I'm testing a pair of 5760s for a near-term production rollout. I have the dot1x employee WLAN working, but am having trouble with the guest web-auth WLAN. We have a foreign controller with connected APs and an anchor controller in the DMZ. We're using an external redirect to the ISE guest portal. ISE is working with our production equipment and hasn't been changed. However, I'm not able to get an IP address assignment to test the ISE redirect. When I remove all of the web-auth configuration, I get an IP address without issues. My configuration is attached below, and I would appreciate an extra set of eyes.
!!!!!!!!!!!!
!! Anchor controller
!!!!!!!!!!!!
!
aaa group server radius ISE
 server name iseservername
aaa authentication login ISE-MethodList group ISE
!
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 x.x.127.1
 virtual-host guest-redirect.domain.com
!
parameter-map type webauth Guest-param-map
 type webauth
 redirect for-login https://guestportal.domain.com:8443/guestportal/portal.jsp
 redirect portal ipv4 x.x.164.35
!
ip access-list extended Guest-preauth
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any any range bootps bootpc
 permit tcp any any eq 8443
 permit tcp any any established
ip access-list extended Guest-redirect-acl
 permit tcp any any eq www
!
radius server iseservername
 address ipv4 x.x.164.35 auth-port 1812 acct-port 1813
 key [verysecretkey]
!
wlan Guest 1 Guest
 client vlan 330
 ip access-group web Guest-preauth
 mobility anchor
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list ISE-MethodList
 security web-auth parameter-map Guest-param-map
 no shutdown
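As an added example (not from the thread), a small Python check that parses an IOS-XE style config like the one above, resolves the WLAN's "ip access-group web" reference, and reports whether that pre-auth ACL permits the DHCP and DNS traffic a web-auth client needs before it can be redirected. The sample config is constructed from the post and trimmed to the lines the checks use.

```python
import re

# Constructed from the anchor-controller config in the post, trimmed to the lines the checks use.
SAMPLE_CONFIG = """\
ip access-list extended Guest-preauth
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any any range bootps bootpc
 permit tcp any any eq 8443
 permit tcp any any established
ip access-list extended Guest-redirect-acl
 permit tcp any any eq www
wlan Guest 1 Guest
 ip access-group web Guest-preauth
 security web-auth parameter-map Guest-param-map
"""

def parse_acls(config):
    """Return {acl_name: [ace, ...]} for each 'ip access-list extended' block."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line.startswith(" ") and current:
            acls[current].append(line.strip())
        else:
            current = None          # left the ACL block (e.g. a wlan stanza)
    return acls

def preauth_acl_gaps(aces):
    """Name the traffic a web-auth client needs before redirect that the ACL does not permit."""
    required = {
        "dhcp": r"^permit udp .*bootp",            # bootps/bootpc, eq or range form
        "dns_out": r"^permit udp any any eq domain$",
        "dns_in": r"^permit udp any eq domain any$",
    }
    return [name for name, pat in required.items()
            if not any(re.search(pat, ace) for ace in aces)]

def check_guest_wlan(config):
    """Resolve the WLAN's 'ip access-group web' ACL and check it for pre-auth gaps."""
    acls = parse_acls(config)
    m = re.search(r"^ ip access-group web (\S+)", config, re.M)
    acl_name = m.group(1) if m else None
    if acl_name not in acls:
        return {"acl": acl_name, "defined": False, "gaps": []}
    return {"acl": acl_name, "defined": True, "gaps": preauth_acl_gaps(acls[acl_name])}
```

Run check_guest_wlan() over a full "show running-config" dump to catch a dangling ACL name or a pre-auth ACL that drops DHCP before chasing the redirect itself.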
Have you tried enabling DHCP snooping for VLAN 330 on your 5760 and trusting the 5760 uplink? In the below I have assumed the 10G port of the 5760 is mapped to an etherchannel (Po1). Otherwise trust the physical interface.
ip dhcp snooping
ip dhcp snooping vlan 330
!
interface Port-channel x
 switchport trunk native vlan x
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 ip dhcp snooping trust
I haven't. I had DHCP snooping on the foreign controller for non-anchored WLANs, but was often not getting DHCP addresses, even though the config was right as far as the documentation was concerned. So I pulled it off and started getting addresses.
Is there something missing or wrong in the above config? I haven't imported a certificate yet, as I was going to work on that piece once I had an IP address and could perform a redirect. Is the certificate you are using specified as a trustpoint in the non-global parameter-map?
You are using web-auth, so the IP address should be assigned without any authentication. The only thing coming in between is the mobility tunnel to pick up the IP address from the anchor controller. Is one of the 5760s the foreign and the other one the anchor?