LWA Guest Access with ISE and WLC

myanuary
Level 1

Hi guys,

Our company is trying to implement Guest Access with ISE and WLC using the Local Web Auth method, but there is a problem with the certificate. This is the scenario:

1. Guests try to connect to Wi-Fi with the SSID "Guest".

2. Once connected, guests open the browser and try to open a webpage (example: cisco.com).

3. Because the guests have not logged in, they are redirected to the "ISE Guest Login Page" (the URL becomes:

https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/

)

4. If the ISE Guest Login Page certificate is not installed, an "Untrusted Connection" message will appear, but it will be fine if they "Add Exception" and install the certificate.

[image: oke1.png]

5. After that the Guest Login Page will appear, and guests enter their username and password.

[image: oke2.png]

6. Login succeeds, they are redirected to www.cisco.com, and a pop-up from 1.1.1.1 (the WLC Virtual Interface IP) with a logout button appears.

The problem happens in step 6: after a successful login, a webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.

[image: oke3.png]

I know it happens when guests don't have the WLC Login Page certificate...

My question is: is there a way to tunnel the WLC certificate through ISE? Or what can we do to make ISE validate the WLC certificate, so that guests don't need to install the WLC certificate / root certificate before connecting to the Wi-Fi?

Thanks for your answer, and sorry for my bad English....
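The redirect chain in the scenario above has three hops the guest's browser must trust in turn: the ISE portal, the WLC virtual interface named in switch_url (where the credentials are posted), and the final redirect target. The following is an added example, not code from the thread or from Cisco; it uses only the Python standard library and takes the redirect URL quoted in step 3 as constructed sample input. It reports, per hop, whether the hop is HTTPS at all and, when it is, whether the host is an IP literal (the browser then needs an IP address SAN in the certificate, which is why the 1.1.1.1 virtual interface commonly produces a warning) and that the certificate must chain to a CA the guest device already trusts.

```python
from ipaddress import ip_address
from urllib.parse import urlparse, parse_qs

# Constructed sample input: the portal URL quoted in step 3 of the post.
SAMPLE_PORTAL_URL = (
    "https://ise-hostname:8443/guestportal/Login.action"
    "?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/"
)


def _is_ip_literal(host):
    """True when the host part of a URL is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def audit_hop(name, url):
    """Return findings describing what a guest's browser must trust to reach this URL."""
    findings = []
    # A bare "www.cisco.com/" (no scheme) is what the browser would fetch over plain HTTP.
    parsed = urlparse(url if "://" in url else "http://" + url)
    if parsed.scheme != "https":
        findings.append(
            f"{name}: served over {parsed.scheme}, not HTTPS; anything posted to it travels in the clear"
        )
        return findings
    host = parsed.hostname or ""
    if _is_ip_literal(host):
        findings.append(
            f"{name}: HTTPS to IP literal {host}; the certificate needs an IP SAN for {host} or the browser warns"
        )
    findings.append(
        f"{name}: certificate for {host} must chain to a CA the guest device already trusts"
    )
    return findings


def audit_lwa_redirect(portal_url):
    """Audit each hop of the LWA flow: ISE portal, WLC virtual interface (switch_url), then the redirect target."""
    parsed = urlparse(portal_url)
    params = parse_qs(parsed.query)
    report = {"portal": audit_hop("ISE portal", portal_url)}

    switch_url = params.get("switch_url", [None])[0]
    if switch_url is None:
        report["wlc"] = ["switch_url missing: cannot tell where the browser will post credentials"]
    else:
        report["wlc"] = audit_hop("WLC virtual interface", switch_url)

    redirect = params.get("redirect", [None])[0]
    report["redirect"] = audit_hop("post-login redirect", redirect) if redirect else []
    return report


def is_credential_hop_protected(portal_url):
    """True only when the hop that receives the username/password (switch_url) is HTTPS."""
    params = parse_qs(urlparse(portal_url).query)
    switch_url = params.get("switch_url", [None])[0]
    return switch_url is not None and urlparse(switch_url).scheme == "https"


if __name__ == "__main__":
    for hop, findings in audit_lwa_redirect(SAMPLE_PORTAL_URL).items():
        for line in findings:
            print(f"[{hop}] {line}")
    print("credential hop protected:", is_credential_hop_protected(SAMPLE_PORTAL_URL))
```

Running it against the quoted URL flags the WLC hop twice (IP literal, plus the CA-trust requirement that the original poster ran into); rewriting switch_url to http:// , which is the effect of turning off secure web-auth on the WLC, makes `is_credential_hop_protected` return False, which is the condition the last reply in the thread warns about.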

3 Replies

Peter Koltl
Level 7

Don't mix WLC Local Web Authentication with ISE Guest Portal. Choose either one or the other. I would suggest Guest Portal + WLC CWA.

Thanks for your reply, Peter. Your solution is right.

I didn't choose CWA because their DNS is not stable...

I've found the problem...

The third-party CA is revoked, so there is no way it will succeed until it is fixed...

and there is no guarantee they will fix it soon..

So the solution we chose is to disable HTTPS on the WLC:

"config network web-auth secureweb disable"

Thank you all...

I would recommend that you get yourself a new certificate instead of disabling HTTPS. You can get a new public cert pretty cheap from godaddy, etc. That way your credentials are not passed unprotected.
