Solved: WLC (Foreign-Anchor), problem with the external web auth --> ISE

armando.barrera · ‎02-26-2014

hello guys

I am currently designing a platform for a guest network, which must be isolated from the local network, the following equipment:

ISE 1.2 (Cisco SNS- 3415-K9)
WLC 7.0.230.0 (Cisco controller 5508)---> wlc Foreign
WLC 7.0.230.0 (Cisco controller 5508)---> wlc Anchor.

The EoIP tunnel between wlc is performed successfully.

The wireless client gets IP address of the anchor wlc (DHCP server).

Test 1:

I configure the WLC ANCHOR with local web authentication (internal), the wireless client is authenticated by WLC and navigate successfully.

Test 2:

Configure the WLC to anchor external web authentication (ISE). configure a user in ISE guest portal.

The wireless client gets IP address of the anchor wlc (DHCP server), attempting to navigate not display the guest portal.

Debug a wireless client trying to connect to the guest network is attached.

Scott Fella · ‎02-26-2014

That is correct.... they have a minimum required code version that is supported for this.

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***

View solution in original post

Scott Fella · ‎02-26-2014

You need to use a pre-auth acl when using an external WebAuth. I also don't know if ISE supports that version of WLC code.

See table 1

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html#wp86757

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

armando.barrera · ‎02-26-2014

Hi Scott

I'm using the following settings in the anchor wlc, attached print screen (wlc anchor setting.jpg)

I can´t configure external web authentication if the code of the WLC is not supported by the ISE?

Thk..

Scott Fella · ‎02-26-2014

That is correct.... they have a minimum required code version that is supported for this.

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***

armando.barrera · ‎02-26-2014

Hi Scott

Wlc anchor and foreign must have the same code?
I can only update the anchor wlc to version 7.3 and keep wlc foreing code 7.0.230 ?

Thk...

Scott Fella · ‎02-26-2014

No they don't... its prefered, but not a requirement.

http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-149658

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***

armando.barrera · ‎02-27-2014

Thanks for your help Scott...

Now I presents another problem with the guest portal page. The wireless client obtains IP address and managed to reach the guest portal page, then enter the username and password page tells me it was successful. When I try to browse again brings me to the portal visitor page and asks me to enter user name and password.

test 1:

the username and password created for away was verified.

Scoot will have some implementation details with the same scenario I am developing? I think I'm missing some details in the ISE does not allow me to navigate the entrance for visitors to be successful.

Scott Fella · ‎02-27-2014

Hard to say... do you see any logs for the client trying to connect? Are they failing? I don't know your full setup, but here is a simple guide that you may want to skim over and verify you did everything:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***