Auto-Anchor Mobility with C9800-40

ciscokapajoeen
Level 1

Hello All,

I'm trying to configure a Guest WLAN with the Cisco ISE HotSpot portal using Auto-Anchor Mobility.

Is there any guide describing the whole process?

Starting with this reference (https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475) on "ISE Guest Access Prescriptive Deployment Guide", I used this reference (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213913-building-mobility-tunnels-on-catalyst-98.html) on "Building Mobility Tunnels on Catalyst 9800 Wireless Controllers" associated with this one (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html) related to "Configure Mobility Anchor on Catalyst 9800 Wireless Controllers".

From the successful authentication and authorization I get from Cisco ISE, I can see that all the sessions are being handled ONLY by the front-end C9800-40 (Foreign WLC). However, I was surprised to see (Monitoring > Wireless > AP Statistics > Join Statistics) that some access points had unsuccessfully tried to join the back-end C9800-40 (the ANCHOR).

What could be the reasons for the failure of the APs to attach to the ANCHOR C9800-40 in the DMZ?

Why does the ISE PSN seem not to interact with the C9800-40 in the DMZ?

Why is the guest wireless client not interacting with the C9800-40 in the DMZ but ONLY with the one in the LAN, as shown by the ISE successful authorization?

Patrice

3 Replies

Scott Fella
Hall of Fame
It’s because you don’t have the 9800s properly configured. For example, there should be no access points that join the anchor controller, so UDP 5246 and UDP 5247 should be blocked from the inside to the DMZ. Your guest anchor controller should point to the DMZ ISE PSN also, unless you are opening up the FW to access a PSN from the internal network.

You should have first defined the access points' high availability.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/ap-priority.html

You should then use this guide you already looked at and set up a test open SSID, and make sure the client is tunneled to the DMZ, the client gets an IP from the DMZ, and the client has access to the internet while internal traffic is blocked.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html#anc6

Start off simple first and follow each step carefully. Any mistakes in the wlan configuration will cause the anchoring not to work.
-Scott
*** Please rate helpful posts ***
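As an added example (not part of this thread and not Cisco's code), here is a small Python audit of the flows Scott lists: CAPWAP UDP 5246/5247 from the inside to the DMZ anchor must be denied, the foreign-to-anchor mobility tunnel must be permitted, the anchor must reach the DMZ PSN, and guest clients must reach the portal but not internal hosts. The addresses and rules are constructed; the mobility ports (UDP 16666/16667 on the Catalyst 9800), RADIUS ports (UDP 1812/1813) and the ISE guest-portal port (TCP 8443) are assumptions taken from standard deployments rather than from this thread, and which of these flows actually cross your firewall depends on your topology.

```python
"""Audit a first-match firewall policy for the flows a C9800 guest-anchor
deployment needs. Everything here is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "udp", "tcp" or "any"
    dport: int   # destination port, 0 = any


# Constructed topology (assumed addresses, not from the thread).
INSIDE = "10.10.0.0/16"          # APs, foreign WLC and internal hosts
FOREIGN_WLC = "10.10.1.5"
ANCHOR_WLC = "192.0.2.10"        # guest anchor in the DMZ
DMZ_PSN = "192.0.2.20"           # ISE PSN in the DMZ
GUEST_SUBNET = "192.0.2.128/25"  # DHCP pool served by the anchor
AP = "10.10.2.40"
GUEST_CLIENT = "192.0.2.130"
INTERNAL_HOST = "10.10.50.7"


def evaluate(policy, src, dst, proto, dport):
    """First matching rule wins; no match means the implicit deny."""
    for r in policy:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (0, dport)):
            return r.action
    return "deny"


# (description, src, dst, proto, dport, expected action)
EXPECTATIONS = [
    ("CAPWAP control from APs must not reach the anchor", AP, ANCHOR_WLC, "udp", 5246, "deny"),
    ("CAPWAP data from APs must not reach the anchor", AP, ANCHOR_WLC, "udp", 5247, "deny"),
    ("mobility control foreign->anchor (assumed port)", FOREIGN_WLC, ANCHOR_WLC, "udp", 16666, "permit"),
    ("mobility data foreign->anchor (assumed port)", FOREIGN_WLC, ANCHOR_WLC, "udp", 16667, "permit"),
    ("mobility control anchor->foreign", ANCHOR_WLC, FOREIGN_WLC, "udp", 16666, "permit"),
    ("mobility data anchor->foreign", ANCHOR_WLC, FOREIGN_WLC, "udp", 16667, "permit"),
    ("RADIUS auth anchor->DMZ PSN", ANCHOR_WLC, DMZ_PSN, "udp", 1812, "permit"),
    ("RADIUS acct anchor->DMZ PSN", ANCHOR_WLC, DMZ_PSN, "udp", 1813, "permit"),
    ("guest client to ISE portal (assumed port)", GUEST_CLIENT, DMZ_PSN, "tcp", 8443, "permit"),
    ("guest client must not reach internal hosts", GUEST_CLIENT, INTERNAL_HOST, "tcp", 445, "deny"),
]


def audit(policy):
    """Return one finding per expectation the policy violates (empty = clean)."""
    findings = []
    for desc, src, dst, proto, dport, expected in EXPECTATIONS:
        got = evaluate(policy, src, dst, proto, dport)
        if got != expected:
            findings.append(f"{desc}: {proto}/{dport} {src}->{dst} is {got}, expected {expected}")
    return findings


# Constructed policy that reproduces the symptom in the question: a broad
# inside->DMZ permit lets APs attempt CAPWAP joins against the anchor.
LEAKY_POLICY = [
    Rule("permit", INSIDE, "192.0.2.0/24", "any", 0),
    Rule("permit", ANCHOR_WLC + "/32", FOREIGN_WLC + "/32", "udp", 16666),
    Rule("permit", ANCHOR_WLC + "/32", FOREIGN_WLC + "/32", "udp", 16667),
    Rule("permit", ANCHOR_WLC + "/32", DMZ_PSN + "/32", "udp", 1812),
    Rule("permit", ANCHOR_WLC + "/32", DMZ_PSN + "/32", "udp", 1813),
    Rule("permit", GUEST_SUBNET, DMZ_PSN + "/32", "tcp", 8443),
]

# Tightened policy: explicit CAPWAP denies first, then only the named flows.
TIGHT_POLICY = [
    Rule("deny", INSIDE, ANCHOR_WLC + "/32", "udp", 5246),
    Rule("deny", INSIDE, ANCHOR_WLC + "/32", "udp", 5247),
    Rule("permit", FOREIGN_WLC + "/32", ANCHOR_WLC + "/32", "udp", 16666),
    Rule("permit", FOREIGN_WLC + "/32", ANCHOR_WLC + "/32", "udp", 16667),
    Rule("permit", ANCHOR_WLC + "/32", FOREIGN_WLC + "/32", "udp", 16666),
    Rule("permit", ANCHOR_WLC + "/32", FOREIGN_WLC + "/32", "udp", 16667),
    Rule("permit", ANCHOR_WLC + "/32", DMZ_PSN + "/32", "udp", 1812),
    Rule("permit", ANCHOR_WLC + "/32", DMZ_PSN + "/32", "udp", 1813),
    Rule("permit", GUEST_SUBNET, DMZ_PSN + "/32", "tcp", 8443),
    Rule("deny", GUEST_SUBNET, INSIDE, "any", 0),
]

if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit(policy) or "OK")
```

Running it reports two CAPWAP findings for the leaky policy and none for the tightened one; the same `EXPECTATIONS` table can be pointed at an export of your real rule base once you translate it into `Rule` entries.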

Hello Scott,

I was able to verify and set up the mobility tunnel so that the guest client is visible on the Guest Anchor Controller with an IP address provided by the DHCP server configured on the ANCHOR C9800. I believe the next step is that the guest client should receive the welcome page from the Cisco ISE PSN to get authenticated. But by WHOM?

I believe that until the guest client is authorized, all the traffic is tunneled through the CAPWAP tunnel rather than the mobility tunnel, so the request to log onto the guest portal is also provided through the tunnel.

Then the guest client, with the IP address received from the Guest DHCP Pool, needs to log on to the Cisco ISE PSN.

In our case, we do not see these attempts blocked by the firewall. We even set up NAT and an ACL between the subnet assigned to the guest client and the ISE PSN.

Can you explain what is required for the guest to receive access to the Cisco ISE portal?

 

Patrice

Since you now have an SSID successfully anchored to the guest anchor controller and working with network connection and internet, you can move on.

This flow is the same for the AireOS controllers. You can find additional information here:

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224

This guide explains the CWA configuration on both the foreign and anchor:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/cisco-guest-foreign.html#concept_e5l_1np_njb
-Scott
*** Please rate helpful posts ***