cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2205
Views
0
Helpful
3
Replies

LWA Guest Access with ISE and WLC

Hi guys,

Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :

1. Guests try to connect wifi with SSID Guest

2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)

3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :

https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/

)

4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"

oke1.png

5. After that the Guest Login Page will appear, and guests input their username and password.

oke2.png

6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.

The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.

oke3.png

I know it happened when guests didn't have the WLC Login Page Certificate...

My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?

Thx 4 your answer and sorry for my bad English....

Everyone's tags (7)
1 ACCEPTED SOLUTION

Accepted Solutions
Contributor

LWA Guest Access with ISE and WLC

Don't mix WLC Local Web Authentication with ISE Guest Portal. Choose either one or the other. I would suggest Guest Portal + WLC CWA.

3 REPLIES 3
Contributor

LWA Guest Access with ISE and WLC

Don't mix WLC Local Web Authentication with ISE Guest Portal. Choose either one or the other. I would suggest Guest Portal + WLC CWA.

Re: LWA Guest Access with ISE and WLC

Thx for your reply Peter, your solution is right,

i don't choose CWA, because their DNS is not stable...

i've found the problem...

the third-party CA is revoked, so there is no way it will success until it fixed...

and there is no guarantee, they will fix it soon..

so solution that we choose is by disable "HTTPS" on WLC...

"config network web-auth secureweb disable".

"config network web-auth secureweb disable".

"config network web-auth secureweb disable".

"config network web-auth secureweb disable".

"config network web-auth secureweb disable"

thank you all...

Cisco Employee

LWA Guest Access with ISE and WLC

I would recommend that you get yourself a new certificate instead of disabling HTTPS. You can get a new public cert pretty cheap from godaddy, etc. That way your credentials are not passed unprotected.