Cisco ISE 2.0 – Guest Authentication

This is a four-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

For more guides about configuring (previous) Cisco ISE versions, see this page. This is part 3: configuring the Cisco WLC for guest access.

Configure WLANs on the WLC

  1. Navigate to WLANs, Create New.
  2. Configure General Settings (profile name, SSID, status, interface).

  3. Configure Security:

Since ISE 1.1 the recommended approach for guest access is Central Web Authentication (CWA): Layer 2 security set to None with MAC Filtering enabled and ISE as the RADIUS server of the WLAN, instead of Layer 3 Web Auth with an external portal. The Layer 3 approach sends the client through many hops from WLC to ISE and back; see this article for more information.

  4. Configure Advanced Settings:

  • Allow AAA Override: lets ISE override per-client WLAN settings (for example the VLAN/interface and the ACL) through RADIUS attributes in the Access-Accept. Without it the WLC ignores what ISE returns.
  • DHCP Addr. Assignment (Required): clients must obtain their IP address from the configured DHCP server; a client with a static address is not allowed on the WLAN.
  • NAC State (Radius NAC): lets ISE send a CoA (Change of Authorization) request to the WLC that indicates the user is now authenticated and may access the network. It is also used for posture assessment, where ISE changes the client's authorization based on the posture result. This requires CoA (RFC 3576) to be enabled on the RADIUS server entry for ISE.
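The same WLAN settings entered through the GUI in steps 1 to 4, expressed on the AireOS WLC CLI. This is an added example, not configuration from the original post: WLAN ID 3, profile name Guest-WLAN, SSID Guest, dynamic interface guest, RADIUS server index 1, the ISE address 10.0.0.10 and the shared secret are assumed values, the command syntax is that of AireOS 8.x (confirm with ? on your release), and the lines starting with ! are comments rather than commands.

```text
! --- Added example: WLC (AireOS) CLI equivalent of GUI steps 1-4 above ---
! Assumed values: ISE at 10.0.0.10, RADIUS index 1, WLAN ID 3, interface "guest".

! Define ISE as RADIUS authentication and accounting server. CoA (RFC 3576)
! must be enabled on the server entry, otherwise the Radius NAC state below
! cannot move the client from the portal to full access.
config radius auth add 1 10.0.0.10 1812 ascii S3cr3tSh4redKey
config radius auth rfc3576 enable 1
config radius auth enable 1
config radius acct add 1 10.0.0.10 1813 ascii S3cr3tSh4redKey
config radius acct enable 1

! Step 1-2: create the guest WLAN (ID, profile name, SSID) and bind it to the
! guest interface (General settings).
config wlan create 3 Guest-WLAN Guest
config wlan interface 3 guest

! Step 3: Security. Layer 2 = None with MAC Filtering, no Layer 3 web auth on
! the WLC itself, ISE as AAA server of the WLAN (central web authentication).
config wlan security wpa disable 3
config wlan security web-auth disable 3
config wlan mac-filtering enable 3
config wlan radius_server auth add 3 1
config wlan radius_server acct add 3 1

! Step 4: Advanced. AAA override, DHCP address assignment required
! (0.0.0.0 keeps the DHCP server of the interface) and Radius NAC.
config wlan aaa-override enable 3
config wlan dhcp_server 3 0.0.0.0 required
config wlan nac radius enable 3
config wlan enable 3

! Checks: the WLAN should show MAC filtering enabled, AAA override enabled,
! NAC state "Radius NAC" and the ISE server bound; the RADIUS summary should
! list the server with RFC 3576 (CoA) enabled.
show wlan 3
show radius summary
```

The order matters: the RADIUS server entry has to exist before it can be added to the WLAN, and the WLAN should stay disabled until MAC filtering and the AAA settings are in place, otherwise the default WPA2/802.1X security of a freshly created WLAN is briefly live.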

Configure Access Lists on the WLC

The access list below is referenced by name in the Access-Accept that ISE returns for a not-yet-authenticated guest (the cisco-av-pair url-redirect-acl, next to the url-redirect pointing at the portal) and defines which traffic is allowed or denied before the user has authenticated on the guest portal. Note that a redirect ACL on an AireOS WLC works the opposite way from an IOS switch: traffic matching a permit entry is forwarded normally, while HTTP/HTTPS traffic matching a deny entry is redirected to the portal.

Local Mode SSIDs

  1. Navigate to Security, Access Control Lists, Access Control Lists.
  2. Create the following ACL and name it “CWA_Redirect”. It only allows DNS and the guest portal (TCP 8443) between the client and ISE:
    1. Traffic to and from ISE over port 8443 is allowed.
    2. Traffic originating from ISE to anywhere is allowed.
    3. DNS traffic to and from ISE is allowed. If guests resolve names through another DNS server, permit DNS to that server as well; otherwise the client cannot resolve the portal hostname in the redirect URL.
    4. Everything else is denied, which on the WLC means that HTTP/HTTPS is redirected to the portal and other traffic is dropped.

  3. The added ACL is not applied to anything yet, but it is available for ISE to reference in its policies.
  4. Navigate to Management, Logs, Config to add ISE as a syslog server (optional).

FlexConnect SSIDs

If your guest WLAN uses FlexConnect local switching, the ACL has to be created as a FlexConnect ACL so that it is enforced on the AP: locally switched client traffic never passes through the WLC, so a normal WLC ACL would not see it and is not needed in this case.

  1. Navigate to Wireless, FlexConnect ACLs.
  2. Create the following ACL and name it “Flex_ACL”. It only allows DNS and the guest portal (TCP 8443) between the client and ISE, with the same four rules as CWA_Redirect:
    1. Traffic to and from ISE over port 8443 is allowed.
    2. Traffic originating from ISE to anywhere is allowed.
    3. DNS traffic to and from ISE is allowed.
    4. Everything else is denied.

  3. Navigate to the Wireless tab, select the FlexConnect AP, open the FlexConnect tab, External WebAuth ACLs, Policies, and add Flex_ACL.

This pushes the ACL to the AP. It is not applied to any client yet, but it is available for ISE to reference in its policies.
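The local-mode ACL CWA_Redirect from the previous section and the FlexConnect ACL Flex_ACL from this one, expressed on the AireOS WLC CLI. This is an added example, not configuration from the original post: the ISE address 10.0.0.10, the AP name AP-Guest-01 and the in/out direction values (inbound = from the wireless client, outbound = towards it) are assumptions, the four rules follow the lists in the post, the command syntax is that of AireOS 8.x (confirm with ? on your release), and the lines starting with ! are comments rather than commands.

```text
! --- Added example: WLC (AireOS) CLI for the redirect ACLs ---
! Assumed values: ISE at 10.0.0.10, FlexConnect AP named AP-Guest-01.
! On a WLC: permit = forward normally, deny = redirect HTTP/HTTPS to the portal.

! Local mode ACL, referenced by ISE as url-redirect-acl=CWA_Redirect
config acl create CWA_Redirect

! Rule 1: client -> ISE guest portal, TCP 8443 (inbound = from the client)
config acl rule add CWA_Redirect 1
config acl rule action CWA_Redirect 1 permit
config acl rule protocol CWA_Redirect 1 6
config acl rule source address CWA_Redirect 1 0.0.0.0 0.0.0.0
config acl rule destination address CWA_Redirect 1 10.0.0.10 255.255.255.255
config acl rule destination port range CWA_Redirect 1 8443 8443
config acl rule direction CWA_Redirect 1 in

! Rule 2: anything from ISE back towards the client (outbound = to the client)
config acl rule add CWA_Redirect 2
config acl rule action CWA_Redirect 2 permit
config acl rule protocol CWA_Redirect 2 any
config acl rule source address CWA_Redirect 2 10.0.0.10 255.255.255.255
config acl rule destination address CWA_Redirect 2 0.0.0.0 0.0.0.0
config acl rule direction CWA_Redirect 2 out

! Rule 3: DNS (UDP 53) from the client to ISE, as in the post. Add the same
! rule for the guests' DNS server if that is not ISE, or the portal FQDN in
! the redirect URL cannot be resolved.
config acl rule add CWA_Redirect 3
config acl rule action CWA_Redirect 3 permit
config acl rule protocol CWA_Redirect 3 17
config acl rule source address CWA_Redirect 3 0.0.0.0 0.0.0.0
config acl rule destination address CWA_Redirect 3 10.0.0.10 255.255.255.255
config acl rule destination port range CWA_Redirect 3 53 53
config acl rule direction CWA_Redirect 3 in

! Rule 4: everything else is denied, i.e. HTTP/HTTPS is redirected to the portal
config acl rule add CWA_Redirect 4
config acl rule action CWA_Redirect 4 deny
config acl rule protocol CWA_Redirect 4 any
config acl rule source address CWA_Redirect 4 0.0.0.0 0.0.0.0
config acl rule destination address CWA_Redirect 4 0.0.0.0 0.0.0.0
config acl rule direction CWA_Redirect 4 any
config acl apply CWA_Redirect

! FlexConnect: the same four rules as a FlexConnect ACL (enforced on the AP),
! then pushed to the AP as its external web-auth ACL.
config flexconnect acl create Flex_ACL
config flexconnect acl rule add Flex_ACL 1
config flexconnect acl rule action Flex_ACL 1 permit
config flexconnect acl rule protocol Flex_ACL 1 6
config flexconnect acl rule source address Flex_ACL 1 0.0.0.0 0.0.0.0
config flexconnect acl rule destination address Flex_ACL 1 10.0.0.10 255.255.255.255
config flexconnect acl rule destination port range Flex_ACL 1 8443 8443
config flexconnect acl rule direction Flex_ACL 1 in
config flexconnect acl rule add Flex_ACL 2
config flexconnect acl rule action Flex_ACL 2 permit
config flexconnect acl rule protocol Flex_ACL 2 any
config flexconnect acl rule source address Flex_ACL 2 10.0.0.10 255.255.255.255
config flexconnect acl rule destination address Flex_ACL 2 0.0.0.0 0.0.0.0
config flexconnect acl rule direction Flex_ACL 2 out
config flexconnect acl rule add Flex_ACL 3
config flexconnect acl rule action Flex_ACL 3 permit
config flexconnect acl rule protocol Flex_ACL 3 17
config flexconnect acl rule source address Flex_ACL 3 0.0.0.0 0.0.0.0
config flexconnect acl rule destination address Flex_ACL 3 10.0.0.10 255.255.255.255
config flexconnect acl rule destination port range Flex_ACL 3 53 53
config flexconnect acl rule direction Flex_ACL 3 in
config flexconnect acl rule add Flex_ACL 4
config flexconnect acl rule action Flex_ACL 4 deny
config flexconnect acl rule protocol Flex_ACL 4 any
config flexconnect acl rule source address Flex_ACL 4 0.0.0.0 0.0.0.0
config flexconnect acl rule destination address Flex_ACL 4 0.0.0.0 0.0.0.0
config flexconnect acl rule direction Flex_ACL 4 any
config flexconnect acl apply Flex_ACL
! Per-AP push, the GUI step above (assumed command; verify with ? on your release)
config ap flexconnect web-policy acl add Flex_ACL AP-Guest-01

! Checks: the rules as the WLC holds them, and, once a guest has associated,
! the redirect URL and ACL name that ISE returned for that client.
show acl detailed CWA_Redirect
show flexconnect acl detailed Flex_ACL
show client detail <client-mac>
```

If the client gets no portal page, look at show client detail first: a missing URL Redirect ACL usually means AAA override is off or the ACL name ISE returns does not match the name on the WLC (names are case sensitive), while a present but unresolvable redirect URL points at the DNS rule.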

Thanks to Dominique Hermans (follow him on Twitter) for his great help with these Cisco ISE 2.0 blog posts!