02-11-2021 12:28 PM - edited 07-05-2021 01:13 PM
Hi,
I am new to Mobility Express 3800 Access points and struggling to get it working for Guest users. I want to configure Guest WLAN using Central Web Authentication via ISE. In ME, I have configured my AP as attached guest_wlan_internal.png. Can someone please confirm these WLAN settings are correct for Web Central Authentication?
In WLAN Security Tab > Captive Portal: I have only three options to select, that is Internal Splash Page, CMX Portal, and External Splash Page.
I have configured the ACL in VLAN & Firewall tab to allow traffic to ISE, DNS, HTTP, HTTPS for the redirection to work. I can see users successfully associate with the SSID and ISE shows MAB authentication successful. But Guest users never get re-directed to the Sponsored_Guest_Portal.
In the Logs, I can see the users are getting an IP Address assigned once MAB is successful and their DNS request is reaching the DNS server.
In ISE I have configured the Redirection profile as attached in ise_redirection_profile.
I have unfortunately seen several documents on Mobility Express but still can't find the correct settings for my Mobility Express running code 8.5.
Thanks in advance.
Regards,
02-11-2021 10:53 PM - edited 02-11-2021 10:54 PM
It looks like ME needs to be running 8.7 or above to use this feature so if you are stuck on 8.5 due to AP hardware you will have to find an alternative.
You actually don't want to use captive portal/guest network as the ME AP will be told by ISE via a AAA-Override to use the pre-auth ACL and web auth re-direct. As per the instructions in the link below, select Security Type as Central Web Auth which will then automatically enable most of the supporting settings.
This other forum link indicates you may need to activate Captive Network Assistant but I'm not sure if that depends on your software version. Ignore the BYOD (Single-SSID) config in this link.
02-12-2021 03:00 PM - edited 02-12-2021 03:01 PM
Thanks Ric,
I am looking to upgrade to 8.7 hopefully sometime next week on one of the APs to test. But can you please clarify what you mean by:
"You actually don't want to use captive portal/guest network as the ME AP will be told by ISE via a AAA-Override to use the pre-auth ACL and web auth re-direct. As per the instructions in the link below, select Security Type as Central Web Auth which will then automatically enable most of the supporting settings."
Do I not need to enable the Sponsored Guest Portal in ISE?
If yes then do you mean I should only create guest users via Sponsored Admin Portal and once the APs are upgraded to 8.7 or latest release, the "Central Web Auth" option on the AP will still prompt the user to key in their credentials? And since MAB and Guest Flow rules will already be created in the ISE, the re-direct will work?
Thanks
02-13-2021 04:59 AM
> I am looking to upgrade to 8.7 hopefully sometime next week
Don't use 8.7! While that is the first release to support the feature, 8.7 was a short-lived release, many bugs, not updated since 2018.
If you're going to upgrade then go for 8.10.142.0: https://software.cisco.com/download/home/286304536/type/286289839/release/8.10.142.0
02-13-2021 05:04 AM
Set up your ISE central web auth rules as any other setup and create your guest users as static accounts or sponsor - it's up to you but you don't have to use sponsor portal.
That second link I posted is the most useful as it outlines the ME configurations required to work with CWA.
Also yes completely agree with rrudling that you should be running 8.10 if your APs support it as 8.7 and 8.9 are deferred and 8.8 isn't being developed anymore.
Cheers,
Ric