Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

I would like to get some insight on a particular configuration with a Cisco WLC and Cisco ISE.

OBJECTIVE:

Provide a web redirect for users who are blacklisted to a 3rd party server which simply states "you are blacklisted, please contact security."

CONFIGURATION:

Cisco WLC has Layer 3 conditional web redirect. When selected you MUST uncheck NAC STATE: RADIUS NAC. With the use of RADIUS AV pairs (redirect and ACL) this works great. No issues.

CONCERN:

If I remove NAC STATE: RADIUS NAC, what risk, if any, might I be exposed to? If there is risk, is there another way to accomplish this?

Thanks!

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"
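Added example, not from this thread and not Cisco's or ISE's code: the redirect instruction the original post relies on travels in the Access-Accept as Cisco AV pairs (RFC 2865 Vendor-Specific attribute, vendor id 9, vendor-type 1 = cisco-av-pair) named url-redirect and url-redirect-acl. The script below encodes a constructed Access-Accept attribute list carrying both pairs plus an unrelated vendor attribute, decodes it back, and flags an authorization profile that sends a URL without an ACL name (or the reverse). The URL, ACL name and the "complete" rule are the example's own placeholders and sanity check, not WLC behaviour.

```python
"""Encode and decode the Cisco AV pairs that carry a WLC web-redirect instruction
inside a RADIUS Access-Accept. Constructed example: the URL and ACL name are
placeholders, and the 'complete' check is this script's own sanity rule."""
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1         # vendor-type 1 is cisco-av-pair


def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single cisco-av-pair string."""
    payload = value.encode()
    # 255 max attribute length minus 2 (type/len), 4 (vendor id), 2 (vtype/vlen)
    if len(payload) > 247:
        raise ValueError("AV pair too long for a single RADIUS attribute")
    vendor_part = (struct.pack("!I", CISCO_VENDOR_ID)
                   + bytes([CISCO_AVPAIR_TYPE, len(payload) + 2]) + payload)
    return bytes([RADIUS_VENDOR_SPECIFIC, len(vendor_part) + 2]) + vendor_part


def decode_attributes(blob: bytes):
    """Yield (type, value) for each RADIUS attribute in a packed attribute list.
    A truncated or malformed attribute raises instead of being guessed at."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        yield atype, blob[i + 2:i + alen]
        i += alen


def cisco_avpairs(blob: bytes) -> list[str]:
    """Extract every cisco-av-pair string, ignoring other vendors' attributes."""
    pairs = []
    for atype, value in decode_attributes(blob):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR_TYPE:
                pairs.append(sub[2:vlen].decode())
            sub = sub[vlen:]
    return pairs


def redirect_instruction(pairs: list[str]) -> dict:
    """Pull url-redirect / url-redirect-acl out of the AV pairs and mark whether
    both halves of the redirect instruction are present (constructed rule)."""
    found = {}
    for p in pairs:
        key, sep, val = p.partition("=")
        if sep and key in ("url-redirect", "url-redirect-acl"):
            found[key] = val
    found["complete"] = "url-redirect" in found and "url-redirect-acl" in found
    return found


# Constructed Access-Accept attribute list: the two AV pairs a blacklist
# authorization profile would send, plus an unrelated vendor attribute.
SAMPLE_ACCEPT = (
    encode_cisco_avpair("url-redirect=https://blocklist.example.invalid/notice")
    + encode_cisco_avpair("url-redirect-acl=BLACKLIST-REDIRECT")
    + bytes([26, 8]) + struct.pack("!I", 311) + bytes([1, 2])  # other vendor, skipped
)

if __name__ == "__main__":
    print(redirect_instruction(cisco_avpairs(SAMPLE_ACCEPT)))
```

Running it prints the decoded URL and ACL name with complete=True; feeding it an attribute list that carries only url-redirect gives complete=False, which is the shape of profile worth catching before it reaches a controller.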

8 REPLIES

Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

I'm not 100% sure on this, but I believe if you remove Radius NAC from the WLAN then ISE policies will not be enforced.  I remember having an issue with ISE policies working and it was because I had forgotten to turn on Radius NAC on the WLAN.

Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

I was of the same belief.  However I am still seeing ISE enforce general policy. For example: are you an iPad, are you using an AD account, then production lite ACL or dynamic VLAN.

I'm wondering if this is more for agents and posture perhaps?

+5 Thanks for the response.


Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

Correct.  I believe ISE will still process the RADIUS authentication and apply the AuthZ profiles, and as far as ISE is concerned it thinks it is doing its job, but the controller will not enforce it for the client for the session because NAC is disabled.

Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

Oddly enough the WLC is still enforcing the ISE policy without NAC enabled on the WLC. Like you, I assumed the same. I'm opening a ticket to see what TAC has to say.

Have you done anything similar to the "black list" with a conditional redirect?


Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

That is odd.  Let me know what they find.

I have not done anything other than the traditional redirect to ISE Blackhole page upon blacklist but you have an interesting idea and I would love to know if it works.

Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

JJ,

Do you know if the Black Hole page can be modified? Also, can you have more than one black hole page; BlackHole#1, BlackHole#2, etc.?

It's pretty solid how it's working now with a 3rd party server redirect.


Cisco WLC and NAC STATE: RADIUS NAC w/ Conditional Redirect

The blackhole page redirects you to a page called blackhole.jsp.  I know that you can customize the Guest Portal and Device Registration pages, but I'm not sure if you can customize the look and feel of the blackhole page.

There is only one blackhole page.

You can, however, modify the language template to customize the blackhole message the user will see. 

I can play around with this in my lab and see what results I get sometime this weekend.
