03-29-2013 09:17 AM - edited 03-10-2019 08:14 PM
Hello everyone!
I have a little bit of a complex dilemma in an ISE deployment and I am trying to learn more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
Hardware:
Cisco ISE VM running 1.1.3.124
WLC 5508 running 7.4.100.0
AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
iPod Touch version 6.1.3(10B329)
Scenario:
Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to central web auth on ISE. Standard rules 2 & 3 (which are disabled in this screenshot) are the rules that prove the CWA works on an open SSID.
I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
Thank you in advance!
--------------------------------------------------------------------------------
Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting: