Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
963
Views
0
Helpful
1
Replies

Central Web Authentication (CWA) for guests with ISE

mM CisCo
Level 1
Level 1

‎02-02-2017 07:41 AM - edited ‎07-05-2021 06:29 AM

Hi Wireless Expert,

Actually I got some curious things whereby need to be exact answer. on my workplace got 2 controller in which both controller have been set up Central Web Authentication for guest with ISE (Please find my attached file).

I got shocked only for guests SSID during roaming and registered to second controller, it will disconnected and will be prompted username and password again, subsequent need login same as username and password again is provided by ISE PORTAL, meaning it is not seamless once registered to second controller and no got sign getting low signal even blank spot, everything during roaming registered to second controller got good signal, and also vice versa got same thing.

Could you tell me, is it normal behavior or need some configuration adjustment to rectify this issues ?

I'll appreciate if someone can explain about this one.

Below is my reference how do i configure Central Web Authentication (CWA) for guests with ISE

https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise

Regards,

mM CisCo

Labels:
Preview file
20 KB
0 Helpful
1 Reply 1

Freerk Terpstra
Level 7
Level 7

‎02-02-2017 12:10 PM

I never use the "use case: Guest flow" myself, but create two wireless MAB authorization rules within ISE:

1. Guest - known:
1.1 Wireless MAB
1.2 Radius called station-id ends with "GuestSSID"
1.3 Endpoint Identity Group: "GuestEndpointIdentitygroup"
Result: Permit access

2. Guest - unknown
2.1 Wireless MAB
2.2 Radius called station-id ends with "GuestSSID"
Result: Redirect towards guest portal for registration

Make sure that the configured purging setting for the guest endpoint Identity Group is based on the duration of the guest account. This should be sufficient to have the same behavior across different controllers. Nevertheless I would advise you to review the WLC setup as well; you should keep access-points in the same building on the same controller.

Please rate useful posts... :-)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card