07-18-2020 02:41 AM - edited 07-05-2021 12:17 PM
Hello All,
I'm trying to configure Guest WLAN with the Cisco ISE HotSpot portal using Auto-Anchor Mobility.
Is there any guide describing the whole process?
Starting with this reference (https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475) on "ISE Guest Access Prescriptive Deployment Guide", I used this reference (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213913-building-mobility-tunnels-on-catalyst-98.html) on "Building Mobility Tunnels on Catalyst 9800 Wireless Controllers" associated with this one (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html) related to "Configure Mobility Anchor on Catalyst 9800 Wireless Controllers".
From the successful authentication and authorization I get from Cisco ISE, I can see that all the sessions are being handled ONLY by the front-end C9800-40 (Foreign WLC); however, I was surprised to see (Monitoring > Wireless > AP Statistics > Join Statistics) that some access points were able to unsuccessfully join to the back-end C9800-40 (the ANCHOR).
What could be the reasons for the failure of the APs to attach to the ANCHOR C9800-40 in the DMZ?
Why does the ISE PSN seem not to interact with the C9800-40 in the DMZ?
Why is the guest wireless client not interacting with the C9800-40 in the DMZ but ONLY with that in the LAN, as shown by ISE successful authorization?
Patrice
07-18-2020 07:28 AM
07-22-2020 02:36 AM
Hello Scott,
I was able to verify and set up the mobility tunnel so that the guest client is visible on the Guest Anchor Controller with an IP address provided by the DHCP server configured on the ANCHOR C9800. I believe the next step is that the guest client should receive the welcome page from the Cisco ISE PSN to get authenticated. But by WHOM?
I believe that until the guest client is authorized, all the traffic is tunneled through the CAPWAP tunnel, then the mobility tunnel. So the request to log on to the guest portal is also provided through the tunnel.
Then the guest client, with the IP address received from the Guest DHCP pool, needs to log on to the Cisco ISE PSN.
In our case, we do not see these attempts blocked by the firewall. We even set up NAT and ACL between the subnet assigned to the guest client and the ISE PSN.
Can you explain what is required for the guest to receive access to the Cisco ISE portal?
Patrice
07-22-2020 03:31 AM