Solved: Wireless Guest Authentication via ISE

Scott Plank · ‎02-05-2025

For our guest network, we have a C9800-40 WLC acting as a foreign controller, and a C9800L acting as an anchor controller. The anchor is in our DMZ and helps keep the guest network completely segregated from our internal network. Currently, we have a login portal hosted on the Anchor WLC. The guest SSID is setup on the WLC with a MAC filter to bypass the login portal if the device is added to the correct bypass group in ISE. If not, the users authenticate through the login portal with local guest accounts on the WLC managed by Prime Infrastructure. One of the issues we've run into with the 9800 WLCs is that the "never expires" guest accounts in Prime are not supported by the WLC, and for those it just sets the expiration time to the maximum, which is 1 year. So after 1 year, we have a whole slew of "never expires" guest accounts that expire and stop working and have to be re-added to the anchor WLC.

In order to get around this, I want to look at moving away from local guest accounts on the WLC and use ISE to authenticate guest users via the login portal hosted on the WLC. I've started by setting up a test SSID that duplicates our current guest setup, configured the authentication and authorization on the anchor WLC to point to ISE (via RADIUS), and setup a new Policy Set in ISE for the new SSID. The issue that I'm running into is that if the device has never been seen by ISE before, it will connect to the SSID, obtain an IP address, get redirected to the guest portal on the WLC, successfully authenticate on the guest portal with ISE (I can verify it succeeds in the RADIUS logs in ISE), but then it does not have Internet access. At this point, both the foreign and anchor WLCs show the client in the Run state.

I can now forget the SSID on the client, delete the client from the WLC (either the foreign or the anchor - doesn't matter), then reconnect and I now have Internet access. What piece am I missing to give it Internet access from the get-go without having to do all that? I'm guessing it has something to do with the CoA after the MAC bypass fails and the portal login succeeds? I do have the test SSID configured with "Allow AAA Override" and "NAC State" under Policy Profile > Advanced on both the foreign and anchor WLCs.

The process flow appears to be: Connect to Test Guest SSID > Obtain IP Address > ISE Test Guest SSID Policy Set > Test Guest SSID MAC Bypass Authentication Policy > Test Guest SSID Default Authorization Policy (DenyAccess) > MAB has now failed and client is redirected to Login portal hosted on WLC (this redirect is done by the WLC) > Enter credentials in portal > ISE Test Guest SSID Policy Set > Test Guest SSID Authentication Policy > Test Guest SSID Authorization Policy (PermitAccess) > Is there something after this that I'm missing?

Any help figuring this out would be greatly appreciated. Having a hard time finding documentation/configuration examples for this exact scenario. Most involve ISE hosting the guest portal, which we don't want to do, as doing so would require allowing the guest network to talk to ISE, and we would like our guest network to remain isolated from our internal network.

I checked in ISE under Administration > System > Settings > Profiling and CoA Type is set to Reauth.

This looks fairly similar to what I'm trying to do? It is using older versions of ISE and AireOS WLCs, though: https://community.cisco.com/t5/wireless-mobility-knowledge-base/central-web-authentication-cwa-for-guests-with-ise/ta-p/3121101 - I will probably go through this tomorrow and see if anything in there is helpful.

Scott Plank · ‎03-18-2025

Yes to both. No CoA traffic was seen between ISE and the WLCs. Turns out it's not needed in this setup. TAC actually helped me figure this out last week.

I did some additional testing, which amounted to attempting to connect to the SSID 40 times in a row. Between each attempt, I would remove the device from ISE and deauth the client from the foreign WLC so it would be seen as a brand new client each time. I figured out that the client actually gets succesfully connected about 25% of the time, but 75% of the time it gets stuck in a DNS-only state, despite the authentication succeeding each time.

In this particular setup, we needed to uncheck "Allow AAA Override" and "NAC State" in the Advanced tab of the Policy Profile. For the CLI, this would be the equivalent of:

wireless profile policy <Policy Name>
 no aaa-override
 no nac

I'm guessing it's because we're not actually using ISE to override the VLAN that the client ends up landing in, since we're using a foreign/anchor setup and our guest clients are already in the isolated network and it doesn't change. Just a result of there not being a configuration guide that exactly matches the specific setup that we have, and most of the ones I looked at included using AAA Override and NAC State.

