Got an idea brewing in my head and just wondering if it is even possible. Any information or suggestions you can provide (even some Cisco links), would be much appreciated.
I’m currently working on a Wireless Project that consists of rolling out a Guest Wireless Network to each of the client's 600 Branch Site Stores (at 3 APs each) via the US. Cisco ISE (Plus license) has been purchased and will eventually be placed into the Wireless Network. The version of ISE will be up to me to decide.
A FlexConnect WLC with the most updated AireOS version will be used to manage the WAPs (FlexConnect fashion). Each store will consist of a 2911, a Cisco Layer-2 Switch (can't recall model), 2x 2700 APs, and 1x 3700 AP.
There are 3 types of Stores that exist for this particular client, each being a different brand/line. For example Store-A, Store-B, and Store-C. The WLC will host 4 WLANs:
1. CORP-WLAN – Access for Corporate Wireless users back to HDQ
2. GUEST_STORE-A – A Wireless Network for all Guests who are in a Store type A.
3. GUEST_STORE-B – A Wireless Network for all Guests who are in a Store type B.
4. GUEST_STORE-C – A Wireless Network for all Guests who are in a Store type C.
Each guest will be presented with a Guest Web Authentication Page (just accept the TOC/Disclaimer type) that is tailored to the store that the actual guests are in, hence the need for the individual WLANs. What I mean is that the Guest WAP will have that particular store's logo on it, etc.
The way this is basically being deployed is by shipping the APs to the stores, allowing them to communicate back to the WLC via DHCP, identifying the APs on a per-store basis, and then placing the APs into the appropriate AP-Groups. The AP-Groups are configured on a per-store basis and configured to only display that particular Store's Guest WLAN and Guest Web Authentication Page.
As you can see from above, all of the requirements and steps can be tedious with each store deployment. I am trying to keep in mind how annoying this might be to have to manually assist or log all of the MAC Addresses, etc.
I was wondering if there are any alternatives to this setup, possibly involving the ISE (or maybe not?), as ISE will be the future long-term solution.
Would there be any way to implement this process without having to involve manual Engineer intervention? So that we wouldn't have to apply any configurations (such as AP-Groups, 3x WLANs, etc.) on the WLC for this particular task, and instead ISE was somehow able to identify that a customer joined the Guest Wireless Network, was coming from a particular location, and then redirected that customer to the appropriate store-related Web Authentication Page?
For example: Joe is in Store-A, he connects to the Guest Wireless Network (1 WLAN), ISE recognizes he’s coming from Store-A, displays the Store-A Web Agreement Page. If Joe was coming from Store-B, he would then receive the Store-B WAP.
Is this at all possible in any way? Or in general, is there any better solution that may be available/recommended to look-into?
WebAuth redirection is configured per WLAN. So you can easily configure 3 different Web redirection pages for 3 different WLANs.
I do not think ISE could help on the wireless configuration side (putting APs into the correct AP group, etc.). I would suggest having a template configuration for each type of store switch, router, AP, etc. I would suggest defining AP groups based on store type (type A, type B & type C). If you go per-site you will end up with 600 AP groups, which is the max number of AP groups that can be defined on the 7500 series. See below for max AP grouping on WLC.
Regarding ISE version, I would suggest going with the latest, 1.2.1, at the moment. Regarding WLC version, you have to use 7.6.x or 8.0.x because of the 2700 AP model. I would suggest waiting for 8.0 as it gives advanced features to help FlexConnect deployment (like the AP will not reboot while you convert it to FlexConnect).
Here is a very good Ciscolive presentation (2014 SF) you should watch. Here is the link to pdf of the presentation
Without ISE, yes, you could use the other suggestions below whereby you have a custom web auth page loaded on the WLC (containing multiple versions of pages for each respective store) and then assign the appropriate splash pages for each respective store in the WLAN config (with web-auth override config), i.e. store A gets storea.html from the bundle, store B gets storeb.html from the bundle, etc.
With ISE, and presuming you're using CWA (with ISE handling the splash pages), you can house multiple portals on ISE and then use your authorization conditions to determine "where" the client is coming from and assign the respective CWA custom portal. You could then potentially have 1 SSID, but then, using a condition based upon the WLC they hit or the "AP Name", redirect to a different customized portal. It would take a bit more work to get the proper conditions to identify the source of the client, but it's possible.
Thanks a lot for this information, this is exactly what I was looking for.
In reading your response, how would one go about setting something like this up?
If I understand you correctly, what you are saying is that determining the location would be based upon the AP or WLC the client is connecting to? I was kinda looking for something more along the lines of using "location services" or something of that nature.
I am reviewing the following document to assist with the request. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
It has examples of using both the WLC/Location as well as adjusting the call station ID to include info such as AP names, or better yet, AP groups. You could then have a condition (probably compound) that checks as follows:
- If AuthC is from a client in AP Group X, or Y, or Z, then Result = CWA w/ splash page 1
- If AuthC is from a client in AP Group 1, or 2, or 3, then Result = CWA w/ splash page 2
- Otherwise, Result = CWA (default)
Generally in a multi-branch/store environment, you would have each "site" in an AP group, such that you could then reference that Group as part of your policy condition.
Also, FYI you can have up to 6,000 AP Groups on your 7510.
Also, since 7.3, there was an increase to the number of FlexConnect group maximums (2,000 groups, 100 APs each), so you should be able to scale just fine, but would suggest running at least a 18.104.22.168 release.
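To make the rule ordering above concrete, here is an added simulation of that authorization logic (example code, not ISE's or the WLC's own). It assumes the WLC's Call Station ID type has been set to send the AP group name (optionally followed by ":SSID") in the RADIUS Called-Station-Id attribute, and that the group names and portal names are constructed placeholders.

```python
"""Simulate ISE-style authorization rules that pick a CWA portal from the
AP group carried in RADIUS Called-Station-Id (constructed example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule table, evaluated top-down like an ISE authorization
# policy: each rule is (set of AP groups, portal result). First match wins.
RULES: List[Tuple[set, str]] = [
    ({"STORE-A-GRP"}, "CWA_Store_A_Portal"),
    ({"STORE-B-GRP"}, "CWA_Store_B_Portal"),
    ({"STORE-C-GRP"}, "CWA_Store_C_Portal"),
]
DEFAULT_PORTAL = "CWA_Default_Portal"  # the "Result = CWA (default)" rule

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def parse_called_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (ap_group, ssid). Assumed formats: "<group>" or "<group>:<ssid>".
    If the WLC was left at a MAC-based Call Station ID type, the first field is
    a MAC address, not a group, so ap_group is None and no store rule can fire."""
    head, sep, tail = value.partition(":")
    ssid = tail if sep else None
    if not head or _MAC_RE.match(head):
        return None, ssid
    return head.strip().upper(), ssid


def select_portal(radius_attrs: Dict[str, str], guest_ssid: str = "GUEST") -> str:
    """Evaluate the rules for one access request and return the portal name.
    Only requests on the guest SSID (when the SSID is present) get a store
    portal; anything unrecognised falls through to the default rule."""
    csid = radius_attrs.get("Called-Station-Id", "")
    ap_group, ssid = parse_called_station_id(csid)
    if ap_group is None or (ssid is not None and ssid.upper() != guest_ssid):
        return DEFAULT_PORTAL
    for groups, portal in RULES:
        if ap_group in groups:
            return portal
    return DEFAULT_PORTAL


def evaluate_batch(requests: List[Dict[str, str]]) -> List[str]:
    """Decide a portal for each request; handy for checking a rule table."""
    return [select_portal(r) for r in requests]


if __name__ == "__main__":
    # Constructed sample of what the WLC might send for three guests.
    sample = [{"Called-Station-Id": "STORE-A-GRP:GUEST"},
              {"Called-Station-Id": "store-b-grp"},
              {"Called-Station-Id": "00-11-22-33-44-55:GUEST"}]
    print(evaluate_batch(sample))
```

The third sample request shows the failure mode worth testing for: if a controller still sends the AP MAC as the Call Station ID, every guest silently lands on the default portal.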