HTML WLC ISE WebAuth
Hi all
I am trying to build several guest portals, with the selection of the guest portal based on the WLAN the clients come from.
That part works... the right URL is sent to the client using the AV pair; it is the portal itself that gives me problems.
I built a set of web pages using the code in the Cisco Identity Services Engine User Guide, version 1.1.1,
but it is not complete, i.e. conditions do not work, names are missing, code is missing, etc.
Is there a more complete document explaining the code and the naming convention for the web pages? Or could I download the whole guest portal pages, edit them and re-upload them to my 4 new portals?
Finally, could someone show me what they have done to achieve this?
Any help would be really appreciated
THX
Eric,
You should be able to get the HTML code using your browser's debugging session. Just get redirected as you would on the default portal and retrieve the HTML code.
Thanks
Tarik Admani
*Please rate helpful posts*
Tags: Cisco Security
Similar Questions
-
Clock synchronization on WLC, ISE and AD
Hello
I'm stuck on NTP. I deployed WLC CWA using ISE, which is integrated with AD. I tried to use AD as the NTP source but no luck (universal fact that Cisco uses NTP while Microsoft uses SNTP).
The issue is that if the time is not synchronized between WLC, ISE and AD, the web redirect stops working and no authentication takes place.
I tried installing the Meinberg NTP software to distribute time to my Cisco devices. It works with the Cisco devices, but it acts as master and does not synchronize its time with AD.
I am trying to find a way to sync Cisco with Microsoft; is it possible in this world to do?
Help, please...
Thanks in advance
DO NOT USE MS NTP/SNTP as a valid time source. MS is the WORST SNTP/NTP method because MS does NOT conform to the NTP/SNTP standards.
-
Create multiple guest SSIDs - WLC - ISE 1.4
Hello
I wonder if there is a way to create several guest SSIDs on the WLC with specific policies on ISE 1.4?
I tried to create 2 guest SSIDs with 2 policies. The point is that it is the first policy that matches any SSID.
Any idea?
Regards
Eric
Add Airespace-Wlan-Id to your policy on ISE; ISE will use the WLAN ID to match the correct policy.
-
Cisco vWLC and ISE Central Web Authentication issue
Hello!
I have a problem with central web authentication on wireless. CWA is working fine on wired.
My APs are working in FlexConnect mode with local switching. When I connect to the WLAN with CWA, the web page with the portal does not open, but I can see that the redirection works...
When I try to ping ISE I get an odd result:
[email protected]/ * /: ~ $ ping 10.10.2.47
PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
^C
--- 10.10.2.47 ping statistics ---
21 packets transmitted, 3 received, 85% packet loss, time 20106ms
rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms
When I change the WiFi network security to open or any other method, ping to ISE works very well. Help, please!
Central Web Auth (CWA) works differently for controllers/APs working in FlexConnect mode. Please consult this guide and check if you have a similar setup.
If so, please post screenshots of your configs (redirect ACL, policy in ISE and WLC SSID settings).
In addition, the version of code you run on your controller and ISE.
Please rate helpful posts!
-
Compatibility of access switches with ISE
Hi all
I need some advice on which switch models to buy to support almost all of the features that ISE offers... Mainly...
MAB, 802.1X, Web Auth, CoA, dACL, SGA...
Now, I've been reviewing the Cisco 2960 switches and the data sheets advise that they support some features, but then when I look at the Cisco ISE network access device compatibility list that was updated in December 2013... When you look under Cisco 2960, it advises that they support only 802.1X & MAB?
I'm planning the future deployment of ISE features to access switches in our network, but need to ensure that A) existing switches support these features and B) new switches that we buy will support these features.
Is there a more accurate document available, or has someone had experience with the current Cisco 2960 switches and how well they work with ISE?
Thank you
Mario
Take a look at this link instead:
http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/compatibility/ise_sdt.html
dACL and WebAuth (both local and central) are certainly supported. SGA/SGT isn't right...
Thanks for the note!
-
ISE Corp. Internet access - static user authentication
Hello gentlemen,
I have a small question on the type of authentication that I can use for CORP users who want to access the Internet & some in-house applications on their Android devices; they should not have to re-authenticate when they move between sites and connect to the same SSID while roaming to different sites.
The configuration looks like below:
USER (needs static auth to move between sites)--> SSID--> WLC--> ISE (common to all sites)
Can you please suggest the best way for Android users to have username-and-password-like authentication when they move between different sites.
Thank you
D
Hello
You have 2 choices:
- Users log on to the SSID using their Active Directory/LDAP credentials. Once they connect, the credentials are stored on their devices, and they will be able to reconnect without repeating the authentication.
- Do BYOD, which means you force users, at the first connection, to enrol a certificate. A more secure solution. In reality, they authenticate the 1st time with their AD/LDAP credentials and, before obtaining access, they are redirected to a web portal to register their devices.
The 1st solution requires only Base licenses and the 2nd requires Plus licenses. Base licenses, you have to buy them once and that's all. Plus, on the other hand, is a renewable licence (1y, 3y and I think more than 5 years).
In the deployments I do today, companies prefer the use of user certificates over user/password, with the server certificate on ISE. In this case, you are not dependent on the systems guys, and if something is compromised, you can manage the certificate revocation directly in ISE instead of asking a systems person to disable the user account in AD.
Hope this is clear.
Thank you
PS: Please do not forget to rate and mark as correct answer if this solves your problem
-
Hello, we are trying to create a Web Auth SSID using Active Directory to authenticate users. Has someone done the mapping of the WCS fields to AD?
Gregg
Hello
I did what you want before.
The configuration hints are the following:
1. In ACS, make sure 'External Database Group Mapping' is done properly. Make sure an AD group is mapped to a local ACS group.
2. In ACS, change the local group setting; make sure that 'IETF RADIUS attribute - 006 Service-Type' is 'Framed'.
3. In WLC or WCS, change the WLAN settings, the RADIUS settings, and point RADIUS at the ACS.
BTW, the WLC WebAuth authentication request does carry SSID information.
*Please rate if useful*
-
I have been at this all day now and am struggling a bit. Does anyone have a very detailed doc on sponsor-approved guest access with ISE 2.x and WLC code version 8.2.110.0?
I went through the process of implementing the portals to the best of my abilities. I have my users authenticating to ISE with PEAP for the Corp wireless, so I know that works.
How can I tell the WLC/ISE which SSID I use for guest access? Also, my client gets an IP address, then should it be redirected?
I get this error on the WLC:
*apfReceiveTask: Jun 13 20:37:31.136: %CSA-3-CLIENT_NO_ACCESS: apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. ACL override mismatch from AAA server.
And I see this in Splunk:
Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 15:50:28.428 2016-06-13 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=90, IP=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,
I can't reach the SSID from my iPhone... but it looks like it's trying. I suppose an ACL is wrong or a policy is wrong. I think I have trouble with the VLANs that are pushed to clients.
Any help would be great thanks...
Could you send a screenshot of the RADIUS server configuration in the WLC (detail page please).
Did you take a glance at the WLC Monitor > Clients page to see if the ACL has been pushed for authenticated clients? What is the result?
Thank you
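The CISE_Passed_Authentications line quoted in the question above is the one place that ties the client MAC, the SSID (tail of Called-Station-ID), the Airespace-Wlan-Id and the audit-session-id together, which is exactly what you need when checking why a guest hit the wrong policy. As an added example (not code from the thread or from Cisco), this Python snippet parses such a line and extracts those fields; the sample record is constructed from the values in the post, re-typed into ISE's "Key=Value, Key=Value" layout, and the "Device IP Address" key name is an assumption.

```python
import re

# Constructed sample: the values from the CISE_Passed_Authentications line in
# the post above, laid out as ISE emits them ("Key=Value, Key=Value, ...").
SAMPLE_LINE = (
    "Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications "
    "0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE "
    "Passed-Authentication: Authentication succeeded, ConfigVersionId=90, "
    "Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, "
    "DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, "
    "RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, "
    "NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, "
    "Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, "
    "Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, "
    "Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, "
    "NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, "
    "Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, "
    "cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, "
    "OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, "
    "IsThirdPartyDeviceFlow=false,"
)

# A key is letters/digits/spaces/dots/dashes followed by "="; a value runs until
# the next ", Key=" or the end of the line. The lookahead keeps values that
# themselves contain "=" (cisco-av-pair, the Tunnel-* "(tag=0)" prefix) intact.
_PAIR_RE = re.compile(
    r"(?:^|, )([A-Za-z][\w .\-]*?)=(.*?)(?=, [A-Za-z][\w .\-]*?=|,?\s*$)"
)
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def parse_ise_passed_auth(line):
    """Return the attribute dict from one CISE_Passed_Authentications line."""
    m = re.search(r"Passed-Authentication: [^,]*, (.*)$", line)
    if not m:
        raise ValueError("not a Passed-Authentication record")
    return {k: v for k, v in _PAIR_RE.findall(m.group(1))}


def summarize(rec):
    """Pull out the fields that decide which WLAN/policy a guest client hit."""
    ap_mac, _, ssid = rec.get("Called-Station-ID", "").partition(":")
    user = rec.get("UserName", "")
    # The MAB phase of CWA shows up as Service-Type "Call Check" with the client
    # MAC as the user name; a portal or 802.1X login would not look like this.
    is_mab = rec.get("Service-Type") == "Call Check" and bool(_MAC_RE.match(user))
    vlan_m = re.search(r"(\d+)$", rec.get("Tunnel-Private-Group-ID", ""))
    wlan = rec.get("Airespace-Wlan-Id")
    av = rec.get("cisco-av-pair", "")
    return {
        "ssid": ssid,
        "ap_mac": ap_mac,
        "client_mac": rec.get("Calling-Station-ID", "").lower(),
        "wlan_id": int(wlan) if wlan and wlan.isdigit() else None,
        "vlan": int(vlan_m.group(1)) if vlan_m else None,
        "mab": is_mab,
        "audit_session_id": av.partition("audit-session-id=")[2],
    }


def wlan_matches_policy(summary, expected):
    """True when the SSID in the record carries the Airespace-Wlan-Id that the
    ISE authorization rule for that SSID was written against ({ssid: wlan_id})."""
    return expected.get(summary["ssid"]) == summary["wlan_id"]


if __name__ == "__main__":
    s = summarize(parse_ise_passed_auth(SAMPLE_LINE))
    print(s)
    print("policy match:", wlan_matches_policy(s, {"TEST_GUEST": 3}))
```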
-
New redirect URL of ISE 1.3 for WLC (external WebAuth URL)
Hello
Could someone tell me the ISE 1.3 URL for the WLC?
ISE 1.2 was:
https://ISE-1.Cisco.local:8443/guestportal/login.action
Yes, the structure has been changed since version 1.2, and I didn't bother understanding it since there is now a 'Portal test URL' button. Have you tried it? Or do you still need to be able to browse to it manually?
If you still need to find it manually then you can use the test button to get the URL and then save it :)
Please rate helpful posts!
-
Hello
We run 3x WLC controllers with 800 APs using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that of 400 edge switches only 2x 2960S are configured with 802.1X (ISE RADIUS config) and SNMP, only 2 of the ports have APs attached with the remaining switch ports, and the 3x WLCs are in network devices.
I do not understand how an access point is doing this work (802.1X) because it is located at a different site and people are connecting at various different locations. ISE has almost 11,876 profiled endpoints.
version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
!
username test-radius password 7 07233544471A1C5445415F
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
!
!
aaa server radius dynamic-author
 client 10.178.5.152 server-key 7 151E1F040D392E
 client 10.178.5.153 server-key 7 060A1B29455D0C
!
aaa session-id common
switch 1 provision ws-c2960s-48 i/s-l
authentication critical recovery delay 1000
!
!
ip dhcp snooping vlan 29,320,401
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip device tracking
!
epm logging
!
crypto pki trustpoint TP-self-signed-364377856
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-364377856
 revocation-check none
 rsakeypair TP-self-signed-364377856
!
!
crypto pki certificate chain TP-self-signed-364377856
 certificate self-signed 01
  quit
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/10
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/16
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/33
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/34
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/46
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
 description link GH
 switchport trunk allowed vlan 1,2,320,350,351,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/52
 description link CORE1
 switchport trunk allowed vlan 1,2,29,277,278,314,320,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
!
interface Vlan320
 ip address 10.178.61.5 255.255.255.128
 no ip route-cache cef
 no ip route-cache
!
ip default-gateway 10.178.61.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
!
ip access-list extended ACL-AGENT-REDIRECT
 deny udp any any eq domain bootps
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.178.5.152 eq 8443
 permit tcp any host 10.178.5.152 eq 8905
 permit udp any host 10.178.5.152 eq 8905
 permit tcp any host 10.178.5.152 eq 8906
 permit udp any host 10.178.5.152 eq 8906
 permit tcp any host 10.178.5.152 eq 8909
 permit udp any host 10.178.5.152 eq 8909
 permit tcp any host 10.178.5.153 eq 8443
 permit tcp any host 10.178.5.153 eq 8905
 permit udp any host 10.178.5.153 eq 8905
 permit tcp any host 10.178.5.153 eq 8906
 permit udp any host 10.178.5.153 eq 8906
 permit tcp any host 10.178.5.153 eq 8909
 permit udp any host 10.178.5.153 eq 8909
 deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 10.178.5.152
 deny ip any host 10.178.5.153
 permit tcp any any eq www
 permit tcp any any eq 443
ip radius source-interface Vlan320
logging esm config
logging trap alerts
logging origin-id ip
logging source-interface Vlan320
logging host 192.168.6.31
logging host 10.178.5.150 transport udp port 20514
logging host 10.178.5.151 transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
snmp-server engineID local 800000090300000A8AF5F181
snmp-server community W143L355 RO
snmp-server community w143l355 RW
snmp-server community lthpublic RO
snmp-server community lthise RO
snmp-server trap-source Vlan320
snmp-server source-interface informs Vlan320
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps cluster
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.178.5.152 version 2c lthise mac-notification
snmp-server host 10.178.5.153 version 2c lthise mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-radius key 7 03084F030F1C24
radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-radius key 7 141B060305172F
radius-server vsa send accounting
radius-server vsa send authentication
Any help would be really appreciated.
I'm not sure I completely understand the question; but if ISE is only used for wireless policy, then none of the wired switches need any ISE configuration.
Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.
Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...
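The ACL-DEFAULT and ACL-WEBAUTH-REDIRECT lists in the config above are the standard CWA pair on a Cisco switch: the first limits what an unauthenticated port may reach (DHCP, DNS, ICMP and the ISE nodes), the second selects the HTTP/HTTPS flows to intercept while excluding traffic to ISE itself. As an added example (not code from the post or from Cisco), this Python snippet parses those two lists as written and classifies sample flows; it assumes IOS redirect-ACL semantics (permit lines select traffic to redirect, deny lines exclude it, interception is decided before the port filter is applied) and IOS first-match evaluation with an implicit deny. ACL-DEFAULT is shortened to one ISE node; the addresses in the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two ACLs from the 2960S config in the post above (ACL-DEFAULT shortened
# to the 10.178.5.152 entries; the .153 entries follow the same pattern).
ACL_DEFAULT = """
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.178.5.152 eq 8443
 permit tcp any host 10.178.5.152 eq 8905
 permit udp any host 10.178.5.152 eq 8905
 permit tcp any host 10.178.5.152 eq 8906
 permit udp any host 10.178.5.152 eq 8906
 permit tcp any host 10.178.5.152 eq 8909
 permit udp any host 10.178.5.152 eq 8909
 deny ip any any
"""
ACL_WEBAUTH_REDIRECT = """
 deny ip any host 10.178.5.152
 deny ip any host 10.178.5.153
 permit tcp any any eq www
 permit tcp any any eq 443
"""
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tok, i):
    # Only the "any" and "host A.B.C.D" forms used in this config are handled.
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {' '.join(tok[i:])}")


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces


def first_match(aces, proto, src, sport, dst, dport):
    """IOS first-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action
    return "deny"


DEFAULT = parse_acl(ACL_DEFAULT)
REDIRECT = parse_acl(ACL_WEBAUTH_REDIRECT)


def classify(proto, src, sport, dst, dport):
    """Fate of one flow from a client still in the WEBAUTH phase.

    Assumed IOS semantics: a permit in the url-redirect ACL intercepts the flow
    (redirect to the ISE portal), a deny leaves it alone, and only flows that are
    not intercepted are then filtered by the port ACL (ACL-DEFAULT)."""
    if first_match(REDIRECT, proto, src, sport, dst, dport) == "permit":
        return "redirected"
    if first_match(DEFAULT, proto, src, sport, dst, dport) == "permit":
        return "forwarded"
    return "dropped"


if __name__ == "__main__":
    for flow in [("tcp", "10.178.61.50", 51000, "93.184.216.34", 80),
                 ("tcp", "10.178.61.50", 51001, "10.178.5.152", 8443),
                 ("tcp", "10.178.61.50", 51002, "93.184.216.34", 22)]:
        print(flow, "->", classify(*flow))
```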
-
Local WebAuth with Wireless LAN Controller and ISE
Greetings,
We intend to set up a centralised guest wireless network with sponsored WebAuth. I didn't know that this will not work with our current WLC code (6.0.199.4), as version 7.2 or later is required.
We have a project to upgrade the WLCs but it won't be ready before the deadline for completing the guest wireless.
I am using local WebAuth temporarily until the WLCs are ready. My questions are:
1. Am I correct that I can still authenticate with ISE?
2. Since local WebAuth does not support CoA, does that mean I can't apply a pre- or post-auth ACL?
3. Can someone point me to a good guide for configuring local WebAuth?
Thank you!
Hi Leroy,
In CWA you can push the desired AVPs in the final result because of the nature of the flow:
- Guest connects to the SSID.
- WLC sends a wireless MAB request (1st authentication). In response, ISE returns an accept with url-redirect-acl and url-redirect.
- WLC updates the client session and once HTTP(S) traffic is generated the WLC redirects the client to ISE according to the AVPs received at the 1st auth (MAB request).
- The client enters the credentials in the portal. ISE validates the creds and sends the WLC a CoA of type re-authenticate.
- WLC re-authenticates the client session (2nd authentication), and at this point ISE can push custom AVPs such as VLAN names, interfaces or Airespace dynamic ACLs.
- WLC overrides the client session with the new attributes.
Local Web Auth, as you mentioned, has 2 steps, but the WLC "considers" it a single flow.
For LWA, the flow is as follows:
- The client connects to the SSID. Since there is no L2 auth involved, the client goes through DHCP, gets an IP and arrives at WEBAUTH_REQD. The redirect URL is configured statically on the WLC and the pre-auth ACL allows the client access to ISE during the auth phase.
- Client opens the browser and the WLC redirects the client to ISE, but inside the redirection there is a 'return to WLC' action which tells ISE to send the client to the WLC virtual IP, carrying the client credentials used for auth in the guest portal.
- In this way the WLC now "knows" the creds handed to ISE, and this way there is a formal RADIUS request the WLC sends to ISE asking about these creds. ISE returns an accept, and this is how the WLC now "knows" that the auth is correct and it should move the client to RUN.
For LWA the simplest way would be to define a guest interface and statically apply a restrictive ACL at the interface level rather than wait for the AVP from the AAA server.
LWA is supported in this version at a very low and basic level, but if you want a complex flow involving pushing dynamic attributes you will need something higher than 7.2.110.0.
Recommended version would be 7.6.130.0 as of now.
Kind regards
Antonio
-
Cisco ISE and WLC Access List Design/Scalability
Hello
I have a scenario where wireless clients are authenticated by ISE and different ACLs are applied depending on the rules in ISE. The problem I have seen is due to the limitation on the Cisco WLC that allows only 64 access list entries. As the setup has only a few SVIs/interfaces and several different access lists are applied to the same interface based on user groups, I was wondering if there may be a scalable design/approach whereby the access list entries can grow, alongside creating a VLAN for each user group and applying the access list on the layer 3 interface instead? I illustrated the configuration below for reference:
User group 1 - apply ACL 1 - on VLAN 1
User group 2 - apply ACL 2 - on VLAN 1
User group 3 - apply ACL 3 - on VLAN 1
The problem appears only for wireless users; it is not seen on wired users as the ACLs can be applied successfully without restriction on the switches.
Any suggestion is appreciated.
Thank you.
In fact, you have limitations on the switch side as well. Long ACLs can deplete resources on the switch. Take a look at this link:
The new WLCs based on IOS XE, and not the old Wireless/Aironet OS, will provide the best experience in these matters.
Overall, I see three ways to overcome your current issue:
1. Reduce the ACLs by making them less specific
2. Use L3 interfaces on an L3 switch or FW and apply the ACLs to them
3. Use SGT/SGA
I hope this helps!
Please rate helpful posts!
-
Hello Experts
I have ISE with an Advanced license for 1500 users and I have a WLC 2504, and I need to integrate the WLC with ISE in order to obtain the ISE features for wireless such as posture, user remediation and authentication as well.
My question: is the Advanced license sufficient, or will I have to install the wireless license on ISE to have the integration...
Your comments and input are appreciated...
Lydie
Here is some information about the different types of licenses:
http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_man_license.html#wp1074395
Essentially the wireless license is a little like the Base license if your deployment is 100% wireless; the wireless upgrade is equivalent to the Advanced license, once more for just a wireless deployment.
Base and Advanced cover all (wired, wireless, VPN, etc). There is no restriction on the deployment model.
Thanks
Tarik Admani
*Please rate helpful posts*
-
Hello
I have configured ISE and WLC for use with the CWA guest portal but there is a problem with the CoA: it won't apply the Airespace ACL after auth on the guest portal.
1. On the AuthC page, I configured a wireless MAB to continue if user not found and use Internal Users as the identity store.
2. On the AuthZ page I configured a WEBAUTH default rule with the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
3. I've also configured this ACL on the WLC to allow:
permit any-to-any icmp and dns
permit all-to-ISE-8443
permit ISE-to-any
This part works very well because I get redirected to the guest portal and can use my guest login & password to authorize myself. The guest account was previously generated by the sponsor portal and it works too.
4. On the AuthC page, I use a wireless dot1x to use Internal Users
5. On the AuthZ page I use an "if Internal Users: Guest then GUEST" rule
6. The GUEST rule looks like the following:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
7. This ACL is configured on the WLC allowing all except private networks (ISE is also permitted)
After the guest portal authentication, I see a success message and I am able to ping the internet but I don't have web access. It looks like CoA and the Airespace ACL are not working and I continue to use my ACL-WEBAUTH-REDIRECT access list, and I see a strange error message in the WLC logs:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
I swear my ACL name spelling is correct and ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with counters, moreover!
I have no idea what the problem could be...
Any ideas?
P.S. see attachment for the Live Authentications log
You can try "debug client" in the WLC CLI and try to connect with the client. It lets you see if the WLC applies your ACL.
Looks like this for my PERMIT-ALL ACL:
*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)
It should be near the bottom.
And then afterwards, debug disable-all.
Another question: you can test the internet but have no web access, also by URL? Does DNS work after the last ACL is applied?
On this line in the log:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
I get that with CWA working, so I don't know whether it is linked (for my setup).
Regards
Mikael
Sent from Cisco Technical Support iPad App
Post edited by: Mikael Gustafsson
-
Central WebAuth ISE and vWLC 7.4
Hello world
I wonder if anyone has had this scenario working: Cisco ISE guest portal via CWA redirect on an AP connected to a virtual WLC running 7.4. As the vWLC can only run FlexConnect and no centrally switched VLAN is supported, how would this scenario be possible, if at all; would the AP have to do the redirect instead of the controller?
Jan,
It works fine; when the client is in the WEBAUTH_REQD, supplicant provisioning or POSTURE_REQD state, traffic is centrally switched. Once the client is in the RUN state, then the control message is sent to the AP to put the client in FlexConnect mode.
Thanks
Tarik Admani
*Please rate helpful posts*