Requirements: an AAA authentication list and an accounting list. This configuration must exist on both the anchor and the foreign controller.
Create WLAN on anchor and foreign
Create a policy profile – the profile MUST be identical on the anchor and foreign controllers
Add the SSID to the policy tab and tie it to the policy profile
The anchor policy TAG will be the same… with VLAN 666 being the client user VLAN.
Navigate to the Mobility tab and enable Export Anchor. This instructs this 9800 WLC that it is the anchor 9800 WLC for any WLAN that uses that Policy Profile. When the foreign 9800 WLC sends a client to the anchor 9800 WLC, it also tells the anchor which WLAN and Policy Profile the client is assigned to, so the anchor 9800 WLC knows which local Policy Profile to use (which is why the profile names must match).
Create ISE conditions, authorization profiles and policy sets
ISE Policy set
Create a DACL on the anchor controller, allowing traffic to ISE/DNS
ip access-list extended REDIRECT_TO_ISE
 5 remark deny = forwarded without redirect: DNS, DHCP and the ISE portal itself
 10 deny udp any any eq domain
 20 deny udp any eq bootps any
 30 deny udp any any eq bootpc
 40 deny tcp any host 10.0.0.35 eq 8443
 45 remark permit = intercepted and redirected to ISE: client HTTP/HTTPS
 50 permit tcp any any eq www
 60 permit tcp any any eq 443
ip access-list extended PERMIT_INTERNET
 10 permit ip any any
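As an added example (not part of the original post), a small Python simulator of the redirect-ACL semantics behind REDIRECT_TO_ISE: on a 9800 redirect ACL a deny entry passes the flow through untouched while a permit entry sends it to the portal, so the check below flags any pre-auth flow (DNS, DHCP, the ISE portal itself) that an ACL would wrongly intercept. The client and server addresses in the sample flows are constructed.

```python
# Added example, not from the original post: a simulator of the 9800 redirect-ACL
# semantics used by CWA. "deny" = forward without redirecting, "permit" = intercept
# and redirect to the ISE portal, unmatched (implicit deny) = not redirected.

REDIRECT_TO_ISE = """
10 deny udp any any eq domain
20 deny udp any eq bootps any
30 deny udp any any eq bootpc
40 deny tcp any host 10.0.0.35 eq 8443
50 permit tcp any any eq www
60 permit tcp any any eq 443
"""

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

def _endpoint(toks):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq <port>'."""
    addr = toks.pop(0)
    if addr == "host":
        addr = toks.pop(0)
    port = None
    if toks[:1] == ["eq"]:
        port = PORT_NAMES.get(toks[1]) or int(toks[1])
        del toks[:2]
    return addr, port

def parse_acl(text):
    """Parse the IOS-XE extended ACL subset used above into ACE tuples."""
    acl = []
    for line in text.strip().splitlines():
        toks = line.split()
        seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        acl.append((seq, action, proto, *_endpoint(rest), *_endpoint(rest)))
    return acl  # kept in sequence order, which is how the WLC evaluates it

def is_redirected(acl, proto, src, sport, dst, dport):
    """First matching ACE wins: permit -> redirected, deny -> passed through."""
    for _seq, action, *spec in acl:
        if all(s in ("any", None) or v == s
               for v, s in zip((proto, src, sport, dst, dport), spec)):
            return action == "permit"
    return False  # implicit deny: nothing matched, so not redirected

def missing_exemptions(acl, ise_portal, ise_port=8443):
    """Flows a pre-auth client must reach directly that this ACL would redirect."""
    must_pass = {  # constructed sample flows: proto, src, sport, dst, dport
        "DNS": ("udp", "10.0.66.50", 50000, "10.0.0.2", 53),
        "DHCP offer": ("udp", "10.0.66.1", 67, "10.0.66.50", 68),
        "ISE portal": ("tcp", "10.0.66.50", 50001, ise_portal, ise_port),
    }
    return [n for n, flow in must_pass.items() if is_redirected(acl, *flow)]
```

Run missing_exemptions() against any candidate redirect ACL before pushing it; a non-empty result (for example from a catch-all `permit tcp any any` with no deny for the portal host) means the portal page itself would be redirected and the client never gets to log in.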
Test client
Client pulled an IP address – verify the client state on both controllers
Foreign – 10.0.0.140
Anchor verification – 10.0.66.3
ISE logs
Client should be redirected to ISE
Client is able to access the internet
Client is denied access to internal network resources
Denied from accessing an internal FTP server at 10.0.0.5
Allowed to access an FTP server in the DMZ