Hi Muhsi,

Thanks for your question.

It depends what type of authentication with redirection are you trying to configure and on what platform. I will try to cover all scenarios in the response below.

1. In case you are talking about CWA (central web auth) configurarion, you will need configure WLAN profile with MAC authentication / AAA override and RADIUS NAC. Redirect-ACL has also be configured on WLC and it must allow access to DNS and ISE servers and also can allow access to any additional resources that are considered to be accessible by your local security policy for users in pre-authentication state.  After initial MAC authentication, ISE will send redirect-ACL and redirect-URL in corresponding RADIUS AV-pairs. Any traffic that is denied in Redirect-ACL will be redirected to login portal on ISE. More details on that type of access can be found via this link: WLC CWA with ISE
2. In case you are interested in LWA with redirection to external login portal, then you need configure web-authentication policy on WLAN profile and assign corresponding Redirect-ACL  directly to SSID configuration. Redirect-URL can either be defined in global configuration or over-ride on WLAN. Details regarding on LWA configuration with external portal can be found via following link: WLC LWA with ISE

Those configuration follow the same logic, though different command syntax, with IOS XE controllers (the major difference is  with ACL entries, with IOS XE controllers traffic that is permitted without redirection is defined with 'deny' statements).

1. CWA configuration on 3650/3850/5760: CWA configuration on NGWC
2. LWA configuration on 3650/3850/5760: LWA configuration on NGWC

Post authentication ACL defines what resources are available to client after web-authentication is performed, it's regulated by your company security policies requirements.

Hi Roman.

Thanks 
In the ACL-REDIRECT the below ace meaning

eans do not redirect dns request and redirect any www ?
deny udp any any eq domain
permit tcp any any eq www

What about the postauthentication acl ,
Where should I apply the postauth ACL
Is it ok applying it on the core switch interface vlan ?

Thanks

Hi Muhsi,

Correct, given that you have following entries in ACL-REDIRECT:

deny udp any any eq domain
permit tcp any any eq www

means don't redirect DNS traffic, but redirect all HTTP traffic

Post-authentication ACL is also defined on controller as it will be sent to WLC / NGWC in RADIUS AV-pairs during authorization phase, since policy enforcement are done on controller per client session and not on core switch. In that ACL you define traffic that is permitted with 'permit' statement and traffic that needs to be dropped with 'deny'.

Hi,

Can you give an example for  post-authentication acl and how do we assign the post-acl in ise

Thanks

Hi Muhshi,

Example can be simple as this:

Extended IP access list post-auth
    10 permit ip any any

Can be more restrictive, allowing internet access only:

Extended IP access list post-auth
    10 deny ip any 192.168.0.0 0.0.255.255
    20 deny ip any 172.0.0.0 0.31.255.255
    30 deny ip any 10.0.0.0 0.255.255.255

Again, as I mentioned earlier all depends on the access restrictions you want to enforce for the guest users or users connected with web-auth.

As for configuration, that ACL (post-auth) ACL can also be configured on the controller and sent back during authorization, in that case it's configured as either of below parameters (depending on WLC platform) under corresponding authorization profile on ISE in 'Common Tasks' section:

• 'Filter-ID' --- for IOS XE controllers
• 'Airespace --- ACL Name' for Aironet WLCs

With IOS XE controllers you can also use dynamic ACL assignment, in that case ACL is defined on ISE which is more scalable option as only one instance of ACL is kept on central AAA server, rather independent ACLs per WLC.

In attached documentation you can find more details on dACL functionality and configuration details.

Hi Roman,

I have a customer with a small site, only 7 APs managed by a pair of 2504 WLCs running 8.0.133. I recently updated the controller software so they could support new 3702 APs, and moved them from Prime Infrastructure 1.3 to 3 at the same time. Naturally, that caused a flood of questions!

The 2504s run AP-based HA, so the WLCs can get out of synch in terms of local users and their credentials, because they are effectively running as stand-alone controllers.

Is there any way of using Prime (or anything else!) to automatically synchronize the users/credentials across the two WLCs?

Hi Roman 

1 - I have a vWLC running 8.2 code, in a densely populated office. Recently the vWLC RRM features has been putting 2600 APs on the same channel on the 802.1a interface.

What would cause this to happen? 

2 - In the SNMP trap logs I see many instanced where 'Rogue AP are removed from Base Radio MAC'. What does this mean?

3- The SNMP Trap logs are not sent to syslog , why is this? I have set syslog to debug level. How can I get SNMP trap logs sent to syslog? 

Hi Mohamed,

Thanks for your questions.

1. Is the issue specific to 2602 APs? What channel APs are set to? I would recommend following in this case, on WLC under 'Management -> SNMP -> Trap Controls -> Auto RF' enable 'Channel Update' traps.  Then whenever you get channel update on AP, WLC will also log the reason behind the change in traplogs and you can view it with either 'show traplog' or in UI under 'Management -> SNMP - Trap Logs>'.
2. For that one can you paste example of the exact trap you are getting?
3. Looks are confusing SNMP and SYSLOG, those are two separate protocols. SNMP traps are need to be sent to NMS (Network Management System) or to Trap receiver server.

Hi,

As per my understanding you running 2x 2504 in 1+1 redundancy and you want to keep configuration synchronized between WLCs.

That platform doesn't support SSO redundancy, so you have to be sure to apply same configuration on both WLC.

I would recommend you to use Prime infrastructure to define WLC templates and apply those templates to WLCs from PI, please refer to the link below regarding template configuration for local mgmt users in PI:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/user/guide/pi_ug/config-temp.html#62301

Let me know if that helps.

Hi Roman,

Your description of the use of N+1 redundancy is correct, but sorry, my description was not as clear as it could have been!

These are not management users: When new WLAN users attempt to associate with the AP, the WLCs present a splash page to which the users have to add their username/password to be allowed to associate with the AP.

To summarise, I want to be able to use PI to replicate what the Lobby Ambassador sees on one WLC on the other, so that if one WLC fails, the users logon is available on the other automatically

Hi Jblake,

So the question was about local netuser accounts on WLC for guest authentication.

First you will need to sync-up current configuration on both controllers for that:

1. In WLC CLI "config passwd-cleartext enable"; that will disable account passwords encryption
2. Then in CLI use 'show run-config commands' and from output provided you can get guest account configuration commands, e.i:

• netuser add guest1 cisco123 wlan 0 userType guest lifetime 3600 description test_guest
  
   netuser add guest2 cisco345 wlan 0 userType guest lifetime 1800 description

3. Do the same with other controller.
4. Then using some text editor tool create unified configuration for guest accounts, copy and paste it to each WLC.
5. Enable password encryption "config passwd-cleartext disable"

After that I would recommend you to use Prime Infrastructure Ambassador Account for centralized management of guest accounts on WLCs.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/administrator/guide/PIAdminBook/maint_user_access.html#86231

Let me know if that helps or should you have any questions.

Hi Roman,

The first part of the advice works well, and allows me to manually duplicate netusers on each WLC and thereby synchronise them. However, I must have missed the point with regards using the Ambassador account. The manual says:

Step 1 Log in to Prime Infrastructure as a lobby ambassador.

Step 2 Choose Select a command > A dd User Group > Go.

which makes perfect sense, but when I try to select the "Add User Group", its not there: see attached screenshot

Am I doing something wrong, or is the manual at fault?

Hi Jblake,

It's mistype in manual, has to be written as  'Add Guest User' option'.