to accept the two certificates of the ISE and the WLC appears.
And there is no problem with the ACL; it already exists for the release and works fine in other browsers.
I wonder if this problem can be solved without using a CA, as it occurs in the visitors' network.
01-16-2013 05:27 AM
Hi Tarik,
This is a good idea. I will try it.
Is there any special configuration for the failover in the rules?
Thanks
01-16-2013 07:29 AM
For the most part the policy servers are seen as standalone. If you place them in a node group, they use multicast to sync their sessions so that if one of the nodes goes down, the peer will send a CoA to have the users re-authenticate over to it.
Thanks,
Tarik Admani
*Please rate helpful posts*
05-20-2013 12:27 PM
Please review the compatibility matrix link along with the ISE CWA link, which might be helpful:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
09-12-2013 02:38 AM
Central Web Authentication (CWA) for guests with ISE: