LWA Process with the ISE Guest Portal

1. The browser tries to fetch a web page.

2. The WLC intercepts the HTTP(S) request and redirects it to the ISE.
Several key pieces of information are stored in that HTTP redirect header. Here is an example of the redirect URL:
https://mlatosieise.wlaaan.com:8443/portal/PortalSetup.action?portal=27963fb0-e96e-11e4-a30a-005056bf01c9#&ui-state=dialog?switch_url=https://1.1.1.1/login.html&ap_mac=b8:be:bf:14:41:90&client_mac=28:cf:e9:13:47:cb&wlan=mlatosie_LWA&redirect=yahoo.com/
From the example URL, you can see that the user tried to reach “yahoo.com.” The URL also contains information about the Wireless Local Area Network (WLAN) name (mlatosie_LWA), and the client and access point (AP) MAC addresses. In the example URL, 1.1.1.1 is the WLC, and mlatosieise.wlaaan.com is the ISE server.

3. The user is presented with the ISE guest login page and enters the username and password.

4. The ISE performs authentication against its configured identity sequence.

5. The browser redirects again. This time, it submits credentials to the WLC. The browser provides the username and password that the user entered in the ISE without any additional interaction from the user. Here is an example GET request to the WLC:
GET /login.html?redirect_url=http://yahoo.com/&username=mlatosie%40cisco.com&password=ityh&buttonClicked=4&err_flag=0
Again, the original URL (yahoo.com), the username (mlatosie@cisco.com), and the password (ityh) are all included.

Note: Although the URL is visible here, the actual request is submitted over Secure Sockets Layer (SSL), which is indicated by HTTPS, and is hard to intercept.

6. The WLC uses RADIUS in order to authenticate that username and password against the ISE and allows access.

7. The user is redirected to the specified portal. Refer to the “Configure external ISE as the webauth URL” section of this document for more information.
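The two requests from steps 2 and 5 parsed in code, as an added example that is not part of the original article or of any Cisco tool. It uses the article's own example URLs as constructed input, pulls the WLC parameters out of the odd `#&ui-state=dialog?...` fragment where a plain query parser misses them, runs the sanity checks a WLC- or proxy-side defender would want on the redirect, and shows how to mask the password before the step-5 request line is written to a log (the check thresholds, `wlc_host`, and `allowed_wlans` are assumptions for the example).

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed copies of the two requests quoted above (the article's own example values).
ISE_REDIRECT = ("https://mlatosieise.wlaaan.com:8443/portal/PortalSetup.action"
                "?portal=27963fb0-e96e-11e4-a30a-005056bf01c9#&ui-state=dialog"
                "?switch_url=https://1.1.1.1/login.html&ap_mac=b8:be:bf:14:41:90"
                "&client_mac=28:cf:e9:13:47:cb&wlan=mlatosie_LWA&redirect=yahoo.com/")
WLC_LOGIN = ("GET /login.html?redirect_url=http://yahoo.com/&username=mlatosie%40cisco.com"
             "&password=ityh&buttonClicked=4&err_flag=0")

def parse_ise_redirect(url):
    """Split the step-2 redirect into the ISE portal id and the WLC parameters.
    The WLC data sits after the '#' fragment as 'ui-state=dialog?k=v&...', so a
    plain query parser never sees it; the fragment has to be split by hand."""
    parts = urlsplit(url)
    fields = {"ise_host": parts.hostname, "ise_port": parts.port,
              "portal": parse_qs(parts.query)["portal"][0]}
    _, _, wlc_query = parts.fragment.partition("?")
    fields.update((k, v[0]) for k, v in parse_qs(wlc_query).items())
    return fields

def parse_wlc_login(request_line):
    """Parse the step-5 'GET /login.html?...' request line into (method, path, params)."""
    method, _, target = request_line.partition(" ")
    path, _, query = target.partition("?")
    return method, path, {k: v[0] for k, v in parse_qs(query).items()}

def check_redirect(fields, wlc_host, allowed_wlans):
    """Problems a WLC- or proxy-side sanity check would flag on the parsed redirect (assumed rules)."""
    problems = []
    if urlsplit(fields.get("switch_url", "")).hostname != wlc_host:
        problems.append("switch_url does not point at the expected WLC")
    if fields.get("wlan") not in allowed_wlans:
        problems.append("unknown WLAN name")
    if "://" in fields.get("redirect", ""):
        problems.append("redirect carries a scheme; expected a bare host/path")
    return problems

def redact_wlc_login(request_line, secret_keys=("password",)):
    """Re-emit the step-5 request line with credential values masked, for safe logging."""
    method, path, params = parse_wlc_login(request_line)
    safe = {k: ("REDACTED" if k in secret_keys else v) for k, v in params.items()}
    return f"{method} {path}?{urlencode(safe)}"

if __name__ == "__main__":
    fields = parse_ise_redirect(ISE_REDIRECT)
    print(fields)
    print(check_redirect(fields, "1.1.1.1", {"mlatosie_LWA"}))
    print(redact_wlc_login(WLC_LOGIN))
```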
