I have one fabric subnet which I use only for ISE Certificate Provisioning. I have a WLAN with a related subnet. I want browsers to pop up the ISE certificate provisioning page when people connect to this WLAN. I configured WLAN passthrough in L3 security, but when people associate to the WLAN they are redirected to https://192.168.0.1/XXXXXXX, which is the WLC's virtual interface and is not accessible. I wonder whether, since data traffic does not pass through the WLC in a fabric network, webauth won't work. If not, it should work, so please guide me to accomplish this.
I have set up something similar to this before without any issues.
Have you configured the ISE certificate provisioning portal with an FQDN and then set this FQDN as the External Web Auth URL under the Guest WLAN within DNA Center? Note that when you enter an FQDN as the Web Auth URL, DNAC should resolve this to an IP address, which it then programs in the WLC Redirect ACL, so you need to ensure that your internal DNS is set up correctly.
A few areas to note:
A Guest WLAN that is configured to use Web Policy with either Web Authentication or Web Passthrough (internal or external) is fully supported with fabric enabled wireless. Please see the Appendix in the SD-Access Wireless Design and Deployment guide for a list of supported SD-Access wireless features.
If you're using internal Web Authentication/Passthrough, the URL redirect to the WLC's internal web portal is initially centrally switched using CAPWAP. As a result, the wireless endpoint does not need to reach the WLC via the fabric. Once the wireless endpoint passes user authentication (or clicks accept if using Web Passthrough), the wireless traffic is then switched at the fabric AP/Edge using VXLAN encapsulation. If you're using external Web Authentication/Passthrough, all traffic is VXLAN encapsulated at the AP/Edge, so the wireless endpoint will need direct access to the external IP address that is hosting the web portal (as well as DNS for FQDN resolution). In your scenario, the wireless endpoint will need direct access to ISE to reach the certificate provisioning portal.
Can you check your configuration and make sure that the wireless endpoint IP pool/VN can reach the ISE IP address that is hosting the certificate provisioning portal? Can you also check that the WLC External Redirect ACL (that DNAC automates) has been configured with the correct ISE IP address?
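A practical way to verify the two points raised in that answer (the portal FQDN resolves to the address the redirect ACL actually exempts, and that the exemption comes before the redirect entries) is to parse the ACL and walk it top-down for the resolved address. The script below is an added example, not code from the thread or anything DNA Center generates. It assumes Cisco IOS-XE extended ACL syntax, where on a web-auth redirect ACL a `deny` entry means "do not redirect" and a `permit` entry means "redirect"; the ACL text, the FQDN `ise-psn1.example.internal` and all addresses are constructed, and name resolution is passed in as a dict so the check runs offline (in practice you would resolve the FQDN against the DNS the endpoints and DNAC use).

```python
"""Check whether a web-auth redirect ACL exempts the portal host.

Added example (not from the original thread). Assumptions:
- IOS-XE extended ACL syntax; on a redirect ACL, 'deny' = do not
  redirect, 'permit' = redirect to the portal.
- The sample ACL, FQDN and addresses below are constructed.
- Name resolution is supplied as a dict so the check is offline.
"""
import ipaddress
import re

# Constructed sample redirect ACL in IOS-XE style.
SAMPLE_ACL = """
ip access-list extended ACL_WEBAUTH_REDIRECT
 deny udp any any eq bootps
 deny udp any any eq domain
 deny ip any host 10.10.20.15
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# Constructed resolution result for the (hypothetical) portal FQDN.
SAMPLE_DNS = {"ise-psn1.example.internal": ["10.10.20.15"]}

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.+)$")


def _port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _take_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by a wildcard (host) mask; ipaddress accepts hostmasks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _skip_port(tokens, i):
    """Skip an optional source-port operator so we land on the destination."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "gt", "lt"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_aces(acl_text):
    """Return (action, protocol, dst_network, dst_port_or_None) per ACE, in order."""
    aces = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line, blank line or remark
        action, proto, tokens = m.group(1), m.group(2), m.group(3).split()
        _, i = _take_addr(tokens, 0)      # source: the endpoint, not relevant here
        i = _skip_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = _port_number(tokens[i + 1])  # only 'eq' is modelled
        aces.append((action, proto, dst, dport))
    return aces


def decide(acl_text, dst_ip, proto="tcp", dport=443):
    """First-match walk of the ACL for traffic from any source to dst_ip.

    Returns 'deny' (exempt from redirect) or 'permit' (redirected).
    An ACL ends with an implicit deny, i.e. unmatched traffic is not redirected.
    """
    dst = ipaddress.ip_address(dst_ip)
    for action, ace_proto, dst_net, ace_port in parse_aces(acl_text):
        if ace_proto not in ("ip", proto):
            continue
        if dst not in dst_net:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"


def check_portal_exempt(acl_text, fqdn, dns):
    """Map each address the portal FQDN resolves to -> True if the ACL exempts it.

    A False value means the endpoint's HTTPS to the portal would itself be
    redirected (e.g. DNS changed after the ACL was programmed) and the portal
    can never load.
    """
    return {ip: decide(acl_text, ip, "tcp", 443) == "deny" for ip in dns.get(fqdn, [])}


if __name__ == "__main__":
    for ip, ok in check_portal_exempt(SAMPLE_ACL, "ise-psn1.example.internal", SAMPLE_DNS).items():
        print(f"{ip}: {'exempt from redirect' if ok else 'WOULD BE REDIRECTED'}")
```

Run it against the real `show` output of the redirect ACL and the FQDN set as the External Web Auth URL; any address that reports as redirected is the mismatch described above, and the fix is on the DNS/ACL side rather than on the WLAN.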
Thanks a lot for your comment. The problem with creating the SSID as guest from DNAC is that DNAC does not allow me to put a password on the SSID. It has either Open or WebAuth, but my case is to do a web redirect after PSK authentication.
Creating an SSID for a guest wireless network supports Layer 2 security with the following encryption and authentication types:
Enterprise: You can configure either WPA2 or WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is checked. WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides high-grade security protocols for sensitive data networks.
Personal: You can configure both WPA2 and WPA3 or configure WPA2 and WPA3 individually by checking the respective check boxes.
Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to associate with the open secured SSID. Associating secures the open SSID. You must have an open SSID created before associating it with the open secured SSID.
Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.
Based on the above, with DNAC 2.1.2.X you can create a Guest wireless network and set L2 security to WPA2 Personal with PSK and L3 security to Web Policy with External Web Passthrough.