Guest wifi becomes OPEN after the NAC it set from NONE TO ISE NAC

Weezy-F · ‎05-26-2025

Hi All,

I'm just newbie on cisco Wireless. We have guest users that can't connect to our guest wifi using the UN and PW we provided and when they login it was loading only.

After some doing research I found this I set go to our WLC and set the NAC settings from NONE to ISE NAC and it allows the guest users to connect without entering the credentials. Our local IT said that the GUEST WIFI shows not secured and open. I set back the settings of NAS to NONE and rebooted the WLC and issue still persist. I did check our ACL WEB redirect and ISE policy and its all their. The problem is its nor generating logs anymore. I need your help.

I'm thinking its open now, should I disable the guest wifi SSID?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216191-troubleshoot-common-cisco-ise-guest-acce.html

https://community.cisco.com/t5/wireless/what-does-nac-state-do/td-p/3859969

marce1000 · ‎05-26-2025

- @Weezy-F What type of wireless controller and software version are you using ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Weezy-F · ‎05-26-2025

We are using AIR-CT3504-K9

Saikat Nandy · ‎05-26-2025

I am assuming that you are using CWA. Please ensure that the config is as per - https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html.

Weezy-F · ‎05-26-2025

o I just found out that when I compare the settings of all of our WLC in APAC sites, the GUEST WIFI NAC Settings is set to ISE NAC. This will allow the users to enter the UN and PW once only and will automatically connect them. Also I notice the other guest WIFI on other APAC sites are open too so it's safe I think as we have mac filtering and policy, web-auth redirect and policies on CISCO ISE.

But right now we are having an issue again, the local IT said new guest users can't connect on WLC again so I set the NAC to NONE and it allows them to connect again which is weird lol.

Haydn Andrews · ‎05-26-2025

The insecure is due to the SSID using open authentication, captive portals are this way. You would need to set the SSID to OWE which may have client support issues.

Other options are to change to WPA2/3 Enterprise and use EAP-PEAP authentication

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Weezy-F · ‎05-26-2025

Hi Haydn,

So I just found out that when I compare the settings of all of our WLC in APAC sites, the GUEST WIFI NAC Settings is set to ISE NAC. This will allow the users to enter the UN and PW once only and will automatically connect them. Also I notice the other guest WIFI on other APAC sites are open too so it's safe I think as we have mac filtering and policy, web-auth redirect and policies on CISCO ISE.

But right now we are having an issue again, the local IT said new guest users can't connect on WLC again so I set the NAC to NONE and it allows them to connect again which is weird lol.

Weezy-F · ‎05-26-2025

I did send you a private message please check.