Hello all, I need some advice.
I am trying to set up a Guest WLAN on Mobility Express with the ability to authorize guests through an ISE Guest Portal (sponsored or any other kind).
I have ME 8.5.151 and I purposely upgraded it to 8.10.130.
But in this version I do not see the ability to attach a url_redirect ACL/pre-auth ACL to the WLAN. I created a redirect ACL under the advanced security settings, but I do not see how to map it to the WLAN.
WLAN Security Settings (you will see that there are no options for redirect ACL and pre-auth ACL):
But in ME version 8.8.100 I see these options (automatically generated redirect ACL and the ability to create a pre-auth ACL).
Can I set up a Guest WLAN with ISE Guest Portal in this version (8.10.130), or should I upgrade/downgrade to some other version?
Maybe you can refer to this deployment example:
That was a good article but did not resolve the issue in 184.108.40.206. The support to add an ACL via the CLI seems to have been disabled.
(Cisco Controller) >config
(Cisco Controller) config>flexconnect acl rule add me_cwa_acl_redirect_1 1
Error! Invalid ACL name.
(Cisco Controller) config>flexconnect acl rule add ?
<name> Enter IPv4 ACL name up to 32 alphanumeric characters.
(Cisco Controller) config>flexconnect acl rule add test ?
<index> Enter rule index between 1 and 64.
(Cisco Controller) config>flexconnect acl rule add test 1
Error! Invalid ACL name.
However, in the Cisco Mobility Express User Guide, Cisco Wireless Release 8.10, on page 115, section "Applying the ACL to WLAN at Pre-Auth Level", it has you apply the ACL via the GUI. I am going to try the following sections of the doc and see what happens.
Applying the ACL to WLAN at Pre-Auth Level
Applying the ACL to WLAN at Post-Auth Level
Configuring AAA Override in WLAN
I think you should create the ACL first and then add the rule.
(Cisco Controller) >config flexconnect acl create test
(Cisco Controller) >config flexconnect acl rule add test 1
(Cisco Controller) >config flexconnect acl apply test
I apologize for the delay in getting back to you on this one. I had other fires to put out. So in the meantime I turned up another AP with Mobility Express with 8.7 code configured per the instructions and it worked. So then I upgraded it to 220.127.116.11. After the upgrade it did not work due to the ACL entries being wiped out during the upgrade process, but the ACL was still configured without any entries. So I added the entries into the me_cwa_acl_redirect_1 pre-auth ACL and it started working again on the test AP. Next I copied the configuration to the existing WLC and set up a WLAN exactly like the test AP. The communication seems to be good between the ISE server and the ME controller; however, the client gets the redirect but does not connect to the URL. Packet captures show the communication between the controller and ISE, and within ISE I can see the authentication and redirect. It almost seems like a DNS issue, but the host is resolvable from the client when doing an nslookup.
redirected URL from the client browser:
Windows IPCONFIG Output while connected to SSID OPEN:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.225.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.225.1
Any ideas on where to go next would be great. Downgrading to 10.7 then back up may be an option but would prefer not to have the downtime in production.
Maybe you can refer to the following link to set up RADIUS Server and ACL.