10-30-2020 06:32 AM
Hi everyone,
I have one fabric subnet which I use only for ISE Certificate Provisioning. I have a WLAN with a related subnet. I want that, when people connect to this WLAN, their browsers pop up the ISE certificate provisioning page. I configured WLAN passthrough in L3 security, but when people associate to the WLAN they are getting redirected to https://192.168.0.1/XXXXXXX, which is the WLC's virtual interface, but it is not accessible. I wonder whether, since in a fabric network data traffic does not pass through the WLC, webauth won't work. If not, and it should work, please guide me on how to accomplish this.
BR,
Orkhan Rustamli
10-31-2020 04:23 AM - edited 10-31-2020 01:28 PM
I have setup something similar to this before without any issues.
Have you configured the ISE certificate provisioning portal with an FQDN and then set this FQDN as the External Web Auth URL under the Guest WLAN within DNA Center? Note that when you enter an FQDN as the Web Auth URL, DNAC should resolve this to an IP address which it then programs in the WLC Redirect ACL so you need to ensure that your internal DNS is setup correctly.
A few areas to note:
A Guest WLAN that is configured to use Web Policy with either Web Authentication or Web Passthrough (internal or external) is fully supported with fabric enabled wireless. Please see the Appendix in the SD-Access Wireless Design and Deployment guide for a list of supported SD-Access wireless features.
If you're using internal Web Authentication/Passthrough, the URL redirect to the WLC's internal web portal is initially centrally switched using CAPWAP. As a result, the wireless endpoint does not need to reach the WLC via the fabric. Once the wireless endpoint passes user authentication (or clicks accept if using Web Passthrough), the wireless traffic is then switched at the fabric AP/Edge using VXLAN encapsulation. If you're using external Web Authentication/Passthrough, all traffic is VXLAN encapsulated at the AP/Edge, so the wireless endpoint will need direct access to the external IP address that is hosting the web portal (as well as DNS for FQDN resolution). In your scenario, the wireless endpoint will need direct access to ISE to reach the certificate provisioning portal.
Can you check your configuration and make sure that the wireless endpoint IP pool/VN can reach the ISE IP address that is hosting the certificate provisioning portal? Can you also check that the WLC External Redirect ACL (that DNAC automates) has been configured with the correct ISE IP address?
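The two checks in the reply above (does the portal FQDN resolve from the client's VN, and does the redirect ACL permit the address it resolves to) can be done mechanically. The script below is an added example and is not code from the original thread, from Cisco or from DNA Center. The portal URL, the DNS answers and the ACL lines are constructed sample data, and the ACL syntax is a deliberately simplified stand-in for a WLC pre-authentication/redirect ACL (the real listing format differs); the point is the comparison between what clients resolve and what the ACL permits, which is where split-DNS or a stale DNAC-resolved address bites.

```python
"""Added example (not from the original post): check that a web-passthrough
portal FQDN, the client-side DNS answer for it, and the WLC redirect ACL
agree with each other.

Assumptions (not from the page): DNS answers are supplied as a dict so the
check runs offline, and the ACL text is a simplified, constructed format
of the form 'permit|deny <proto> any|host <ip> [eq <port>] any|host <ip> [eq <port>]'.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed: the URL configured as the External Web Auth URL.
PORTAL_URL = "https://ise-psn.example.com:8443/portal/CertProvPortal.action"

# Constructed: the DNS view as seen from the wireless client's VN.
DNS_VIEW = {"ise-psn.example.com": ["10.10.20.5"]}

# Constructed, simplified redirect ACL: DNS both ways plus the portal both ways.
REDIRECT_ACL = """
permit udp any eq 53 any
permit udp any any eq 53
permit tcp any host 10.10.20.5 eq 8443
permit tcp host 10.10.20.5 eq 8443 any
"""


def parse_portal(url):
    """Return (fqdn, port) for the portal URL, defaulting the port per scheme."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("portal URL must be http(s)://fqdn[:port]/...")
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def _endpoint(tokens):
    """Consume 'any' or 'host <ip>' plus an optional 'eq <port>' from tokens."""
    if tokens[0] == "any":
        host, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        host, tokens = ipaddress.ip_address(tokens[1]), tokens[2:]
    else:
        raise ValueError("unsupported endpoint spec: %r" % tokens)
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return host, port, tokens


def parse_acl(text):
    """Parse the simplified ACL into (action, proto, src, sport, dst, dport) tuples.
    None means 'any' for a host or port."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport, rest = _endpoint(rest)
        dst, dport, _ = _endpoint(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def check_redirect(url, dns_view, acl_text):
    """Return a list of findings; an empty list means FQDN, DNS and ACL line up."""
    fqdn, port = parse_portal(url)
    addrs = dns_view.get(fqdn, [])
    if not addrs:
        return ["%s does not resolve from the client VN" % fqdn]
    entries = parse_acl(acl_text)
    findings = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # Client -> portal: destination must be the resolved IP on the portal port.
        to_portal = any(e[0] == "permit" and e[1] == "tcp" and e[4] == ip
                        and e[5] in (None, port) for e in entries)
        # Portal -> client: return traffic must also be permitted pre-auth.
        from_portal = any(e[0] == "permit" and e[1] == "tcp" and e[2] == ip
                          and e[3] in (None, port) for e in entries)
        if not to_portal:
            findings.append("ACL does not permit client -> %s:%d" % (ip, port))
        if not from_portal:
            findings.append("ACL does not permit %s:%d -> client" % (ip, port))
    # Without DNS the client never resolves the FQDN in the redirect URL.
    if not any(e[0] == "permit" and e[1] == "udp" and 53 in (e[3], e[5])
               for e in entries):
        findings.append("ACL does not permit DNS (udp/53)")
    return findings


if __name__ == "__main__":
    for f in check_redirect(PORTAL_URL, DNS_VIEW, REDIRECT_ACL) or ["OK"]:
        print(f)
```

Run it once with the address DNAC programmed into the ACL and once with what the client VN's resolver actually returns; if the second run reports a missing permit, the redirect will hang exactly the way the original post describes.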
11-03-2020 04:22 AM
Thanks a lot for your comment. The problem with creating the SSID as a guest SSID from DNAC is that DNAC does not allow me to put a password on the SSID. It has either Open or WebAuth, but my case is to do a web redirect after PSK authentication.
Is it possible?
11-03-2020 06:32 AM - edited 11-03-2020 06:39 AM
What version of DNA Center are you running and what model and version of WLC are you using?
Note that DNA Center 2.1.2.X introduced the ability to configure a Guest SSID with Layer 2 Security support.
Cisco DNAC 2.1.2.X release notes
Creating an SSID for a guest wireless network supports Layer 2 security with the following encryption and authentication types:
Based on the above, with DNAC 2.1.2.X you can create a Guest wireless network and set L2 security to WPA2 Personal with PSK and L3 security to Web Policy with External Web Passthrough.