Hello friends, I have been researching VLAN assignment in Local Web Auth for quite a long time, but all the Cisco docs say that switches don't support VLAN assignment in LWA. Is that so? Can it be done locally, or do they not support VLAN assignment at all? Please guide me on whether there is a way or not. Please do discuss; I really want to enhance my knowledge and dig deeper into it.
The concept of central web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/mab failure, the switch will failover to the webauth profile and will redirect client traffic to a web page on the switch.
Central web authentication offers the possibility to have a central device that acts as a web portal (here the ISE). The major difference compared to the usual local web authentication is that it is shifted to Layer 2 along with mac/dot1x authentication. The concept also differs in that the RADIUS server (ISE here) returns special attributes that indicate to the switch that a web redirection must occur. This solution has the advantage of eliminating any delay that was necessary for web authentication to kick in. Globally, if the MAC address of the client station is not known by the RADIUS server (but other criteria can also be used), the server returns redirection attributes, and the switch authorizes the station (via MAC authentication bypass [MAB]) but places an access list to redirect the web traffic to the portal. Once the user logs in on the guest portal, it is possible via CoA (Change of Authorization) to bounce the switch port so that a new Layer 2 MAB authentication occurs. The ISE can then remember it was a webauth user and apply Layer 2 attributes (like dynamic VLAN assignment) to the user. An ActiveX component can also force the client PC to refresh its IP address.
Dear Aqeel Javed, thanks for your reply, but my question is about Local Web Auth, not CWA. Is there any way to force VLAN assignment? As we see in dot1x and MAB, can we see the VLAN assignment in LWA? Is there any possible way to do it?
Thanks for your reply. My scenario is this: when my client gets authenticated using LWA, he for sure gets the IP from the VLAN pool that has been assigned, but when I look at the output on my switch I don't see any VLAN policy assigned to my client, as it would be assigned when a client is authenticated using dot1x/MAB. My query is just that when my clients get authenticated using Local Web Auth, they do get an IP from the pool/VLAN that's been assigned, but I don't see the VLAN policy assigned to them in the output displayed on my switch. So please do assist me with it. When I went through the Cisco docs for switch configuration, I found that "Web-based authentication does not support VLAN assignment as a downloadable-host policy". For more details, here is the link where I saw this: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swwebauth.html. So is there any possibility to get my VLAN policy downloaded from ISE as in dot1x/MAB?
I too have encountered a similar issue with the clients that we were consulting with. Dynamic VLAN assignment is not possible with ISE Local Web Auth, because of which we needed to shift the authentication to Central Web Authentication.
Thanks for your reply, and good that even you encountered the same error. I do agree it will be possible in Central Web Auth. Then is there no way I can force VLAN assignment in Local Web Auth to see the VLAN policy?