Cisco Mobility Express 8.10.130 and CWA with ISE Guest Portal

มาค
Beginner

Hello all, I need some advice.

I am trying to set up a Guest WLAN on Mobility Express with the ability to authorize guests through an ISE Guest Portal (Sponsored or any other kind).
I had ME 8.5.151 and I purposely upgraded it to 8.10.130.
But in this version I do not see the ability to attach a url_redirect ACL/pre-auth ACL to a WLAN. I created a redirect ACL under the advanced security settings, but I do not see how to map it to the WLAN.

WLAN Security Settings (you will see there are no options for a redirect ACL or a pre-auth ACL): wlan_sec_tab.png

 

Redirect ACL: redirect_acl.png

 

But in ME version 8.8.100 I see these options (an automatically generated redirect ACL and the ability to create a pre-auth ACL).

Can I set up a Guest WLAN with the ISE Guest Portal in this version (8.10.130), or should I upgrade/downgrade to some other version?

 
 
7 Replies

keibler09
Beginner

Have you resolved this issue yet? I am attempting the same configuration and there is a lack of documentation to cover this use case.

 

 

Rps-Cheers
Collaborator

Maybe you can refer to this deployment example:

LWA and CWA for Cisco WLC and Mobility Express

https://timnetworks.rs/wpe/2019/07/01/lwa-and-cwa-for-cisco-wlc-and-mobility-express/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Rps-Cheers,

 

That was a good article but did not resolve the issue in 8.10.151.0. The support to add an ACL via the CLI seems to have been disabled.

 

(Cisco Controller) >config
(Cisco Controller) config>flexconnect acl rule add me_cwa_acl_redirect_1 1
   Error! Invalid ACL name.
(Cisco Controller) config>flexconnect acl rule add ?
   <name>         Enter IPv4 ACL name up to 32 alphanumeric characters.
(Cisco Controller) config>flexconnect acl rule add test ?
  <index>        Enter rule index between 1 and 64.
(Cisco Controller) config>flexconnect acl rule add test 1
  Error! Invalid ACL name.

However, in the Cisco Mobility Express User Guide, Cisco Wireless Release 8.10, on page 115, section "Applying the ACL to WLAN at Pre-Auth Level", it has you apply the ACL via the GUI. I am going to try the following sections of the doc and see what happens.

 

Applying the ACL to WLAN at Pre-Auth Level

Applying the ACL to WLAN at Post-Auth Level

Configuring AAA Override in WLAN

 

 

 

 

I think you should create the ACL first and then add the rule.

eg.

(Cisco Controller) >config flexconnect acl create test
(Cisco Controller) >config flexconnect acl rule add test 1
(Cisco Controller) >config flexconnect acl apply test
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Rps,

I apologize for the delay in getting back to you on this one. I had other fires to put out. So in the meantime I turned up another AP with Mobility Express with 8.7 code, configured per the instructions, and it worked. So then I upgraded it to 8.10.151.0. After the upgrade it did not work due to the ACL entries being wiped out during the upgrade process, but the ACL was still configured without any entries. So I added the entries into the me_cwa_acl_redirect_1 pre-auth ACL and it started working again on the test AP.

Next I copied the configuration to the existing WLC and set up a WLAN exactly like the test AP. The communication seems to be good between the ISE server and ME controller; however, the client gets the redirect but does not connect to the URL. Packet captures show the communication between the controller and ISE, and within ISE I can see the authentication and redirect. It almost seems like a DNS issue, but the host is resolvable from the client when doing an nslookup.

redirected URL from the client browser:

https://<HOSTNAME_REMOVED>:8443/portal/gateway?sessionId=03c7a8c00000097f5c730061&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa&token=aa55c495b3a9f70a9dd74aeba8e57477&redirect=www.msftconnecttest.com/redirect 

 

Windows IPCONFIG Output while connected to SSID OPEN:

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :

IPv4 Address. . . . . . . . . . . : 192.168.225.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.225.1

C:\Users\VernonNelson>nslookup <HOSTNAME_REMOVED>

Server: <DNS_SERVER_NAME_REMOVED>
Address: 192.168.16.15

 

Name: <HOSTNAME_REMOVED>
Address: 192.168.16.75

 

PRE-AUTH ACL: Capture.JPG

 

Any ideas on where to go next would be great.  Downgrading to 10.7 then back up may be an option but would prefer not to have the downtime in production.
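The symptom above (client receives the redirect but never reaches the portal) is exactly the case where the pre-auth ACL entries matter: the still-unauthenticated client must be allowed to resolve the portal hostname against its DNS server and to open TCP to the ISE portal host on the port named in the redirect URL (8443 here), and nothing else should pass. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the CWA redirect URL, builds the two flows the client needs from the DNS server (192.168.16.15) and ISE host (192.168.16.75) shown in the post, and evaluates a rule list against them, first an ACL whose entries were wiped (as described after the upgrade) and then one with the needed permits. The rule model, the placeholder hostname `ise.example.invalid`, and the assumption that on an AireOS/Mobility Express redirect ACL traffic matching a permit rule passes while everything else is intercepted and redirected are mine; verify that semantic against your controller before relying on it.

```python
"""Sanity-check a Mobility Express pre-auth (redirect) ACL against a CWA redirect URL.

Added example, not from the thread. Assumptions (verify on your own controller):
  * AireOS/ME redirect-ACL semantics: traffic matching a permit rule passes
    without redirect; everything else is intercepted and redirected.
  * The client therefore needs permit rules for DNS to its resolver and for
    TCP to the ISE portal host:port named in the redirect URL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class AclRule:
    index: int
    action: str          # "permit" or "deny"
    protocol: str        # "tcp", "udp" or "any"
    dst: str             # CIDR, e.g. "192.168.16.75/32" or "0.0.0.0/0"
    dst_ports: tuple     # (low, high) inclusive; (0, 65535) = any port


@dataclass(frozen=True)
class Flow:
    name: str
    protocol: str
    dst_ip: str
    dst_port: int


def parse_cwa_redirect(url):
    """Break the ISE CWA redirect URL into the pieces the ACL has to allow."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "session_id": q.get("sessionId", [None])[0],
        "portal": q.get("portal", [None])[0],
        "action": q.get("action", [None])[0],
        "original_redirect": q.get("redirect", [None])[0],
    }


def first_match(rules, flow):
    """Return the lowest-index rule matching the flow, or None (implicit deny)."""
    for r in sorted(rules, key=lambda r: r.index):
        if r.protocol not in ("any", flow.protocol):
            continue
        if ip_address(flow.dst_ip) not in ip_network(r.dst, strict=False):
            continue
        lo, hi = r.dst_ports
        if not lo <= flow.dst_port <= hi:
            continue
        return r
    return None


def check_preauth_acl(rules, flows):
    """Map each flow name to 'pass' or 'redirect' under the assumed semantics."""
    result = {}
    for f in flows:
        m = first_match(rules, f)
        result[f.name] = "pass" if m is not None and m.action == "permit" else "redirect"
    return result


def required_flows(redirect_url, dns_server, ise_ip):
    """The two flows a redirected client must be able to complete pre-auth."""
    info = parse_cwa_redirect(redirect_url)
    return [
        Flow("dns", "udp", dns_server, 53),
        Flow("ise-portal", "tcp", ise_ip, info["port"]),
    ]


# Constructed sample data mirroring the post; the real hostname was scrubbed there.
REDIRECT_URL = (
    "https://ise.example.invalid:8443/portal/gateway?sessionId=03c7a8c00000097f5c730061"
    "&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa"
    "&token=aa55c495b3a9f70a9dd74aeba8e57477&redirect=www.msftconnecttest.com/redirect"
)
DNS_SERVER = "192.168.16.15"
ISE_IP = "192.168.16.75"

# An ACL whose entries were wiped by an upgrade: nothing is permitted, so even
# the portal itself is redirected and the browser never loads the page.
EMPTY_ACL = []

# The entries a working redirect ACL needs (destination side; add mirror rules
# for return traffic if your controller evaluates direction).
WORKING_ACL = [
    AclRule(1, "permit", "udp", f"{DNS_SERVER}/32", (53, 53)),
    AclRule(2, "permit", "tcp", f"{ISE_IP}/32", (8443, 8443)),
    AclRule(3, "deny", "any", "0.0.0.0/0", (0, 65535)),
]

if __name__ == "__main__":
    flows = required_flows(REDIRECT_URL, DNS_SERVER, ISE_IP)
    print(parse_cwa_redirect(REDIRECT_URL))
    print("empty ACL  :", check_preauth_acl(EMPTY_ACL, flows))
    print("working ACL:", check_preauth_acl(WORKING_ACL, flows))
```

Run it and compare the two results: with the emptied ACL both flows come back as "redirect", which matches the behaviour of a controller whose rules were lost on upgrade, while the populated ACL passes DNS and the portal. If your production ME shows the correct rules yet the client still stalls, the check to add next is whether the portal port in the URL (8443) matches the port your rule actually permits, and whether the client's DNS server is the one the ACL names.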

 

 

 

 

Maybe you can refer to the following link to set up the RADIUS server and ACL.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

I don't think it is an ACL issue. The ACL is the same on both APs. I am attaching screenshots of the configuration and the results of the authentications for both in a side-by-side view. The left side is the working test ME and the right is the production ME which does not work.
