618 Views, 0 Helpful, 4 Replies

5760 guest network not receiving IP address

d_p_grant (Level 1)

I'm testing a pair of 5760s for a near-term production rollout. I have the dot1x employee WLAN working, but am having trouble with the guest web-auth WLAN. We have a foreign controller with connected APs and an anchor controller in the DMZ. We're using an external redirect to the ISE guest portal. ISE is working with our production equipment and hasn't been changed. However, I'm not able to get an IP address assignment to test the ISE redirect. When I remove all of the web-auth configuration, I get an IP address without issues. My configuration is attached below, and I would appreciate an extra set of eyes.

!!!!!!!!!!!!
!! Anchor controller
!!!!!!!!!!!!
!
aaa group server radius ISE
 server name iseservername
aaa authentication login ISE-MethodList group ISE
!
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 x.x.127.1 virtual-host guest-redirect.domain.com
!
parameter-map type webauth Guest-param-map
 type webauth
 redirect for-login https://guestportal.domain.com:8443/guestportal/portal.jsp
 redirect portal ipv4 x.x.164.35
!
ip access-list extended Guest-preauth
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any any range bootps bootpc
 permit tcp any any eq 8443
 permit tcp any any established
ip access-list extended Guest-redirect-acl
 permit tcp any any eq www
!
radius server iseservername
 address ipv4 x.x.164.35 auth-port 1812 acct-port 1813
 key [verysecretkey]
!
wlan Guest 1 Guest
 client vlan 330
 ip access-group web Guest-preauth
 mobility anchor
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list ISE-MethodList
 security web-auth parameter-map Guest-param-map
 no shutdown

!!!!!!!!!!!!!!!!
!! Foreign Controller
!!!!!!!!!!!!!!!!

wireless management interface Vlan60
!
wlan Guest 1 Guest 1
 client vlan 60
 mobility anchor x.x.60.160
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 no shutdown

4 Replies

Have you tried enabling DHCP snooping for VLAN 330 on your 5760 and trusting the 5760 uplink? In the config below I have assumed the 10G port of the 5760 is mapped to an EtherChannel (Po1). Otherwise trust the physical interface.

ip dhcp snooping
ip dhcp snooping vlan 330
!
interface Port-channel x
 switchport trunk native vlan x
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 ip dhcp snooping trust

HTH

Rasika

**** Pls rate all useful responses ****
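The two things this thread keeps circling back to are checkable offline: the pre-auth ACL on a web-auth WLAN must still permit DHCP and DNS (it is the control that limits unauthenticated guest traffic, so an omission there silently blocks address assignment), and if DHCP snooping covers the client VLAN then some interface must be trusted or the offers are dropped. The lint below is an added example, not Cisco code or anything from the thread; the function names and the constructed sample config are mine, and it only understands the single-VLAN `ip dhcp snooping vlan N` form shown in the replies.

```python
import itertools, re

def _blocks(cfg, header_re):
    """Yield (header match, stripped indented body lines) for each block whose header matches."""
    lines = cfg.splitlines()
    for i, line in enumerate(lines):
        if m := re.match(header_re, line):
            body = itertools.takewhile(lambda s: s.startswith(" "), lines[i + 1:])
            yield m, [s.strip() for s in body]

def check_guest_wlan(cfg):
    """Return a list of findings for every web-auth WLAN in cfg; [] means clean."""
    out = []
    acls = {m.group(1): " ".join(b) for m, b in _blocks(cfg, r"ip access-list extended (\S+)")}
    snoop_on = re.search(r"^ip dhcp snooping$", cfg, re.M)   # snooping only bites when enabled globally
    snooped = {int(v) for v in re.findall(r"^ip dhcp snooping vlan (\d+)", cfg, re.M)} if snoop_on else set()
    trusted = [m.group(1) for m, b in _blocks(cfg, r"interface (\S+)") if "ip dhcp snooping trust" in b]
    for m, body in _blocks(cfg, r"wlan (\S+) \d+ "):
        name = m.group(1)
        if "security web-auth" not in body:
            continue                                          # only web-auth WLANs carry a pre-auth ACL
        vlan = next((int(l.split()[2]) for l in body if l.startswith("client vlan ")), None)
        acl = next((l.split()[3] for l in body if l.startswith("ip access-group web ")), None)
        if acl is None:
            out.append(f"{name}: web-auth WLAN has no pre-auth ACL (ip access-group web)")
        elif acl not in acls:
            out.append(f"{name}: pre-auth ACL {acl} is not defined")
        else:
            for proto, pat in (("DHCP", r"permit udp .*bootp"), ("DNS", r"permit udp .*domain")):
                if not re.search(pat, acls[acl]):
                    out.append(f"{name}: ACL {acl} does not permit {proto}")
        if vlan in snooped and not trusted:
            out.append(f"{name}: DHCP snooping on VLAN {vlan} with no trusted uplink; offers dropped")
    return out

# Constructed sample in the shape of the anchor-controller snippet in the thread (not real config).
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 330
ip access-list extended Guest-preauth
 permit udp any any eq domain
 permit udp any any range bootps bootpc
interface Port-channel1
 ip dhcp snooping trust
wlan Guest 1 Guest
 client vlan 330
 ip access-group web Guest-preauth
 security web-auth
"""
```

Paste the relevant `show running-config` sections into `SAMPLE` and call `check_guest_wlan` on it; an empty list means both checks passed.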

I haven't. I had DHCP snooping on the foreign controller for non-anchored WLANs, but was often not getting DHCP addresses, even though the config was right as far as the documentation was concerned. So I pulled it off and started getting addresses.

Is there something missing or wrong in the above config? I haven't imported a certificate yet, as I was going to work on that piece once I had an IP address and could perform a redirect. Is the cert you are using specified as a trustpoint in the non-global parameter-map?

In my production 5760/3850 guest access setup, I have enabled DHCP snooping and things are working fine. I am running 3.6E code, and ClearPass is the guest portal, not ISE.

Regarding certificates, this is what I have done:

http://mrncciew.com/2014/07/30/5760-webauth-certificates/

Pls do not forget to rate our responses if you find them useful.

HTH

Rasika

Dhiresh Yadav (Cisco Employee)

Hi,

You are using web-auth, so the IP address should be assigned without any authentication. The only thing in between is the mobility tunnel used to pick up the IP address from the anchor controller. Is one of the 5760s the foreign and the other one the anchor?

Verify the mobility tunnel:

> sh wireless mobility summary

> show wireless client mac-address <MAC ADDR> detail

> sh ip device tracking mac <mac-address>

> debug mobility handoff (on the anchor)

Regards

Dhiresh

Please rate helpful posts
