
Passthrough WebAuth in Fabric WLAN


Hi everyone,

I have one fabric subnet which I use only for ISE Certificate Provisioning. I have a WLAN with the related subnet. When people connect to this WLAN, I want their browsers to pop up the ISE certificate provisioning page. I configured WLAN passthrough in L3 security, but when people associate to the WLAN they are getting redirected to which is WLC's virtual interface but it is not accessible. I wonder whether, as data traffic in a fabric network is not passing through the WLC, webauth won't work. If not and it should work, please guide me on how to accomplish this.



Orkhan Rustamli


Rising star

Hi @OrkhanRustamli 


I have set up something similar to this before without any issues.


Have you configured the ISE certificate provisioning portal with an FQDN and then set this FQDN as the External Web Auth URL under the Guest WLAN within DNA Center? Note that when you enter an FQDN as the Web Auth URL, DNAC should resolve this to an IP address which it then programs in the WLC Redirect ACL, so you need to ensure that your internal DNS is set up correctly.


A few areas to note:


A Guest WLAN that is configured to use Web Policy with either Web Authentication or Web Passthrough (internal or external) is fully supported with fabric enabled wireless. Please see the Appendix in the SD-Access Wireless Design and Deployment guide for a list of supported SD-Access wireless features.  


If you're using internal Web Authentication/Passthrough, the URL redirect to the WLC's internal web portal is initially centrally switched using CAPWAP. As a result, the wireless endpoint does not need to reach the WLC via the fabric. Once the wireless endpoint passes user authentication (or clicks accept if using Web Passthrough) the wireless traffic is then switched at the fabric AP/Edge using VXLAN encapsulation. If you're using external Web Authentication/Passthrough, all traffic is VXLAN encapsulated at the AP/Edge, so the wireless endpoint will need direct access to the external IP address that is hosting the web portal (as well as DNS for FQDN resolution). In your scenario, the wireless endpoint will need direct access to ISE to reach the certificate provisioning portal.


Can you check your configuration and make sure that the wireless endpoint IP pool/VN can reach the ISE IP address that is hosting the certificate provisioning portal? Can you also check that the WLC External Redirect ACL (that DNAC automates) has been configured with the correct ISE IP address?


Hi @willwetherman 


Thanks a lot for your comment. The problem with creating the SSID as guest from DNAC is that DNAC is not allowing me to put a password on the SSID. It has either Open or WebAuth, but my case is to make a web redirect after PSK authentication.

Is it possible?

What version of DNA Center are you running and what model and version of WLC are you using?

Note that DNA Center 2.1.2.X introduced the ability to configure a Guest SSID with Layer 2 Security support. 

Cisco DNAC 2.1.2.X release notes 

Creating an SSID for a guest wireless network supports Layer 2 security with the following encryption and authentication types:

  • Enterprise: You can configure either WPA2 or WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is checked. WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides high-grade security protocols for sensitive data networks.
  • Personal: You can configure both WPA2 and WPA3 or configure WPA2 and WPA3 individually by checking the respective check boxes.
  • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to associate with the open SSID. Associating secures the open SSID. You must have an open SSID created before associating it with the open secured SSID.
  • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

Based on the above, with DNAC 2.1.2.X you can create a Guest wireless network and set L2 security to WPA2 Personal with PSK and L3 security to Web Policy with External Web Passthrough.
