Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
561
Views
10
Helpful
4
Replies

Cisco 9800 Guest Anchor Wireless Setup

Go to solution
bjmcveety
Level 1
Level 1

‎10-25-2022 12:24 PM

I need some clarification on the setup for guest wireless utilizing c9800-40 as Foreign and c9800-L as the Guest Anchor. The SSID is setup as open[MAC filtering] with a self registered portal through ISE. The Mobility Tunnels are up and both controllers have been added to ISE. Attached is an example of the "guest-redirect" for ISE.... Where do I apply this on the controllers? And do I need to add it to both controllers or just the Guest Anchor?

bjmcveety_0-1666725726711.png

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bjmcveety
Level 1
Level 1

‎10-26-2022 07:38 AM

Okay, thank you very much to both of you for your help!

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Haydn Andrews
VIP Alumni
VIP Alumni

‎10-25-2022 02:04 PM

 

The entries on the foreign don't matter as it will be the anchor WLC applying the ACL to the traffic. The only requirement is that it is there and has some entry. The entries on the anchor have to "deny" access to ISE on port 8443 and "permit" everything else. This ACL is only applied to traffic coming "in" from the client so rules for the return traffic are not needed. DHCP and DNS will pass through without entries in the ACL.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216500-catalyst-9800-central-web-authenticati.html#anc11

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Go to solution
bjmcveety
Level 1
Level 1
In response to Haydn Andrews

‎10-26-2022 05:13 AM

Thanks Haydn. The guide does not describe where to apply the Redirect ACL on the anchor or the foreign controller.

0 Helpful

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni

‎10-26-2022 06:46 AM

You don't have to apply this ACL anywhere. It will be sent as an attribute in the Radius Accept message which ISE will send to WLC, so WLC can allow access from the client to ISE (URL redirection). Once user completes the Guest Flow ISE will send a COA again to the client to allow access to network/Internet.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Go to solution
bjmcveety
Level 1
Level 1

‎10-26-2022 07:38 AM

Okay, thank you very much to both of you for your help!

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card