Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Multi-Store Guest Network - Automatically receives appropiate Web Auth Page (POSSIBLE)???

Hey Guys-

  Got an idea brewing in my head and just wondering if it is even possible.  Any information or suggestions you can provide (even some Cisco links), would be much appreciated.

I’m currently working on a Wireless Project, that consists of rolling out a Guest Wireless Network to each of the clients 600 Branch Site Stores (at 3 APs each) via the US.
  Cisco ISE (Plus license) has been purchased and will eventually be placed into the Wireless Network.  The version of ISE will be up to me to decide to use.


The Setup

A FlexConnect WLC will the most updated AirIOS version will be used to manage the WAPs (FlexConnect fashion).  Each store will consist of a 2911, Cisco Layer-2 Switch (can't recall model), 2x 2700 APs, and 1x 3700 AP.

There are 3 types of Stores that exist for this particular client, each being a different brand/line.  For example Store-A, Store-B, and Store-C.
The WLC will host 4 WLANs:

1.  CORP-WLAN – Access for Corporate Wireless users back to HDQ

2.  GUEST_STORE-A – A Wireless Network for all Guests who are in a Store type A.

3.  GUEST_STORE-B - A Wireless Network for all Guests who are in a Store type B.

4.  GUEST_STORE-C - A Wireless Network for all Guests who are in a Store type C.

Each guest will be presented with a Guest Web Authentication Page (just accept the TOC/Disclaimer type) that is tailored to the store that the actual guests are in, hence the need for the individual WLANs.  What I mean is that the Guest WAP will have that particular store logo on it and etc.

The way this is basically being deployed is by shipping the APs to the stores, allowing them to communicate back to the WLC via DHCP, identifying the APs on a per-store basis, and then placing the APs into the appropriate AP-Groups.  The AP-Groups are configured on a per-store basis and configure to only display that particular Stores Guest WLAN and the Guest Web Authentication Page.

As you can see from above, all of requirements and steps can be tedious with each store deployment.  I am trying to keep in mind of how annoying this might be to have to manually assist or log all of the MAC Addresses or etc.


The Idea

I was wondering if there are any alternatives to this setup, possibility involving the ISE (or maybe not?); as ISE will be the future long-term solution.

Would there be any way to implement this process without having to involved manual Engineer intervention?  So that we wouldn't have to apply any configurations (such as AP-Groups, 3xWLANs, etc) or configurations on the WLC for this particular task, and instead ISE was somehow able to identify that a customer joined the Guest Wireless Network, was coming from a particular location, and then redirected that customer to the appropriate store related Web Authentication Page?

For example:  Joe is in Store-A, he connects to the Guest Wireless Network (1 WLAN), ISE recognizes he’s coming from Store-A, displays the Store-A Web Agreement Page.  If Joe was coming from Store-B, he would then receive the Store-B WAP.

Is this at all possible in any way?  Or in general, is there any better solution that may be available/recommended to look-into?

7 REPLIES
VIP Purple

HiWebAuth redirection is

Hi

WebAuth redirection is configured per WLAN. So you can easily configure 3 different  Web redirection pages for 3 different WLAN.

 

I do not think ISE could help on wireless configuration side (put AP onto correct AP group,etc). I would suggest to have template configuration for a each type of store switch, router, AP, etc. I would suggest to define AP group based on store type, (type A, type B & type C). If you go per-site you will end up 600 AP groups which is the max number of AP groups can be defined on 7500 series. See below for max AP grouping on WLC

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1100643

 

Regarding ISE version, I would suggest to go with latest 1.2.1 at the moment. Regarding WLC version you have to use 7.6.x or 8.0.x as of 2700 AP model. I would suggest wait to 8.0 as it gives Advanced features to help FlexConnect deployment (like AP will not reboot while you convert to FlexConnect)

Here is a very good Ciscolive presentation (2014 SF) you should watch. Here is the link to pdf of the presentation

BRKEWN-2016 -Architecting Network for Branch Offices with Cisco Unified Wireless 

 

Pls do not forget to rate all useful responses

 

HTH

Rasika

 

 

New Member

Thanks Rasika!Ugh that stinks

Thanks Rasika!

Ugh that stinks, so it seems that the manual intervention would be necessary regardless.  I was looking for more of an automated approach.

 

Thank you for the help again!

Cisco Employee

It would be awesome if a lot

It would be awesome if a lot of these things were automatic but then hey what we do to earn a living.

If you wanted to use the same SSID you could just change the WLAN profile name and have multiple ssids of the same name each with a different profile.

Without ISE, yes you could

Without ISE, yes you could use the other suggestions below where-by you have a custom web auth page loaded on the WLC (containing multiple versions of pages for each respective store) and then assign the appropriate splash pages for each respective store in the WLAN config (with web-auth override config) ie. store a gets storea.html from the bundle, store b gets storeb.html from the bundle, etc.

 

With ISE, and presuming your using CWA (with ISE handlng the splash pages), you can house multiple portals on ISE and then use your authorization conditions to determine "where" the client is coming from and assign the respective CWA custom portal.   You could then potentially have 1 SSID, but then using a condition based upon the WLC they hit, or the "AP Name", redirect to a different customized portal.  It would take a bit more work to get the proper conditions to identify the source of the client, but it's possible.

New Member

@davatkins-  Thanks a lot for

@davatkins-

  Thanks a lot for this information, this is exactly what I was looking for.

In reading your response, how would one go about setting something like this up?

If i understand you correctly, what you are saying is that determing the location would be based upon the AP or WLC the client is connecting to?  I was kinda looking for something more along the lines of using "location services" or something of that nature.

I am reviewing the following document to assist with the request.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Correct, you can have a

Correct, you can have a condition on the ISE to validate the WLC the client comes from, but this would mean that your use-cases for the splash page were separated by WLC.

In your case, with the Flex WLC, I imagine that's not the case. 


Take a look at this doc, I think this is exactly what you're after: https://supportforums.cisco.com/sites/default/files/ise_location-based_web_portals-v2.pdf

It has examples of using both the WLC/Location as well as adjusting the call station ID to include info such as AP names, or better yet, AP groups.  You could then have a condition (probably compound) that checks as follows.

 

If AuthC is from client in AP Group: X, or Y, or Z

then Result = CWA w/ splash page 1


If AuthC is from client in AP Group: 1, or 2, or 3

then Result = CWA w/ splash page 2

Etc...

Else if

Result = CWA (default)

 

Generally in a multi-branch/store environment, you would have each "site" in an AP group, such that you could then reference that Group as part of your policy condition.


Let me know if that helps!

Thanks

Also, FYI you can have up to

Also, FYI you can have up to 6,000 AP Groups on your 7510.

Also, since 7.3, there was an increase to the number of FlexConnect group maximums (2,000 groups, 100 APs each), so you should be able to scale just fine, but would suggest running at least a 7.4.121.0 release.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01011111.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001111.html#ID1324

135
Views
8
Helpful
7
Replies
CreatePlease to create content