Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1911
Views
15
Helpful
5
Replies

Forescout Mac Filtering Security and Web Policy

Go to solution
Nana Banahene
Level 1
Level 1

‎04-28-2019 07:55 PM - edited ‎07-05-2021 10:17 AM

The rule of thumb is or was the wlan being anchored must be identical on both foreign and anchor, correct? Third party AAA(forescout) is wanting layer 2 security mac filtering on foreign and layer 3 security on anchor(that would mean wlans are not identical in configs). If one configures layer 2 mac filtering on wlan, and layer 3 web policy is not enabled how would clients know it's a WebAuth or can both layer 2 and 3 be configured for the same wlan?

Labels:
0 Helpful
5 Accepted Solutions

Accepted Solutions

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight

‎04-29-2019 02:30 AM - edited ‎04-29-2019 01:19 PM

Hi Nana Banahene,

 

Yes, Both anchor and Foreign should have the same configuration. 

 

But if you are using Central web-auth, Only you have to enable MAC-Filtering and no L3 Auth is needs to be enabled, On the SSID you have to enable AAA Override to accept the redirection attribute send by the radius server (ISE/Forescout).

 

On this case AAA is performed by Foreign WLC. Refer the link of Central Web-Auth Configuration via Cisco ISE so that you can get a idea on it.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

View solution in original post

Go to solution
Nana Banahene
Level 1
Level 1
In response to Sathiyanarayanan Ravindran

‎04-29-2019 01:34 PM

There is a pre-auth acl I configured that needs to be applied and that can
be applied under layer 3 or wlan interface(but wlan interface will not be
helpful for pre-auth) hence I need to apply it under layer 3. What are my
options to get this pre-auth acl going as well

View solution in original post

0 Helpful

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight
In response to Nana Banahene

‎04-29-2019 02:10 PM

Pre auth ACL is not required in this case. You have to configure a ACL on the foreign controller for DHCP/DNS and NAC IP access(for redirection page). That ACL name has to be present on the Authorization Profile.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

View solution in original post

Go to solution
Nana Banahene
Level 1
Level 1
In response to Sathiyanarayanan Ravindran

‎04-30-2019 05:47 PM

Yes, on the anchor I have pre-auth acl on L3. I was just concerned that on foreign I have L2 mac filtering, making the configs on foreign different from anchor, but if I understand you correctly, for wlan in question I can do L2 mac filtering on foreign with AAA overide and then do L3 preauth on anchor, and there should be no issues, correct?

View solution in original post

0 Helpful

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight
In response to Nana Banahene

‎04-30-2019 11:39 PM

Here also both anchor and foreign configuration has to be same. Only thing that changes is who is performing the AAA. 

Also you don’t need to configure L3 on both the controller. Redirection ACL name and URL will be send by the radius server through Authorization profile. You have to create a redirection ACL with only DHCP, DNS and NAC IP on Foreign controller. 

 

Have you referred the link i shared on my previous response? If not pls check it once.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

View solution in original post

5 Replies 5

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight

‎04-29-2019 02:30 AM - edited ‎04-29-2019 01:19 PM

Hi Nana Banahene,

 

Yes, Both anchor and Foreign should have the same configuration. 

 

But if you are using Central web-auth, Only you have to enable MAC-Filtering and no L3 Auth is needs to be enabled, On the SSID you have to enable AAA Override to accept the redirection attribute send by the radius server (ISE/Forescout).

 

On this case AAA is performed by Foreign WLC. Refer the link of Central Web-Auth Configuration via Cisco ISE so that you can get a idea on it.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Go to solution
Nana Banahene
Level 1
Level 1
In response to Sathiyanarayanan Ravindran

‎04-29-2019 01:34 PM

There is a pre-auth acl I configured that needs to be applied and that can
be applied under layer 3 or wlan interface(but wlan interface will not be
helpful for pre-auth) hence I need to apply it under layer 3. What are my
options to get this pre-auth acl going as well
0 Helpful

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight
In response to Nana Banahene

‎04-29-2019 02:10 PM

Pre auth ACL is not required in this case. You have to configure a ACL on the foreign controller for DHCP/DNS and NAC IP access(for redirection page). That ACL name has to be present on the Authorization Profile.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Go to solution
Nana Banahene
Level 1
Level 1
In response to Sathiyanarayanan Ravindran

‎04-30-2019 05:47 PM

Yes, on the anchor I have pre-auth acl on L3. I was just concerned that on foreign I have L2 mac filtering, making the configs on foreign different from anchor, but if I understand you correctly, for wlan in question I can do L2 mac filtering on foreign with AAA overide and then do L3 preauth on anchor, and there should be no issues, correct?

0 Helpful

Go to solution
Sathiyanarayanan Ravindran
Spotlight
Spotlight
In response to Nana Banahene

‎04-30-2019 11:39 PM

Here also both anchor and foreign configuration has to be same. Only thing that changes is who is performing the AAA. 

Also you don’t need to configure L3 on both the controller. Redirection ACL name and URL will be send by the radius server through Authorization profile. You have to create a redirection ACL with only DHCP, DNS and NAC IP on Foreign controller. 

 

Have you referred the link i shared on my previous response? If not pls check it once.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card