OEAP Remote LAN & MAC Filtering

i.va
Level 3

I am currently trying to set up the Remote LAN feature with MAC Filtering with WLC & ISE. I want to use Central Web Authentication, but the client connected to the wired port 4 of the OEAP does not get redirected. On the WLC I see the correct web redirect URL and ACL being applied (client details), but the redirect on the client itself is not taking place. The RADIUS NAC state of the wired client is also shown as "RUN" instead of the expected "CENTRAL_WEBAUTH_REQD". No anchoring is configured for the Remote LAN, since it is not supported in this WLC software release.

Anybody have any ideas? Is this supported at all? The redirect is working fine with wireless on the OEAP.

WLC 5508 7.4.110.0

AIR-OEAP602I-E-K9

ISE 1.2.0.899

5 Replies

Shankar Ramanathan
Cisco Employee

Need "show run-config" output. Make a mention of the wlan.

Make sure you are using even numbered wlan on RLAN to be mapped to port 4.

Hi,

Thanks for the reply! I have attached the show run-config command, but replaced some sensitive data. The WLAN ID is "44" with name "HomeOffice_RemoteLAN_Port4".

I have set it up by following the guide here (also with correct group mapping): http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml#t100

The general function seems fine. I get an IP address and can ping, but there is no redirect. Hope you can help me!

Regards

You are trying web-auth redirect on rlan, correct? On remote lan 44 config:

Remote LAN Configuration
Remote LAN Identifier............................ 44
Profile Name..................................... HomeOffice_RemoteLAN_Port4
Status........................................... Enabled
MAC Filtering.................................... Enabled
AAA Policy Override.............................. Enabled
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... XXX-XXXXXX
Webauth DHCP exclusion........................... Disabled
Interface........................................ homeoffice
Remote LAN ACL................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
PMIPv6 Mobility Type............................. none
Radius Servers
   Authentication................................ 10.65.30.220 1812
   Authentication................................ 10.65.30.221 1812
   Accounting.................................... 10.65.30.220 1813
   Accounting.................................... 10.65.30.221 1813
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
   802.1X........................................ Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
802.11u........................................ Disabled
MSAP Services.................................. Disabled

Yes, that is correct, but I want to do MAC Filtering and redirect to ISE, and not use the local WLC Web Auth. That's why the option is disabled. I also have this configured for WLAN ID 20, which is redirecting fine.

I now have a tac case open on this issue.

Glad you opened a TAC case on this. Not sure if I understood the problem description correctly here. If you are trying for a RADIUS NAC solution on OEAP, this is not a supported feature on RLAN.
