New Member

CWA with Cisco 3850 and ISE

Hi All

I am trying to set up Central Web Auth for use with a 3850 and ISE.

All I want to do is use a Sponsor to create guest accounts and to then use CWA. I'm not bothered about Self Registration or anything else.

The Sponsor bit is fine but I'm struggling with the configuration of the 3850 and ISE - particularly in regard to the required ACLs.

Does anyone have a complete configuration guide to achieving this?

I would re-iterate that I am not using a 5500 or 4400 WLC - I am using a 3850.

I have had it working to the point where I get directed to the login page but even if I don't login I still have access to the internet.

I'm sure I've got the authorization element of the ISE wrong but I'm struggling to see what the problem is.

Thanks

Regards

Roger

4 REPLIES
New Member

CWA with Cisco 3850 and ISE

The documentation is OK although not brilliant.

What it fails to explain is the fact that the access list on the 3850 actually works in reverse - so to allow traffic from the 3850 to the ISE you have to deny it.

Additionally, if you include an explicit deny on the end of the ACL, all traffic gets allowed - it's a bug. The workaround is to only use the implicit commands.

Here's a copy of the ACL that works:

ip access-list extended cwa_redirect
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 deny   udp any any eq bootps
 deny   udp any eq bootps any
 deny   udp any host 10.25.3.60 eq domain
 deny   tcp any host 10.25.3.60 eq domain
 deny   udp any host 10.26.3.41 eq domain
 deny   tcp any host 10.26.3.41 eq domain
 deny   tcp any host 10.25.2.10 eq 8443
 deny   tcp any host 10.26.2.10 eq 8443
 permit tcp any any eq www
 permit tcp any any eq 443

Regards

Roger
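To make the "works in reverse" point concrete, here is an added Python model of how a converged-access switch evaluates the redirect ACL quoted above (example code written for this thread, not Cisco's or the poster's): a matching "permit" line marks the flow for redirection to the ISE portal, a matching "deny" line (or the implicit deny at the end) lets the flow bypass the redirect, and whether a bypassed flow is forwarded or dropped is left to the DACL in the authorization profile. The ACL text is copied from the reply; the function names are this example's own.

```python
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}  # as IOS resolves them

# Copy of the redirect ACL posted above; the host addresses are the reply's own.
CWA_REDIRECT_ACL = """deny   udp any any eq bootpc
deny   udp any eq bootpc any
deny   udp any any eq bootps
deny   udp any eq bootps any
deny   udp any host 10.25.3.60 eq domain
deny   tcp any host 10.25.3.60 eq domain
deny   udp any host 10.26.3.41 eq domain
deny   tcp any host 10.26.3.41 eq domain
deny   tcp any host 10.25.2.10 eq 8443
deny   tcp any host 10.26.2.10 eq 8443
permit tcp any any eq www
permit tcp any any eq 443"""

def parse_ace(line):
    """One ACE: <action> <proto> <src> [eq <port>] <dst> [eq <port>], where an
    address is 'any' or 'host A.B.C.D'. None stands for any address / any port."""
    toks = line.split()
    action, proto, i, fields = toks[0], toks[1], 2, []
    for _ in range(2):                       # source, then destination
        if toks[i] == "any":
            addr, i = None, i + 1
        elif toks[i] == "host":
            addr, i = toks[i + 1], i + 2
        else:
            raise ValueError("only 'any' and 'host X' are supported: " + line)
        port = None
        if i < len(toks) and toks[i] == "eq":
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        fields += [addr, port]
    return (action, proto, *fields)

def redirect_decision(proto, src, sport, dst, dport, acl=CWA_REDIRECT_ACL):
    """First matching ACE wins. On the 3850 a matching 'permit' sends the flow to
    the ISE portal ('redirect'); a matching 'deny', or the implicit deny at the
    end, leaves it alone ('pass'). Whether a passed flow is forwarded at all is
    the job of the DACL in the ISE authorization profile, not of this ACL."""
    for line in acl.splitlines():
        action, aproto, asrc, asport, adst, adport = parse_ace(line)
        if aproto == proto and all(want in (None, got) for want, got in
                                   ((asrc, src), (asport, sport), (adst, dst), (adport, dport))):
            return "redirect" if action == "permit" else "pass"
    return "pass"
```

Running a guest's DHCP, DNS-to-10.25.3.60 and HTTPS-to-the-PSN flows through the model returns "pass", while any other HTTP/HTTPS destination returns "redirect", which is exactly the behaviour the ACL is meant to produce.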

Silver

Re: CWA with Cisco 3850 and ISE

Make sure your DACLs are correctly configured. Check the following link; here you will find all the related guides required to deploy ISE, and these are step-by-step guides.

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

New Member

CWA with Cisco 3850 and ISE

The link you have provided is something I am aware of. However, if you look at the document you will see that it is based on using a legacy controller such as the 5508. It does not include converged access controllers such as the 3850 or 5760.

The ACL requirements for the converged access controllers are different to the requirements of the 5508.

The ACL I have shown works and provides central web auth with the ISE.

Regards

Roger