Anyway, after making that change on both the foreign and anchor WLC, the client now works 100% of the time and we're good to start moving forward on this. Shoutout to Zack A. on the Cisco Wireless TAC team for helping me out with this.

View solution in original post

Haydn Andrews · ‎02-05-2025

Looks like your trying to do Central Web Auth with an anchor WLC

The config guide for this is here: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216500-catalyst-9800-central-web-authenticati.html

You mention its going to guest portal on the WLC, why not move it to guest portal on ISE?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Scott Plank · ‎02-05-2025

I answered this in the post:

"Most involve ISE hosting the guest portal, which we don't want to do, as doing so would require allowing the guest network to talk to ISE, and we would like our guest network to remain isolated from our internal network."

Scott Plank · ‎02-06-2025

Unfortunately, the config guide you linked is for a guest portal hosted on ISE, and was not helpful.

Scott Fella · ‎02-06-2025

Have you looked at this guide? 9800 LWA with external authentication in ISE:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-l-wireless-controller/220405-configure-local-web-authentication-with.html

-Scott
*** Please rate helpful posts ***

Scott Plank · ‎02-06-2025

I did - unfortunately, that guide does not cover the MAC bypass piece that allows whitelisted MAC addresses added to the correct group in ISE to bypass the login portal. Is it just not possible to host the login portal on the WLC and have ISE authenticate both MAB and portal logins? I'm currently playing around with having ISE return the redirect URL and a redirect ACL with custom cisco av pairs (see screenshot), but I'm still not quite getting there. With this setup, I get connected, but it just continually adds the url-redirect to the end of the URL in the browser and never pulls up the login portal.

http://guest.wlcportal.org/?redirect=http://guest.wlcportal.org/?redirect=http://guest.wlcportal.org ...etc.

Scott Fella · ‎02-06-2025

Yeah... that is an interesting setup. Since you are using an anchor, what do you see on the anchor controller that ISE sends back.

-Scott
*** Please rate helpful posts ***

Scott Plank · ‎02-06-2025

@Scott Fella wrote:
Yeah... that is an interesting setup. Since you are using an anchor, what do you see on the anchor controller that ISE sends back.

Where would I look for that on the Anchor? We talking logging messages, Wireshark capture, or something else?

Scott Plank · ‎02-06-2025

Just stumbled across this configuration guide, which appears at first glance to be what I'm wanting to do. I'll go through this tomorrow and see what I can figure out: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222209-configure-verify-and-troubleshoot-web-au.html

Rich R · ‎03-18-2025

Did you check that CoA is allowed through any ACLs/firewalls between ISE -> WLC (UDP 1700)?
And that ISE IP and radius secret is configured under "aaa server radius dynamic-author"?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Plank · ‎03-18-2025

Yes to both. No CoA traffic was seen between ISE and the WLCs. Turns out it's not needed in this setup. TAC actually helped me figure this out last week.

I did some additional testing, which amounted to attempting to connect to the SSID 40 times in a row. Between each attempt, I would remove the device from ISE and deauth the client from the foreign WLC so it would be seen as a brand new client each time. I figured out that the client actually gets succesfully connected about 25% of the time, but 75% of the time it gets stuck in a DNS-only state, despite the authentication succeeding each time.

In this particular setup, we needed to uncheck "Allow AAA Override" and "NAC State" in the Advanced tab of the Policy Profile. For the CLI, this would be the equivalent of:

wireless profile policy <Policy Name>
 no aaa-override
 no nac

I'm guessing it's because we're not actually using ISE to override the VLAN that the client ends up landing in, since we're using a foreign/anchor setup and our guest clients are already in the isolated network and it doesn't change. Just a result of there not being a configuration guide that exactly matches the specific setup that we have, and most of the ones I looked at included using AAA Override and NAC State.

Anyway, after making that change on both the foreign and anchor WLC, the client now works 100% of the time and we're good to start moving forward on this. Shoutout to Zack A. on the Cisco Wireless TAC team for helping me out with this.

Rich R · ‎03-18-2025

Ok thanks - good to know @Scott Plank

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390