05-23-2012 12:51 PM - edited 07-03-2021 10:12 PM
Hi
Trying to use ISE (1.1) as an external webauth within a FlexConnect/H-REAP setup (WLC: 7.2.103)... Can't get it to work. After a lot of testing/troubleshooting I found this: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#webauth
That says: "External web Authentication is only supported on a centrally switched WLAN"
Can anyone explain why/how this should be an issue? Has anyone got it to work?
BG
Kasper
05-23-2012 02:24 PM
It has to do with the traffic flow. For external webauth you need the pre-auth ACL configured allowing the client to reach the ISE. But the WLC doesn't have that control if the guest traffic is going to be locally switched.
Steve
09-21-2012 07:28 AM
Hi Stephen,
Can you please explain the traffic flow for an HREAP AP with an SSID which is webauth configured and has local switching enabled? This is how I see it:
1. Client sends a DHCP request and gets an IP on the locally defined VLAN on the HREAP AP
During this, the controller gets to know of the client association via the CAPWAP control message from the HREAP AP
2. Client opens a browser and enters a website address (google.com) and gets the controller webauth login page
Is this step happening in the CAPWAP tunnel or outside it? The TCP communication between client and WLC
3. Client enters username and password for webauth
But the WLC virtual IP is not routed anywhere, so how will the username and password reach the WLC? (Through the CAPWAP tunnel?)
4. Controller checks the username/password, either locally defined or on a NAC guest server or ISE?
If the username/password reaches the controller, it should be able to verify the credentials with an external entity like NGS or ISE?
regards
Joe