ISE CWA WebAuth with WLC

sroberts
Level 1

Hi all,

I have a few questions regarding WebAuth or Guest access with ISE. I have set up a guest portal to do CWA and use ISE guest portal as the redirect page.

I'm using ISE 1.1.2 and WLC version 7.3.101

1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate, but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.

How can I fix this issue? What am I missing?

2- Can we install a 3rd party certificate on ISE like the WLC to get rid of the certificate issue?

3- In a redundant scenario with ISE, how do I set up my WLC to redirect to the backup ISE server if the primary ISE fails? Is it possible?

4- Finally, what is the best design? Use Central Web Auth with WLC internal splash page? OR full CWA with ISE guest portal?

Thanks

SR

6 Replies

Tarik Admani
VIP Alumni

Hi,

Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow DNS and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use MAC filtering as your L2 authentication.

This will help in your redundant scenario so that when one ISE goes down the second ISE can send the CWA over to it.

As far as certs, if you are using mobile devices you may want to consider 3rd party certs.

Let me know if that helps.

Tarik Admani
*Please rate helpful posts*

The same problem occurs here: when I use the Google browser it does not work, but with Internet Explorer everything is fine, because the option to accept the two certificates of the ISE and the WLC appears.

And the ACL is not a problem: it already exists for the release and works fine in other browsers.

I wonder if this problem can be solved without using a CA, as it occurs on the visitors' network.

Hi Tarik,

This is a good idea. I will try it.

Is there any special configuration for the failover in the rules?

Thanks

For the most part the policy servers are seen as standalone. If you place them in a node group, they use multicast to sync their sessions, so that if one of the nodes goes down, the peer will send COA to have the users re-authenticate over to it.

Thanks,

Tarik Admani
*Please rate helpful posts*

vikasyad
Level 1

Naveen Kumar
Level 4

Central Web Authentication (CWA) for guests with ISE:

https://supportforums.cisco.com/docs/DOC-26442
