CCIE Enterprise Wireless (v1.0) – 4.4 Guest management – 4.4.b Central web authentication

Posted in CCIE Enterprise wireless, Cisco 9800 Wireless, Cisco ISE AAA, CWA ISE

Requirements: an AAA authentication list and an accounting list. The configuration must be present on both the anchor and the foreign controller.



Create the WLAN on the anchor and the foreign controller





Create a policy profile – the profile MUST be identical on the anchor and foreign controllers





Add the SSID to the policy tag and tie it to the policy profile


The anchor policy tag will be the same, with VLAN 666 being the client user VLAN.


Navigate to the Mobility tab and enable Export Anchor. This instructs this 9800 WLC that it is the anchor 9800 WLC for any WLAN that uses that Policy Profile. When the foreign 9800 WLC sends clients to the anchor 9800 WLC, it includes the WLAN and the Policy Profile the client is assigned to, so the anchor 9800 WLC knows which local Policy Profile to use.




Create ISE conditions, authorization profiles and policy sets


ISE Policy set



Create a DACL on the anchor controller, allowing traffic to ISE/DNS (in a WLC redirect ACL a deny entry means the traffic passes without redirection, while a permit entry means the traffic is intercepted and redirected to ISE)

ip access-list extended REDIRECT_TO_ISE
 ! deny = do not redirect: DNS, DHCP and the ISE portal itself must reach their destination
 10 deny udp any any eq domain
 20 deny udp any eq bootps any
 30 deny udp any any eq bootpc
 40 deny tcp any host 10.0.0.35 eq 8443
 ! permit = intercept and redirect the client's HTTP/HTTPS to the ISE portal
 50 permit tcp any any eq www
 60 permit tcp any any eq 443

ip access-list extended PERMIT_INTERNET
 ! applied after successful web authentication
 10 permit ip any any
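To check the inverted redirect-ACL semantics before pushing the ACL to the anchor, here is an added example (not from the original post) that parses the page's REDIRECT_TO_ISE entries and evaluates sample client flows first-match, the way the WLC does; the client address 10.0.66.3 and the ISE address 10.0.0.35 come from the page, the other addresses and ports are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Redirect ACL as shown on the page. WLC redirect-ACL semantics are inverted
# relative to a filtering ACL: "deny" = leave the flow alone, "permit" =
# intercept the flow and redirect it to the ISE portal.
REDIRECT_TO_ISE = """
10 deny udp any any eq domain
20 deny udp any eq bootps any
30 deny udp any any eq bootpc
40 deny tcp any host 10.0.0.35 eq 8443
50 permit tcp any any eq www
60 permit tcp any any eq 443
"""

NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: str               # "any" or a host address
    sport: Optional[int]   # None = any source port
    dst: str
    dport: Optional[int]   # None = any destination port

# Only the ACE forms used on the page: "any", "host A.B.C.D", "eq <port>".
ACE_RE = re.compile(
    r"^(\d+) (permit|deny) (tcp|udp) (any|host \S+)(?: eq (\S+))? (any|host \S+)(?: eq (\S+))?$")

def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        seq, action, proto, src, sp, dst, dp = m.groups()
        port = lambda p: None if p is None else (int(p) if p.isdigit() else NAMED_PORTS[p])
        aces.append(Ace(int(seq), action, proto, src.replace("host ", ""), port(sp),
                        dst.replace("host ", ""), port(dp)))
    return sorted(aces, key=lambda a: a.seq)

def redirect_decision(acl, proto, src, sport, dst, dport) -> Optional[str]:
    """First match wins. "redirect" for a permit entry, "bypass" for a deny
    entry, None when nothing matches (the redirect ACL does not touch the flow)."""
    for a in acl:
        if (a.proto == proto and a.src in ("any", src) and a.sport in (None, sport)
                and a.dst in ("any", dst) and a.dport in (None, dport)):
            return "redirect" if a.action == "permit" else "bypass"
    return None
```

Feeding the client-side DHCP discover (UDP source port 68 to destination port 67) through it returns None, because entries 20 and 30 only match server port 67 as the source or client port 68 as the destination.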


Test client

Client pulled an IP address – verify client state on both controllers

Foreign – 10.0.0.140

Anchor verification 10.0.66.3


ISE logs




Client should be redirected to ISE





Client is able to access the internet

Client is denied from accessing internal network resources

Denied from accessing an internal FTP server at 10.0.0.5



Allowed to access an FTP server in the DMZ
