Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL?
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the successful web auth is complete.
Please do go through the link below to understand the Anchor-Foreign scenario.
The first is when the user associates to the SSID and when the central web authentication profile is returned (unknown MAC address, so you must set the user for redirection).
The second is when the user authenticates on the web portal. This one matches the default rule (internal users) in this configuration (it can be configured in order to meet your requirements). It is important that the authorization part does not match the central web authentication profile again. Otherwise, there will be a redirection loop. The Network Access:UseCase Equals Guest Flow attribute can be used in order to match this second authentication. The result looks like this:
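To make the two-pass logic above concrete, here is a small added model of the ISE authorization policy (illustrative Python written for this thread, not ISE code and not using any ISE API). The rule names, the profile names `CWA-Redirect` and `Guest-Permit`, and the attribute dictionary are assumptions; the point it demonstrates is that the second pass must match on `Network Access:UseCase Equals Guest Flow` before the catch-all redirect rule, otherwise the client is redirected again on every re-authentication.

```python
"""Toy model of the two ISE authorization passes in Central Web Auth (CWA).

Added illustration for this thread; not ISE code and not an ISE API.
Rule names, profile names and attribute keys are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

CWA_PROFILE = "CWA-Redirect"     # assumed name: result that redirects to the portal
PERMIT_PROFILE = "Guest-Permit"  # assumed name: result that grants access


@dataclass
class Rule:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    profile: str


def build_policy(include_guest_flow_rule: bool) -> List[Rule]:
    """Ordered authorization rules, first match wins (like an ISE policy set)."""
    rules: List[Rule] = []
    if include_guest_flow_rule:
        # Second pass: the WLC re-authenticates the MAC after portal login and
        # ISE tags the session with UseCase = Guest Flow.
        rules.append(Rule(
            "Guest flow - second pass",
            lambda a: a.get("Network Access:UseCase") == "Guest Flow",
            PERMIT_PROFILE,
        ))
    # First pass: unknown MAC address, nothing else known -> send to the portal.
    rules.append(Rule("Unknown MAC - redirect", lambda a: True, CWA_PROFILE))
    return rules


def authorize(rules: List[Rule], attrs: Dict[str, str]) -> str:
    for rule in rules:
        if rule.condition(attrs):
            return rule.profile
    return "Deny"


def simulate_cwa(rules: List[Rule], max_passes: int = 5) -> List[str]:
    """Return the profile returned on each authorization pass.

    Stops when the client is permitted; if the redirect profile keeps coming
    back, the list fills up to max_passes, which is the redirection loop the
    post warns about.
    """
    attrs = {"Calling-Station-Id": "00:11:22:33:44:55"}  # constructed MAC
    history: List[str] = []
    for _ in range(max_passes):
        profile = authorize(rules, attrs)
        history.append(profile)
        if profile == PERMIT_PROFILE:
            break
        # Client logs in on the portal, ISE sends a CoA, the WLC re-authenticates
        # the MAC and the session now carries the guest-flow attribute.
        attrs["Network Access:UseCase"] = "Guest Flow"
    return history


if __name__ == "__main__":
    print("correct policy :", simulate_cwa(build_policy(True)))
    print("missing 2nd rule:", simulate_cwa(build_policy(False)))
```

Running it shows the correct policy settling after two passes (redirect, then permit), while the policy without the Guest Flow rule returns the redirect profile on every pass.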
I solved this by removing the 5760 foreign controller and using a 2504 controller with legacy mobility between it and the DMZ controller. I also ensured the ISE was only configured on the foreign controller. Everything worked fine so I then switched back to using the 5760 as the foreign controller using converged access mobility to the 5508 DMZ controller. Again I ensured that only the foreign controller had the ISE configured. I also had the firewall rules verified and re-applied. Everything worked OK so I suspect either a glitch in the 5760 or more likely a firewall issue. I wasn't able to re-produce the fault.
I also have the same problem: I want to design Central Web Auth with Foreign-Anchor controllers. As far as I know the following config is needed:
- Guest WLAN with MAC filtering and so on.
- Redirect ACL needed on the foreign and on the anchor controller.
But now I am thinking about the TCP/UDP connections needed, because the controllers and ISE are behind firewalls:
- CWA redirect (HTTPS TCP 8443), tunneled via CAPWAP and EoIP: Guest-Client <-> foreignWLC (management) <-> (management) anchorWLC (guestVlan) <-> ISE
- CoA (UDP 1700): ISE <-> foreignWLC (management); ISE <-> anchorWLC (management) not needed?
- RADIUS accounting (UDP 1813), only one of both due to CSCuo56780?: foreignWLC (management) <-> ISE; anchorWLC (management) <-> ISE
Any suggestions/recommendations on the Connections needed ?
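One way to sanity-check the flows listed in the post against a firewall rule set before deployment, as an added example that is not part of the thread: the script below encodes the CWA flows from the post as data (the two flows the poster marks with "?" are tagged optional, and the standard RADIUS authentication port 1812 from the foreign WLC is added because the thread states the foreign WLC does the RADIUS work), then reports which flows no rule permits. The host labels (`guest-vlan`, `ise-psn`, `foreign-wlc-mgmt`, `anchor-wlc-mgmt`), the rule format and the sample rule list are all constructed for this example.

```python
"""Audit a firewall rule set against the CWA anchor/foreign flows.

Added example for this thread; host labels, rule format and the sample rules
are constructed, not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    port: int
    purpose: str
    required: bool = True   # False for flows the post marks with "?"


@dataclass(frozen=True)
class Rule:
    src: str          # host label or "any"
    dst: str
    proto: str        # "tcp", "udp" or "any"
    port: int         # 0 = any port

    def permits(self, f: Flow) -> bool:
        return (self.src in ("any", f.src) and self.dst in ("any", f.dst)
                and self.proto in ("any", f.proto) and self.port in (0, f.port))


# Flows from the post.  The redirect/portal traffic leaves the guest VLAN on
# the anchor (it arrives there inside CAPWAP/EoIP), so that is what the
# firewall between the anchor and ISE actually sees.
CWA_FLOWS: List[Flow] = [
    Flow("guest-vlan", "ise-psn", "tcp", 8443, "CWA redirect / guest portal"),
    Flow("foreign-wlc-mgmt", "ise-psn", "udp", 1812, "RADIUS authentication (standard port, foreign does the RADIUS work)"),
    Flow("ise-psn", "foreign-wlc-mgmt", "udp", 1700, "CoA to foreign WLC"),
    Flow("ise-psn", "anchor-wlc-mgmt", "udp", 1700, "CoA to anchor WLC", required=False),
    Flow("foreign-wlc-mgmt", "ise-psn", "udp", 1813, "RADIUS accounting from foreign"),
    Flow("anchor-wlc-mgmt", "ise-psn", "udp", 1813, "RADIUS accounting from anchor", required=False),
]


def audit(rules: List[Rule], flows: List[Flow] = CWA_FLOWS) -> Tuple[List[Flow], List[Flow]]:
    """Return (missing_required, missing_optional): flows no rule permits."""
    missing = [f for f in flows if not any(r.permits(f) for r in rules)]
    return ([f for f in missing if f.required], [f for f in missing if not f.required])


# Constructed sample rule set: portal, RADIUS auth and accounting are open,
# but nobody added the CoA rule back towards the foreign WLC.
SAMPLE_RULES: List[Rule] = [
    Rule("guest-vlan", "ise-psn", "tcp", 8443),
    Rule("foreign-wlc-mgmt", "ise-psn", "udp", 1812),
    Rule("foreign-wlc-mgmt", "ise-psn", "udp", 1813),
]


if __name__ == "__main__":
    required, optional = audit(SAMPLE_RULES)
    for f in required:
        print(f"MISSING (required): {f.src} -> {f.dst} {f.proto}/{f.port}  {f.purpose}")
    for f in optional:
        print(f"missing (optional): {f.src} -> {f.dst} {f.proto}/{f.port}  {f.purpose}")
```

With the sample rules the audit flags the CoA flow to the foreign WLC as a required gap, which is exactly the case where the portal login succeeds but the client never gets re-authorized; the anchor-side CoA and accounting flows are reported separately as optional so the open question in the post stays visible.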
Thanks a lot, until now I had not thought about separating the ISE node types. The port reference clarifies all. My security concern on the port reference is still there, but it is also clarified, because on a PSN you terminate the guest portal and also need to have direct network communication to backend systems like AD, LDAP ...).