Are you using EAP-FAST or MAC filtering to get the workgroup bridge authenticated to the same SSID? I had a chance to skim through the thread and it seems that you are being redirected to the web portal for authentication, is that correct? If you are using MAC filtering then we may have to manually add all the WGBs to a specific endpoint group and build a policy so that all WGBs receive an access-accept with no additional attributes.
If that is not the case please summarize where you are at this point.
In order to do PROFILING/POSTURING and all that for wireless clients here is what's needed:
Need to go to WLC (wireless controller) and choose RADIUS/NAC for the SSID.
So SSID = test RADIUS/NAC - then all normal clients go through ISE and get postured and profiled and all that works fine except...
WGBs cannot connect to SSID=test at all and they do not appear on ISE as an attempt at all.
As soon as I remove the RADIUS/NAC option from the WLC, the WGB connects, shows up on ISE fine and gets authenticated ---> you would say, well, there you go, that's your problem. Well yeah, but if I DISABLE the RADIUS/NAC option on the WLC I lose the ability to control normal users that connect to SSID=test, so it would just be PERMIT/DENY ACCESS based on username and the whole point of ISE would be ACS or Simple Radius Server.
Do you get my point?
P.S. So for me to POSTURE/PROFILE wireless clients I need to use the RADIUS/NAC option, and for WGBs I have to set up a NEW SSID and leave that SSID without the RADIUS/NAC option so it can only authenticate through ISE and not posture/profile clients, and I do not need to posture/profile clients behind the WGB (it would be great but I don't necessarily need to, and I know they don't support CoA Change of Access attribute in RADIUS).
How are you associating your WGB to the production SSID? Are you using MAC filtering or EAP-FAST (excuse my ignorance, since this is an AAA forum I am not well versed in the WGB arena)?
I think if you can create a test condition where the WGB is statically assigned to an endpoint group, enable MAC filtering on the SSID, and select an authorization policy where the endpoint group of the WGB matches an access-accept-only authorization profile (no redirect, no ACLs, just send the access accept), then this may get the ball rolling and drop the webauth messages you are seeing in the debugs. Let me know if that works.