New Member

Central Web Auth with Anchor Controller and ISE

Hi All

I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.

I also have an ISE sat on the corporate LAN.

Authentication is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.

DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.

I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.

My questions are:

1. Do I need the re-direct ACL to be present on both the foreign and anchor controllers?

2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?

3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to override the interface ACL? I don't believe it does.

4. Is ICMP still blocked by the WLC until the web authentication is complete?


Thanks.

Regards

Roger

8 REPLIES
Cisco Employee

Hi Roger,

Thanks for your brief explanation; here are the answers to your queries.

1. Do I need the re-direct ACL to be present on both the foreign and anchor controllers?

The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.

2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?

Yes, you have to configure the ISE server address on the anchor WLC.

3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to override the interface ACL?

Yes, you should enable AAA Override under the Advanced tab of the WLAN, as the ACL will be present on the foreign WLC.

4. Yes, ICMP will work only after the web auth has completed successfully.

Please do go through the link below to understand the Anchor-Foreign scenario.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11

Regards

Salma

New Member

Hi

OK, I have tested this and these are my findings:

1. You only need the redirect ACL on the anchor controller. It's not needed on the foreign controller.

2. The ISE address only needs to be present on the WLAN on the foreign controller. It's not needed on the anchor controller.

I now have a strange issue.

When I connect to the SSID I get an IP address fine.

When I connect to the web browser I get re-directed to the ISE guest portal login page.

When I enter the credentials I get a successful login.

However, when I try to connect to my original URL I get re-directed back to the login page again. This keeps repeating.

Any ideas?

Regards

Roger

• The first is when the user associates to the SSID and when the central web authentication profile is returned (unknown MAC address, so you must set the user for redirection).

• The second is when the user authenticates on the web portal. This one matches the default rule (internal users) in this configuration (it can be configured in order to meet your requirements). It is important that the authorization part does not match the central web authentication profile again. Otherwise, there will be a redirection loop. The Network Access:UseCase Equals Guest Flow attribute can be used in order to match this second authentication. The result looks like this:
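The two-authentication flow and the redirection loop described in the excerpt above can be reproduced with a small first-match policy evaluator. This is an added example written for this thread, not Cisco or ISE code: the rule names and authorization-profile strings are placeholders, the two authentication attribute sets are constructed, and only the attribute values the excerpt names (Network Access:UseCase being Host Lookup on the MAB pass and Guest Flow after the portal login) are taken from it. It shows why a policy whose only rule is "wireless MAB returns the CWA profile" loops, and why a Guest Flow rule placed above it breaks the loop.

```python
"""Toy model of ISE authorization-policy evaluation for central web auth.

ISE walks authorization rules top-down and applies the first match. The
client is authorized twice: once on MAB with an unknown MAC (ISE tags this
UseCase = Host Lookup) and again after the portal login, when the CoA forces
a re-authentication tagged UseCase = Guest Flow. If that second pass matches
the CWA profile again, the WLC redirects the user back to the portal.
"""

# Placeholder authorization-profile names (not real ISE defaults).
CWA_PROFILE = "CWA-Redirect"      # returns the redirect ACL and portal URL
PERMIT_PROFILE = "PermitAccess"   # plain permit after a successful portal login
DENY = "DenyAccess"

def is_wireless_mab(attrs):
    """Condition roughly equivalent to ISE's built-in Wireless_MAB compound."""
    return (attrs.get("NAS-Port-Type") == "Wireless - IEEE 802.11"
            and attrs.get("Service-Type") == "Call Check")

def is_guest_flow(attrs):
    """The attribute the excerpt recommends for matching the second pass."""
    return attrs.get("Network Access:UseCase") == "Guest Flow"

# Loops: every wireless MAB request, including the post-portal one, gets CWA.
BROKEN_POLICY = [
    ("Wireless MAB -> CWA", is_wireless_mab, CWA_PROFILE),
]

# Works: the Guest Flow rule sits above the CWA rule, so the second pass
# never reaches the redirect profile again.
FIXED_POLICY = [
    ("Guest Flow -> Permit", lambda a: is_wireless_mab(a) and is_guest_flow(a), PERMIT_PROFILE),
    ("Wireless MAB -> CWA", is_wireless_mab, CWA_PROFILE),
]

def evaluate(policy, attrs):
    """Return (rule name, result) of the first rule whose condition matches."""
    for name, condition, result in policy:
        if condition(attrs):
            return name, result
    return "Default", DENY

def simulate_cwa(policy, max_rounds=3):
    """Run a guest through MAB and then the post-portal re-authentication.

    Returns the list of authorization results; a CWA profile that keeps
    coming back after the portal login is the redirection loop."""
    base = {"NAS-Port-Type": "Wireless - IEEE 802.11",
            "Service-Type": "Call Check",
            "Calling-Station-ID": "00-11-22-33-44-55"}   # constructed MAC
    results = []
    # Pass 1: unknown MAC, plain MAB.
    first = dict(base, **{"Network Access:UseCase": "Host Lookup"})
    results.append(evaluate(policy, first)[1])
    if results[-1] != CWA_PROFILE:
        return results          # no redirect happened, nothing more to model
    # Pass 2..n: the user logged in on the portal, ISE sent CoA, the WLC
    # re-authenticates and ISE tags the session as Guest Flow.
    second = dict(base, **{"Network Access:UseCase": "Guest Flow",
                           "User-Name": "guest1"})
    for _ in range(max_rounds - 1):
        results.append(evaluate(policy, second)[1])
        if results[-1] != CWA_PROFILE:
            break               # the client finally got a non-redirect result
    return results

def is_redirect_loop(results):
    """True when the post-portal authorization still returned the CWA profile."""
    return len(results) > 1 and results[-1] == CWA_PROFILE

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        r = simulate_cwa(policy)
        print(f"{label}: {r} loop={is_redirect_loop(r)}")
```

The same check is useful when reading the ISE RADIUS live log: two CWA profile results for the same MAC within a few seconds, the second one carrying Guest Flow, is the signature of the loop Roger describes.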
Bronze

Hi Roger,

Please, how did you resolve the redirection loop? Also, were you able to achieve DHCP profiling with the DHCP and DNS coming from the DMZ and no ISE address specified on the Anchor?

New Member

Hi

I solved this by removing the 5760 foreign controller and using a 2504 controller with legacy mobility between it and the DMZ controller. I also ensured the ISE was only configured on the foreign controller. Everything worked fine, so I then switched back to using the 5760 as the foreign controller using converged access mobility to the 5508 DMZ controller. Again I ensured that only the foreign controller had the ISE configured. I also had the firewall rules verified and re-applied. Everything worked OK, so I suspect either a glitch in the 5760 or, more likely, a firewall issue. I wasn't able to reproduce the fault.

Regards

Roger

New Member

Hi,

I also have the same problem: I want to design Central Web Auth with Foreign-Anchor Controllers.
As far as I know the following config is needed:
- Guest WLAN with MAC filtering and so on.
- Redirect ACL on foreign and on anchor controller needed.

But now I am just thinking about the TCP/UDP connections needed, because the controllers and ISE are behind firewalls:
- CWA Redirect (HTTPS TCP 8443) tunnelled via CAPWAP and EoIP:
  Guest-Client <-> foreignWLC (management) <-> (management) anchorWLC (guestVlan) <-> ISE
- CoA (UDP 1700):
  ISE <-> foreignWLC (management)
  ISE <-> anchorWLC (management) not needed?
- RADIUS Accounting (UDP 1813), only one of both due to CSCuo56780?:
  foreignWLC (management) <-> ISE
  anchorWLC (management) <-> ISE

Any suggestions/recommendations on the Connections needed ?

Thanks and best regards

Alois
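A quick way to sanity-check the firewall rule set before opening a case is to encode the flows Alois lists and test a draft policy against them. This is an added example written for this thread, not Cisco code or a Cisco port reference: the flow list takes the ports from Alois's post (portal TCP 8443, CoA UDP 1700, RADIUS accounting UDP 1813) plus RADIUS authentication on UDP 1812, which is the standard port and not mentioned in the post; it follows Roger's test result that only the foreign WLC talks to ISE, so the anchor-side RADIUS flows are left out. Host names, the rule format and the draft rule set are all constructed for the example.

```python
"""Check a simplified firewall rule set against the CWA foreign/anchor flows.

Rules are (src, dst, proto, port) tuples with "any" wildcards, which is
enough to express the DMZ policy at the level of this thread. Addresses
are stand-in names, not real hosts.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    port: int
    note: str    # what breaks if the flow is blocked

# Constructed host labels for the three parties in the thread.
GUEST = "guest-vlan"       # client traffic after the EoIP tunnel to the anchor
FOREIGN = "foreign-wlc"    # corporate LAN, management interface
ISE = "ise-psn"            # the PSN terminating the guest portal

REQUIRED_FLOWS = [
    Flow(GUEST, ISE, "tcp", 8443, "guest portal redirect (client never reaches the login page)"),
    Flow(FOREIGN, ISE, "udp", 1812, "RADIUS authentication from the foreign WLC"),
    Flow(FOREIGN, ISE, "udp", 1813, "RADIUS accounting from the foreign WLC"),
    Flow(ISE, FOREIGN, "udp", 1700, "CoA from ISE to foreign WLC (login succeeds, session never re-authorized)"),
]

def rule_matches(rule, flow):
    """True if one (src, dst, proto, port) rule permits the given flow."""
    src, dst, proto, port = rule
    return (src in ("any", flow.src)
            and dst in ("any", flow.dst)
            and proto == flow.proto
            and port in ("any", flow.port))

def missing_flows(required, rules):
    """Return the required flows that no rule in the set permits."""
    return [f for f in required if not any(rule_matches(r, f) for r in rules)]

# A constructed first draft of the DMZ policy: the author remembered the
# WLC-to-ISE direction but not the CoA coming back from ISE.
DMZ_RULES_DRAFT = [
    (GUEST, ISE, "tcp", 8443),
    (FOREIGN, ISE, "udp", 1812),
    (FOREIGN, ISE, "udp", 1813),
]

# The corrected set adds the return-direction CoA rule.
DMZ_RULES_FIXED = DMZ_RULES_DRAFT + [(ISE, FOREIGN, "udp", 1700)]

def report(rules):
    """Human-readable list of the symptoms a rule set would produce."""
    return [f"{f.proto}/{f.port} {f.src}->{f.dst}: {f.note}" for f in missing_flows(REQUIRED_FLOWS, rules)]

if __name__ == "__main__":
    for name, rules in (("draft", DMZ_RULES_DRAFT), ("fixed", DMZ_RULES_FIXED)):
        print(name, report(rules) or ["all required flows permitted"])
```

The CoA row is the one worth keeping an eye on: a blocked UDP 1700 produces exactly the symptom from earlier in the thread, a successful portal login followed by another redirect, because the WLC never receives the instruction to re-authorize the session.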

New Member

Hi Alois

I have attached a PDF document that shows all the port requirements that you should need.

The bug you refer to should have been fixed, provided you are on a fairly recent version of code.

Regards

Roger

New Member

Hi Roger,

Thanks a lot; until now I had not thought about separating the ISE node types. The port reference clarifies everything.
My security concern about the port reference is still there, but it is also clarified, because on a PSN you terminate the guest portal and also need direct network communication to backend systems like AD, LDAP, etc.

Thanks and best regards

Alois
