Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

External webauth with flexconnect


Trying to use ise (1.1) as an external webauth within a flexconnect/h-reap setup (WLC:7.2.103)... Can't get it to work.. After a lot of testing/troubleshooting found this:

That says: "External web Authentication is only supported on a centrally switched WLAN"

Anyone can explain why/how this should be an issue....Anypne got it to work?




Re: External webauth with flexconnect

It has to do with the traffic flow. For external webauth you need the pre-auth acl configured allowing the client to reach the ISE. But the WLC doesn't have that control of the guest traffic is going to be locally switched.


Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

External webauth with flexconnect

hi Stephen,

  Can you please explain the traffic flow for HREAP AP with an SSID which is webauth configured and local switching enabled ? This is how i see it :

1. client sends DHCP request and gets IP on locally defined VLAN on the HREAP AP

during this, the controller get to know of the client association via the CAPWAP control message from HREAP AP

2. Client opens browser and enter website address ( and gets the controller webauth login page

is this step  happening in the capwap tunnel or outside it ? the TCP communication between client and WLC

3. Client enters username and password for webauth

but the wlc virtual IP is not routed anywhere, so how will the username and password reach the wlc ? (through the capwap tunnel ? )

4. controller checks the username/password eiither locally defined or can be on a nac guest server or ISE ?

if the username/password reaches the controller, it should be able to verify the credentials wtih an external entity like NGS oR ISE ?



CreatePlease login to create content