WLC (Foreign-Anchor), problem with the external web auth --> ISE

armando.barrera
Level 1

Hello guys,

I am currently designing a platform for a guest network, which must be isolated from the local network, with the following equipment:

  • ISE 1.2 (Cisco SNS-3415-K9)
  • WLC 7.0.230.0 (Cisco controller 5508) ---> WLC Foreign
  • WLC 7.0.230.0 (Cisco controller 5508) ---> WLC Anchor

The EoIP tunnel between the WLCs is established successfully.

The wireless client gets an IP address from the anchor WLC (DHCP server).

Test 1:

I configure the anchor WLC with local web authentication (internal); the wireless client is authenticated by the WLC and browses successfully.

Test 2:

I configure the anchor WLC for external web authentication (ISE) and configure a user in the ISE guest portal.

The wireless client gets an IP address from the anchor WLC (DHCP server), but when it attempts to browse, the guest portal is not displayed.

A debug of a wireless client trying to connect to the guest network is attached.

Scott Fella
Hall of Fame

You need to use a pre-auth ACL when using an external WebAuth. I also don't know if ISE supports that version of WLC code.

See Table 1:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/compatibility/ise_sdt.html#wp86757


-Scott
*** Please rate helpful posts ***

Hi Scott,

I'm using the following settings on the anchor WLC; see the attached screenshot (wlc anchor setting.jpg).

So I can't configure external web authentication if the WLC code is not supported by ISE?

Thanks.

That is correct.... they have a minimum required code version that is supported for this.

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****


Hi Scott,

Must the anchor and foreign WLCs run the same code?
Can I update only the anchor WLC to version 7.3 and keep the foreign WLC on code 7.0.230?

Thanks...

No, they don't... it's preferred, but not a requirement.

http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-149658

Thanks,

Scott


Thanks for your help, Scott...

Now I have another problem with the guest portal page. The wireless client obtains an IP address and manages to reach the guest portal page; after I enter the username and password, the page tells me the login was successful. When I try to browse again, it brings me back to the visitor portal page and asks me to enter the username and password.

Test 1:

The username and password created for away were verified.

Scott, do you have any implementation details for the same scenario I am developing? I think I'm missing some details in ISE that keep me from browsing once the visitor login is successful.

Hard to say... do you see any logs for the client trying to connect?  Are they failing?  I don't know your full setup, but here is a simple guide that you may want to skim over and verify you did everything:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Thanks,

Scott
