Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
10
Helpful
6
Replies

WLC9800 multiple auth using MAB first and then CWA

b_ferguson
Level 1
Level 1

‎01-04-2023 12:05 PM

WLC9800...  I have a SSID with CWA with ISE working just fine and another SSID using MAB.  Customer wanted to collapse these SSIDs into a single one and use MAB first, if that fails then redirect to the CWA portal.  Since the authentication piece is on the WLC and the configuration is either using MAB or CWA, I'm not seeing a good way to do this and wanted to ask the community.  

0 Helpful
6 Replies 6

b_ferguson
Level 1
Level 1
In response to balaji.bandi

‎01-06-2023 06:56 AM

thanks for the response balaji, I'm not seeing authentication profile order on those links.  I see the multiple authentication methods but the customer doesn't want both, if certain users are in a MAB group when they connect to this single SSID, they want them to gain access, if the user isn't in the group then they want the guest authentication portal to open.  

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to b_ferguson

‎01-06-2023 01:40 PM - edited ‎01-06-2023 01:41 PM

I have provided the information on the WLC side, what AAA infrastructure do you have? ISE?

I see the multiple authentication methods but the customer doesn't want both  - this is not both, you need to do an order of operation.

Since you have only single SSID  you need to pass the flow to validate end device based on condition.

If you have ISE the order of operation as below :

the user connects to SSID, and checks in the MAB database, if yes user gets authenticated. 

if not it will move to the next action to redirect to the portal since the user's device MAC is not identified.

example to get an idea :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

b_ferguson
Level 1
Level 1
In response to balaji.bandi

‎01-09-2023 07:27 AM

I think I'm following this now.  I'm going to test this out later this week and I'll respond back after that.  thanks for passing along these links.  

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to b_ferguson

‎01-10-2023 01:16 PM

sure we will wait for the feedback

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

b_ferguson
Level 1
Level 1
In response to balaji.bandi

‎01-20-2023 08:49 AM

The solution for this scenario was to add "security web-auth on-macfilter-failure" under the wlan as even if the device was in the MAB group in ISE, they were still getting redirected to the web-auth page which was not the desired behavior.  Once that command was added, MAB worked successfully and if the user wasn't in the MAB group they received the webauth page from ISE which was originally working without the command above.  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card