ISE WLC 4400 configuration

MMstre
Level 3

Up until now, my experience has been with 5500 controllers and ISE.

My customer is using 4400 controller, on 7.0.240 code.

I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...

Does anyone know of any documents, or have experience that can assist with this configuration?

8 Replies

Charlie Moreton
Cisco Employee

Michael,

Depending on the version of ISE software you are running, you may be in luck.  The information below is for 1.1.x.  If you are using v 1.2, you may have to tweak a bit.

In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat:  “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038

Of course, with an IPN, your posturing (and CoA) is handled here.

DACLs are also supported on the WLC 4400.

Per User ACLs are covered in the following document:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml

I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.

Please feel free to ask any additional or follow-up questions.

Also, please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.

Charles Moreton

Hi Charles,

this is great information, thanks for linking this.

However, to be a bit more specific on the need of this deployment...

The customer is looking to do webauth for guests. Setting up all the clients for dot1x may not be possible as the client count could reach into the hundreds.  Not to mention, this is for a trade show, and the clients won't be on-site until the day of the show. So getting everyone to configure the service may not be accomplishable.

The customer's main requirement is the use of an AUP, and being able to monitor. Ideally, they would like to posture, as this has been a manual procedure, but are aware that this is unlikely.

Any thoughts on what I may be able to accomplish?

I tried setting up radius authZ profiles for webauth, using the controller to authenticate and ISE for authorization, but this isn't working as planned.

AUP is a sub of Posturing, but posturing is not a good idea for guest flows.  I would create an AUP with an Any role and use the ISE for both Authenticate and Authorize.

I have linked the following document so that you may see the different AUP Configurations available.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html

Here is a quick chart to look at, as well:

Again,  please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.

Charles Moreton

Hi Charles,

Are you sure this is a correct statement ?

DACLs are also supported on the WLC 4400 ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

According to this matrix, they are supported with a caveat "Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)"

So the WLC 4400 is NOT itself processing or using the DACL

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038

Unified controllers only use NAMED ACLs. ISE uses a radius attribute to impose the named ACL from the WLC onto the client.


Charles, is that chart a typo? It states dACL but (4) says different ..

4

Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).

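The two posts above make the same point from different angles: a WLC does not enforce a dACL pushed by ISE, it only applies a named ACL that already exists on the controller, and ISE selects that ACL through a RADIUS vendor-specific attribute (Airespace-ACL-Name, vendor 14179, vendor-type 6). The following script is an added example, not code from this thread or from Cisco. It encodes a constructed Access-Accept that carries both a named ACL reference and a dACL line (ISE delivers dACL entries as Cisco-AV-Pair "ip:inacl#..." values), then parses the packet the way you would when checking a capture, so you can see which of the two a WLC would actually honour. The ACL name "GUEST-AUP" and the dACL line are constructed sample values; the attribute numbers are the real RFC 2865 and vendor dictionary values.

```python
"""
Inspect RADIUS Access-Accept attributes to see which ACL form a WLC
can actually enforce. Constructed sample packets only; not Cisco/ISE code.
"""
import struct

# Wire constants (RFC 2865 and the Airespace/Cisco vendor dictionaries)
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_AIRESPACE = 14179       # Airespace (Cisco WLC) enterprise number
VENDOR_CISCO = 9
AIRESPACE_ACL_NAME = 6         # Airespace-ACL-Name vendor-type (named ACL on the WLC)
CISCO_AV_PAIR = 1              # Cisco-AV-Pair vendor-type (carries dACL lines)


def vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (type 26) per RFC 2865 section 5.26."""
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    value = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(value)) + value


def build_access_accept(identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Wrap attributes in a RADIUS header: code, id, length, 16-byte authenticator."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def iter_vsas(packet: bytes):
    """Yield (vendor_id, vendor_type, data) for every VSA in the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet):
        raise ValueError("truncated RADIUS packet")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        # A single VSA may pack several vendor sub-attributes back to back.
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                break
            yield vendor_id, vtype, value[vpos + 2:vpos + vlen]
            vpos += vlen


def classify_acls(packet: bytes) -> dict:
    """Split ACL-related attributes into what a WLC enforces (named ACL)
    and what it does not enforce (dACL lines in Cisco-AV-Pair)."""
    result = {"named_acls": [], "dacl_lines": []}
    for vendor_id, vtype, data in iter_vsas(packet):
        text = data.decode("ascii", "replace")
        if vendor_id == VENDOR_AIRESPACE and vtype == AIRESPACE_ACL_NAME:
            result["named_acls"].append(text)
        elif vendor_id == VENDOR_CISCO and vtype == CISCO_AV_PAIR and text.startswith("ip:inacl#"):
            result["dacl_lines"].append(text)
    return result


def sample_accept() -> bytes:
    """Constructed Access-Accept carrying both a named ACL and a dACL line."""
    attrs = vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, b"GUEST-AUP")
    attrs += vsa(VENDOR_CISCO, CISCO_AV_PAIR, b"ip:inacl#1=permit ip any any")
    # Zero authenticator: this packet is never sent, only parsed.
    return build_access_accept(0x2A, bytes(16), attrs)


if __name__ == "__main__":
    print(classify_acls(sample_accept()))
```

When you see only dACL lines and no Airespace-ACL-Name in an Access-Accept destined for a WLC, the authorization profile on ISE is set up for a switch, not a controller, and the guest client will end up with no ACL applied at all; the named ACL must also already be configured on the WLC under the exact name ISE sends.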

George Stefanick
VIP Alumni

Michael,

My experience is that it is not the hardware but the code that is the differentiator. The 4400 can't go past 7.0 code.

If you are looking for a simple guest AUP, why not just take ISE out of the mix and do an AUP on the controller? You can upload a custom page and have a simple click here, or you could use a generic account.

Why the trouble of ISE for a simple AUP guest ?
