03-18-2015 04:38 AM - edited 07-05-2021 02:44 AM
Hi All,
I'm hitting a rather unusual issue with our Guest WLAN users. Firstly, let me describe the topology:
2 x 5508 WLCs, one Foreign and one Anchor, with a mobility tunnel between the two WLCs, as the Guest WLAN is on the WLC sitting in the DMZ.
30+ 2702i APs running in FlexConnect mode for the Dot1X WLAN and Central Switching for the Guest WLAN.
Cisco ISE 1.3 acting as RADIUS server and providing Authentication and Authorisation policies.
Dot1x Authentication and Authorisation work fine with Dynamic VLAN assignment based on AD memberships.
The issue is with the Guest WLAN: from a security perspective we weren't allowed to use Central Web Authentication using L2 MAC filtering with L3 Security of None, as described in Cisco document 115732.
So the Guest WLAN has been set up with no L2 security and L3 Security of Web Policy, with Web Authentication to an External Server (i.e. Cisco ISE) and RADIUS override on the Advanced tab of the Guest WLAN.
So a client connects to the Guest WLAN SSID, receives a DHCP IP address hosted by the Anchor WLC, then opens a browser and types in a URL. The security message is presented, "Continue to this website (not recommended)" is selected, and the process of receiving the Web Redirect sign-on page begins and hangs around forever.
Depending on the client (e.g. an Apple iPad) the sign-on page loads correctly, although it can be slow to start with, and a successful login is completed; but with Windows clients and MacBook Airs there is an issue with the browser either timing out the page (a retry is necessary) or we can't move beyond the following page: https://x.x.x.x:8443/portal/PortalSetup.action?portal=194a5780-5e4e-11e4-b905-005056bf2f0a?switch_url=https://1.1.1.1/login.html&client_mac=00:23:4e:86:98:3c&wlan=GUEST&redirect=www.cisco.com/
Any suggestions would be really appreciated with this as it's creating a lot of frustration.
Thanks in advance.
Regards,
Mark
03-18-2015 06:49 AM
Is the SSL certificate presented to the user's device an externally trusted certificate, i.e. GeoTrust?
03-18-2015 07:43 AM
Hi Stephen,
No it's an internal CA cert for the ISE server. Should it be an external CA trusted certificate?
Thanks,
Mark
03-19-2015 03:11 AM
Hi Mark,
Yes, the Guest cert will need to be external, because Guest users, if they have a non-corporate laptop for example, will not have your internal company certs installed in their browser (the ones you loaded onto ISE), so they cannot trust your internal cert.
If you open Firefox or IE and look under Options/Security/View Certificates you will see a list; if it's a Guest you will see well-known public certs like GeoTrust, Verisign etc.
For my setup I bought a GeoTrust cert and loaded this into ISE. This way Guests will always trust the GeoTrust ISE cert, like https://guest.com for example, and the login will appear and be trusted.
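A quick way to see the portal the way a guest browser sees it, before and after swapping the certificate, is to validate the portal's TLS chain against the operating system trust store only, with hostname checking on. The script below is an added example written for this thread, not code from the original posters or from Cisco; the host, port and FQDN are placeholders and the classifier's error strings come from Python's `ssl` module and OpenSSL. Note the redirect URL in the question points at an IP address (https://x.x.x.x:8443/...): even a publicly trusted certificate will fail hostname validation there unless the IP is in its SAN, so the portal should be reached by the FQDN the certificate was issued for.

```python
"""Check a captive-portal certificate the way an unmanaged guest device would.

Added example, not from the original thread. Uses only the Python standard
library. ssl.create_default_context() loads the OS root store and enables
hostname checking, which is the closest stand-in for a guest browser that
has none of your internal CA certificates installed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortalCertCheck:
    trusted: bool   # chain built to an OS-trusted root and the name matched
    reason: str     # ssl/OpenSSL error text, or "ok"
    advice: str     # what to change on the portal side


# Substrings of ssl.SSLCertVerificationError messages (lower-cased) mapped to
# remediation. OpenSSL 1.1 says "self signed", OpenSSL 3 says "self-signed".
# First match wins, so order matters.
_NAME_ADVICE = ("Redirect host is not in the certificate's SAN. Redirect to the "
                "portal FQDN the cert was issued for (not an IP), or reissue the cert.")
_VERIFY_ADVICE = (
    ("self-signed certificate", "Portal presents a self-signed cert; guests cannot trust it. Install a cert from a public CA."),
    ("self signed certificate", "Portal presents a self-signed cert; guests cannot trust it. Install a cert from a public CA."),
    ("unable to get local issuer certificate", "Issuer is not in the guest's trust store (internal CA or missing intermediate). Use a public CA and serve the full chain."),
    ("certificate has expired", "Certificate has expired; renew it."),
    ("hostname mismatch", _NAME_ADVICE),
    ("ip address mismatch", _NAME_ADVICE),
)


def classify_verify_error(message: str) -> PortalCertCheck:
    """Map a certificate-verification failure to a concrete fix."""
    lower = message.lower()
    for needle, advice in _VERIFY_ADVICE:
        if needle in lower:
            return PortalCertCheck(False, message, advice)
    return PortalCertCheck(False, message,
                           "Chain validation failed for another reason; inspect with openssl s_client.")


def check_portal_cert(host: str, port: int = 8443,
                      server_name: Optional[str] = None,
                      timeout: float = 5.0) -> PortalCertCheck:
    """Handshake with the portal using OS roots only, like a guest browser."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    sni = server_name or host                   # what the browser would put in the URL
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert["subject"])
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return PortalCertCheck(
                    True, "ok",
                    f"Trusted: CN={subject.get('commonName')} issued by "
                    f"{issuer.get('organizationName')}; nothing to change.")
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(str(exc))
    except (ssl.SSLError, OSError) as exc:
        return PortalCertCheck(False, str(exc),
                               "Connection or handshake failed before certificate validation.")


if __name__ == "__main__":
    # Placeholder portal FQDN/port (assumption); substitute your ISE PSN.
    result = check_portal_cert("guest.example.com", 8443)
    print(f"trusted={result.trusted}\nreason={result.reason}\nadvice={result.advice}")
```

Run it from a machine that has never had the internal CA pushed to it; `trusted=True` there is the condition under which the WLC redirect to the ISE portal will render without the browser's certificate warning.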