I am trying to set up wireless MAB with CWA so that when devices connect to the open guest network they are profiled and, if they match a device type (iPhone, Android), they are allowed access to the internet without AUP or authentication, and all other device types (including unknown) are redirected to the guest portal for authentication. My configuration works when devices are correctly profiled; the issue is that it appears the RADIUS probes are the only profiling components working on the guest side. Devices are being correctly profiled on the corp network segment. The key profiling components I need to get a match on iPhone are DHCP and HTTP user agent. Without those, all iPhones are categorized as an Apple device and not iPhone. I suspect this is because they are matching the MAC OUI from the RADIUS probe and MAC filtering with NAC RADIUS on the WLC. The ISE is on a separate LAN from the guest, and right now I am only allowing DNS and 8443 through the ASA. I also believe DHCP profiling is not working because the guest DHCP is running on the WLC internal DHCP and is not forwarding requests to the ISE for inspection, because it will not relay the request to 2 servers; it just uses a secondary if the primary is unreachable.
Can someone point me in the right direction? I believe my Authentication, Authorization, Identity Source Sequence, etc. configuration is correct, but I can post additional details if necessary. My main issue is the profiling probes and getting them working correctly on the guest LAN.
Yes, we created matching identity groups for all the devices that we wanted profiling policies for. The issue was with getting profiling like DHCP, DNS, HTTP user agent, etc., to work without authentication. We settled for an NMAP scan to get the results we desired.
What we did to get around this was to adjust the profiler policy for Apple-Device to take network scan action when MAC:OUI contains Apple. So basically the device connects to the wireless network, MAC filtering on the WLC identifies the OUI to belong to Apple and initiates an NMAP scan that properly identifies the OS of the iDevice. This allows iPhones to connect and other Apple devices like iPads to be redirected to the login portal.
We can also make similar adjustments to Android and other devices that require profiling to properly identify the device type. In this case, allowing SmartPhones to connect directly to the internet and all other devices to be redirected to the portal.
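To make the thread's point concrete (OUI alone only gets you to "Apple-Device"; DHCP option 55 / host-name and the HTTP User-Agent are what distinguish an iPhone), here is an added example that is not from the original thread or from Cisco ISE. It parses a raw DHCP Discover the way a DHCP probe would, then runs a small profiler that layers the same attribute kinds the thread names (MAC OUI, DHCP host-name and parameter request list, HTTP User-Agent). The OUI table, the DHCP packet and the matching rules are constructed for illustration and are not ISE's actual profiler policies.

```python
import struct

# Constructed sample OUI table for the example; a real profiler uses the IEEE OUI registry.
OUI_VENDORS = {"00:1C:B3": "Apple", "3C:5A:B4": "Google"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options after the 236-byte BOOTP header


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP message (what a DHCP probe sees)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_attributes(opts: dict) -> dict:
    """Extract the attributes a DHCP probe contributes: host-name (12), parameter request list (55), vendor class (60)."""
    return {
        "host-name": opts.get(12, b"").decode(errors="replace"),
        "dhcp-parameter-request-list": ",".join(str(b) for b in opts.get(55, b"")),
        "dhcp-class-identifier": opts.get(60, b"").decode(errors="replace"),
    }


def build_discover(mac: str, hostname: str, prl: list, vendor_class: str = "") -> bytes:
    """Build a constructed DHCP Discover so the example runs offline (not a captured packet)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x01"                                     # option 53: DHCPDISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()      # option 12: host-name
    opts += bytes([55, len(prl)]) + bytes(prl)                  # option 55: parameter request list
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class.encode()
    return header + MAGIC_COOKIE + opts + b"\xff"


def classify(mac: str, dhcp_opts: dict = None, user_agent: str = None) -> str:
    """Illustrative profiler: each probe that is actually reaching the profiler narrows the match."""
    vendor = OUI_VENDORS.get(mac.upper()[:8], "Unknown")
    attrs = dhcp_attributes(dhcp_opts) if dhcp_opts else {}
    hostname = attrs.get("host-name", "").lower()
    ua = (user_agent or "").lower()

    if vendor == "Apple":
        # Without DHCP or HTTP data this is as far as the OUI can take us: the thread's failure mode.
        if "iphone" in ua or "iphone" in hostname:
            return "Apple-iPhone"
        if "ipad" in ua or "ipad" in hostname:
            return "Apple-iPad"
        return "Apple-Device"
    if "android" in ua or "android" in hostname:
        return "Android"
    return "Unknown"


if __name__ == "__main__":
    pkt = build_discover("00:1C:B3:AA:BB:CC", "Alices-iPhone", [1, 121, 3, 6, 15, 119, 252])
    print(classify("00:1C:B3:AA:BB:CC"))                        # OUI only
    print(classify("00:1C:B3:AA:BB:CC", parse_dhcp_options(pkt)))  # OUI + DHCP probe
```

Run as-is it prints `Apple-Device` for the OUI-only case and `Apple-iPhone` once the DHCP attributes reach the profiler, which is exactly the gap the thread describes when the WLC's internal DHCP server never relays the request to ISE and the ASA only passes DNS and 8443. The same `classify` call with a `user_agent` argument shows the HTTP probe closing that gap independently.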