Mobility Express Configuration for Central Web Authentication not working

Muli
Frequent Visitor

Hi,

I am new to Mobility Express 3800 Access Points and struggling to get it working for Guest users. I want to configure a Guest WLAN using Central Web Authentication via ISE. In ME, I have configured my AP as attached in guest_wlan_internal.png. Can someone please confirm these WLAN settings are correct for Central Web Authentication?

In WLAN Security Tab > Captive Portal: I have only three options to select, that is Internal Splash Page, CMX Portal, and External Splash Page.

I have configured the ACL in the VLAN & Firewall tab to allow traffic to ISE, DNS, HTTP, HTTPS for the redirection to work. I can see users successfully associate with the SSID and ISE shows MAB authentication successful. But Guest users never get redirected to the Sponsored_Guest_Portal.

In the Logs, I can see the users are getting an IP address assigned once MAB is successful and their DNS requests are reaching the DNS server.

In ISE I have configured the Redirection profile as attached in ise_redirection_profile.

I have unfortunately seen several documents on Mobility Express but still can't find the correct settings for my Mobility Express running code 8.5.

Thanks in advance.

Regards,

4 Replies

Ric Beeching
Level 11

It looks like ME needs to be running 8.7 or above to use this feature, so if you are stuck on 8.5 due to AP hardware you will have to find an alternative.

You actually don't want to use captive portal/guest network, as the ME AP will be told by ISE via an AAA-Override to use the pre-auth ACL and web auth redirect. As per the instructions in the link below, select Security Type as Central Web Auth, which will then automatically enable most of the supporting settings.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_cisco_mobility_express_8_7/b_cisco_mobility_express_8_7_chapter_0110.html#concept_40A2549B001F4FED9656FFDA49DC3F53

This other forum link indicates you may need to activate Captive Network Assistant, but I'm not sure if that depends on your software version. Ignore the BYOD (Single-SSID) config in this link.

https://community.cisco.com/t5/security-documents/configuring-cisco-mobility-express-ap-with-ise/ta-p/3641390

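An added example, not code from this thread or from Cisco, that models the pieces the reply above describes: the ISE AAA override arrives as Cisco AV pairs naming a pre-auth ACL and a redirect URL, and the AP only honours it when the WLAN is in Central Web Auth mode and that ACL exists on the AP. It assumes AireOS pre-auth ACL semantics (permitted traffic passes, anything else is intercepted and redirected); the ACL name, host names, session id and portal id are constructed placeholders.

```python
# Added example (not from the thread or from Cisco). Models the CWA pieces
# the reply describes: ISE's AAA override (Cisco AV pairs) and the AP's
# named pre-auth ACL. Assumes AireOS semantics: permitted traffic passes,
# anything else is intercepted and redirected. All values are constructed.
from urllib.parse import urlsplit

# Constructed Access-Accept attributes as an ISE CWA authorization profile sends them.
ISE_AVPAIRS = [
    "url-redirect-acl=GUEST_CWA_REDIRECT",
    "url-redirect=https://ise.example.net:8443/portal/gateway"
    "?sessionId=0a000a0100000013&portal=PORTAL-ID-PLACEHOLDER&action=cwa",
]

# Constructed AP ACLs: name -> rules of (action, proto, dst_host, dst_port).
AP_ACLS = {
    "GUEST_CWA_REDIRECT": [
        ("permit", "udp", "any", 53),                # DNS must pass
        ("permit", "tcp", "ise.example.net", 8443),  # ISE portal must pass
        ("permit", "tcp", "any", 80),                # exempts all HTTP: nothing left to redirect
    ],
}

def parse_avpairs(avpairs):
    """Split 'key=value' Cisco AV pairs into a dict (split on the first '=' only)."""
    return dict(pair.split("=", 1) for pair in avpairs)

def check_cwa(avpairs, acls, wlan_security="central-web-auth"):
    """Return reasons a MAB-authenticated client would never be redirected."""
    findings = []
    if wlan_security != "central-web-auth":
        findings.append("WLAN security type is not Central Web Auth; AAA override is ignored")
    override = parse_avpairs(avpairs)
    acl_name, redirect = override.get("url-redirect-acl"), override.get("url-redirect")
    if not acl_name or not redirect:
        return findings + ["ISE profile lacks url-redirect-acl or url-redirect"]
    rules = acls.get(acl_name)
    if rules is None:
        return findings + [f"ACL {acl_name!r} named by ISE is not defined on the AP"]
    portal = urlsplit(redirect)

    def permits(proto, host, port):  # host=None means "to any destination"
        return any(a == "permit" and p == proto and pt == port
                   and (host is None or h in ("any", host)) for a, p, h, pt in rules)

    if not permits("udp", None, 53):
        findings.append("pre-auth ACL blocks DNS; client cannot resolve the portal")
    if not permits("tcp", portal.hostname, portal.port or 443):
        findings.append("pre-auth ACL blocks the ISE portal host/port")
    if permits("tcp", "any", 80) or permits("tcp", "any", 443):
        findings.append("pre-auth ACL permits all web traffic, so nothing is intercepted")
    return findings
```

Run `check_cwa(ISE_AVPAIRS, AP_ACLS)` to see the constructed ACL flagged for permitting all HTTP; dropping that rule leaves only DNS and the ISE portal permitted and the checker returns no findings.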

Thanks Ric,

I am looking to upgrade to 8.7, hopefully sometime next week, on one of the APs to test. But can you please clarify what you mean by:

"You actually don't want to use captive portal/guest network as the ME AP will be told by ISE via a AAA-Override to use the pre-auth ACL and web auth re-direct. As per the instructions in the link below, select Security Type as Central Web Auth which will then automatically enable most of the supporting settings."

Do I not need to enable the Sponsored Guest Portal in ISE?

If yes, then do you mean I should only create guest users via the Sponsored Admin Portal, and once the APs are upgraded to 8.7 or the latest release, the "Central Web Auth" option on the AP will still prompt the user to key in their credentials? And since the MAB and Guest Flow rules will already be created in ISE, the redirect will work?

Thanks

 

> I am looking to upgrade to 8.7 hopefully sometime next week

Don't use 8.7! While that is the first release to support the feature, 8.7 was a short-lived release with many bugs, not updated since 2018.

If you're going to upgrade, then go for 8.10.142.0: https://software.cisco.com/download/home/286304536/type/286289839/release/8.10.142.0

 


Set up your ISE central web auth rules as in any other setup and create your guest users as static accounts or via sponsor; it's up to you, but you don't have to use the sponsor portal.

That second link I posted is the most useful, as it outlines the ME configurations required to work with CWA.

https://community.cisco.com/t5/security-documents/configuring-cisco-mobility-express-ap-with-ise/ta-p/3641390

Also yes, I completely agree with rrudling that you should be running 8.10 if your APs support it, as 8.7 and 8.9 are deferred and 8.8 isn't being developed anymore.

Cheers,

Ric
