Showing results for 
Search instead for 
Did you mean: 

How To: Using dCloud and ISE with a Mobility Express Controller



    The following document will enable you to add a Mobility Express Controller to your ISE instance in dCloud.


    You will need a dCloud ERK (Endpoint Router Kit) to be able to use the Mobility Express controller with the dCloud Mobility Deep Dive demo.


    This validation was done with the following models:



    The Secure Access Wizard does not provision the ME-Controller but could be used if you run the Secure Access Wizard Demo and then add the ME Controller to ISE with same WLANs. This hasn't been validated and we will not go through that in this document.


    Reference docs:

    Use the Configuring Cisco Mobility Express AP with ISE as a general configuration guide for Mobility express starting with 8.7 code

    The Cisco Mobility Express Deployment Guide shows how to convert AP to ME


    Connect your AP behind your dcloud Endpoint Router Kit or into a POE switch connected behind it. The POE port will need to be in the data plan associated with your demo


    if the AP is not setup as mobility express you will need to do the following:


    MAYBE Shut off your vWLC in dcloud so the ME doesn’t connect to it. You want your ME AP to be the controller.


    Connect to WKST1. Launch browser and download the ME controller files needed per the guide depending on your AP model and state. Mine was connected to my dcloud WLC so i had to do the following


    Download mobility express software for my AP 3800 (note 8.7 code is supported with ISE COA, URL redirect, etc)

    I  put the file in the TFTP64 directory which is the root


    Try to ping WKST1 TFTP64


    Convert your AP to be a controller

    ap-type mobility-express tftp://YOUR TFTP address/<filename of TAR file with path from root on the TFTP server>

    ap-type mobility-express tftp://


    When running the MEAP setup wizard

    username/password admin/C1sco12345

    management ip from DHCP

    management DHCP scope? unknown

    Setting up an SSID is just for basic setup and is not used with ISE - this doesn’t matter, just moving past the screen

    Employee network name: mymeap

    security ENTER for PSK

    key C1sco12345

    other stuff use defaults


    Now you should get a Cisco Controller prompt


    ping ise at

    This means management is able to get to ISE


    Add your controller to ISE in dCloud

    show interface summary

    the management IP comes from the data vlan for your dcloud demo


    Add ME controller to ISE

    WKST1 launch firefox and login to ISE

    Administration > Network Resources > Network Devices

    Add a network device

    Enter your AP management IP address

    Check the box to enable RADIUS Authentication Settings

    Enter shared secret C1sco12345

    Submit the page


    Launch another tab and connect to your MEAP https//ipaddress

    Login with admin creds

    Switch to expert View



    ISE IP Address


    Only do the guest portion to show its working

    need to copy the url from the WLC when setting up the WLAN

    example: me_cwa_acl_redirect_1


    Skip SECURE/BYOD network


    Need to modify the authorization profile for the guest policies using the

    Policy > Policy Elements > Results > Authorization > Authorization Profiles

    Duplicate the HOTSPOT_REDIRECT Profile and name it HOTSPOT_REDIRECT_ME

    under the Common Tasks > Web Redirection change the ACL to the same one found when you created your WLAN


    Also make sure your Value has a portal selected

    Hotspot Guest Portal (default)


    Submit the profile


    Navigate to Policy > Policy Sets > Guest Access > View the policy set

    Expand the authorization policy

    find the Hotspot Redirect and change the Results/Profiles to HOTSPOT_REDIRECT_ME

    Save the policy


    Save off your dCloud session. This can be used over and over again. If you move your mobility express controller behind another ERK then you will need to update your ISE Network Access Device with the new IP Address. This is because each dCloud router has their own private network



    CreatePlease to create content