07-17-2013 07:44 PM - edited 07-04-2021 12:27 AM
Hi all,
We are using the auto-anchor mechanism for guest clients. The anchor controller is placed after the firewall. The guest VLAN will have reachability only to the internet.
We want to use ISE for web authentication.
Since the client subnet does not have reachability to ISE, the redirection page is not coming up, and we can't allow the client subnet to access internal resources.
So, is there a way for the WLC to forward its own web auth page to clients, while still checking the credentials with ISE?
Thanks for your help
Regards,
Vijay.
07-17-2013 08:00 PM
Hello,
Here is a short Cisco doc that would answer your queries. It also has a configurable example:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml
07-17-2013 08:16 PM
Hi Mantej Magat,
Thanks for your reply.
I have gone through the document. As per it,
the login page is from an external web server, and users are authenticated against the local database in the WLC.
But our requirement is:
the login page is from the WLC, and users are authenticated against the ISE database.
Is that possible?
07-17-2013 10:57 PM
Yes that is possible.
Under the WLAN configuration:
• set layer 2 security to none
• set layer 3 to webauth (override to local or make sure global is set to local)
• point to the radius server (ISE) on the AAA servers tab. On the same tab change the authentication priority for webauth to radius > local
Sent from Cisco Technical Support iPhone App
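The same three settings as AireOS CLI commands, as an added example that is not part of the original reply. WLAN ID 2, RADIUS server index 1, the ISE address 192.0.2.10 and the shared secret are constructed placeholders; lines starting with `#` are annotations, not commands, and the syntax should be checked against the command reference for the controller's release.

```text
# Constructed values: WLAN ID 2, RADIUS index 1, ISE at 192.0.2.10.
# Disable the WLAN while its security settings are changed.
config wlan disable 2

# Define ISE as a RADIUS authentication server (placeholder secret).
config radius auth add 1 192.0.2.10 1812 ascii <shared-secret>

# Layer 2 security: none.
config wlan security wpa disable 2

# Layer 3 security: web authentication, using the controller's
# internal login page (global web auth type set to internal and
# the WLAN following the global setting).
config wlan security web-auth enable 2
config custom-web webauth_type internal
config wlan custom-web global enable 2

# Attach the ISE RADIUS server to this WLAN.
config wlan radius_server auth add 2 1

# Web-auth credential check order: RADIUS first, then local.
config wlan security web-auth server-precedence 2 radius local

# Re-enable the WLAN and review the resulting settings.
config wlan enable 2
show wlan 2
```

With this layout only the controller talks RADIUS to ISE, so the guest subnet needs no route or firewall rule toward ISE or other internal resources.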
07-18-2013 05:41 AM
Hi Viten,
Really, thanks for your help. It worked.
But again, ISE and AD communication is not happening properly for the L3 SSID.
When the user tries to connect, he is getting the redirect URL. But during authentication, we are getting this error in ISE:
"ise has problems communicating with active directory using its machine credentials", and authentication fails.
Apart from this, we have one more SSID configured for L2 auth, and authentication is happening properly between the client, ISE and AD.
Only for L3 is it not working. Could you please suggest?
07-18-2013 09:39 AM
Vijay,
Can you check which authorization policy you are hitting for L3 auth and L2 auth on ISE? Maybe you will need to add or modify a rule on ISE.
07-18-2013 01:24 PM
Hi Viten,
We have allowed the default permit-access authorization policy for clients once they are authenticated.
For the authentication policy, in the default list we are using the AD server as the external identity store.
07-19-2013 02:45 PM
Hello,
As per your query, I can suggest the following solution:
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) in order to find more information on the commands used in this document.
Complete these steps in order to configure the devices for EAP authentication:
Hope this will help you.