Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
674
Views
0
Helpful
2
Replies

Web Authentication via ISE in CWA

Usama Waheed Khan
Level 1
Level 1

‎03-05-2013 11:14 AM - edited ‎07-03-2021 11:40 PM

Hi,

I have setup a SSID "GUEST" which will use web authentication, and i have followed Cisco's CWA document right down to the last step. However, wen i authenticate via Guest portal on ISE i get full access to the network i.e. even the core switches and all, but i just want to give access to the internet. Is this possible? I have tried using the auth acl but to no avail. Tried the authorization profile but still full access to the internet.

P.S : I dont want to create a seperate VLAN for guest and which has access only to the internet.

Regards,

Usama

Labels:
0 Helpful
2 Replies 2

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎03-05-2013 11:21 AM

Well honestly....adding a VLAN dedicated for guests and ACL it from the rest of the network would be the best practice, IMHO.

Other than that, you would need to create an ACL on the WLC, and assign that to the user when the logged in via ISE. Though I'm not sure you could return that attribute without doing 802.1x

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Usama Waheed Khan
Level 1
Level 1
In response to Stephen Rodriguez

‎03-05-2013 11:27 AM

Hi,

Thanks for your reply. Yeh i know tht is the way to go but I want to see what can be done with ISE. See with CWA setup we use the NAC Radius mode and tht accepts CoA but is there any attribute in it tht can be returned that allows this? Furthermore, how do we do it with 802.1x?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card