Cisco 9800 Wireless 2024 – Phase 12 – Central Web Authentication (CWA) With Cisco ISE – Part 2

Part 1 can be found here.

Foreign WLC Configuration:

Create a REDIRECT ACL. Note that a 9800 redirect ACL is read the opposite way from a filtering ACL: traffic matching a deny entry is forwarded untouched, traffic matching a permit entry is intercepted and redirected to the ISE portal, and anything that reaches the implicit deny at the end is not redirected either. The deny entries therefore exempt the ISE PSN (portal on 8443, posture/provisioning on 8905 and 8084) and DNS from redirection so the client can actually reach the portal.
ip access-list extended REDIRECT
 20 deny tcp any host 10.0.0.37 eq 8443
 21 deny tcp host 10.0.0.37 any eq 8443
 40 deny ip any 72.163.0.0 0.0.255.255
 50 deny tcp any host 10.0.0.37 eq 8905
 60 deny tcp any host 10.0.0.37 eq 8084
 70 permit tcp any any eq www
 80 deny udp any host 10.0.206.7 eq domain
Define the Cisco ISE RADIUS Server

Note: Enter the same RADIUS shared secret for the “CoA key.”

Define the Cisco ISE RADIUS Server Group
Define the Cisco ISE RADIUS AAA Authorization Method List
Define the Cisco ISE RADIUS AAA Accounting Method List
Edit the global “parameter map”
Create the WLAN
Create the Policy Profile and associate it with the DMZ controller.
Add the SSID to the Policy Tag

FlexConnect APs only:

If the AP is in FlexConnect mode, the REDIRECT ACL must also be added to the AP's Flex Profile (under Policy ACL, with Central Web Auth enabled for that ACL), since a Flex AP switches the client's traffic locally and needs the ACL pushed to it.

DMZ Anchor WLC Configuration:

The configuration can be copied from the foreign WLC and applied to the anchor via the CLI. The full anchor-side configuration is listed below; only the Policy Profile (mobility anchor, VLAN) differs from the foreign.

1. Define the AAA RADIUS Server

radius server visepns-002
 address ipv4 10.0.0.37 auth-port 1812 acct-port 1813
 key 7 <KEY>
!
1.b Define the RADIUS dynamic-author (the CoA listener; each client entry is an ISE PSN that is allowed to send Change of Authorization to this WLC, using the same key as the RADIUS server definition)

aaa server radius dynamic-author
 client 10.0.0.36 server-key 6 QhaYCSJZM_PFIF`TaZ[B`iCOQPISH_
 client 10.0.0.37 server-key 6 dY`[DCdSgGT]eJCViJTQQbWAABry77

2. Define the AAA Server Group

aaa group server radius visepsn-002-SG
 server name visepns-002
 ip radius source-interface Vlan666
 deadtime 5
!
3. Define the AAA Authorization Method List

aaa authorization network ISE_CWA_AUTHZ group visepsn-002-SG
!
4. Define the AAA Accounting Method List

aaa accounting identity ISE_CWA_ACCOUNTING start-stop group visepsn-002-SG
!
5. Edit the global "parameter map"

parameter-map type webauth global
 type webauth
 webauth-http-enable
!
6. Create the WLAN/SSID

 wlan 387 policy CWNE387
 wlan 387 1 387
 mac-filtering ISE_CWA_AUTHZ
 no security ft adaptive
 security wpa psk set-key ascii 8 eDBY\Z_DREY67777333
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
!
7. Create the Policy Profile and terminate the tunnel

wireless profile policy PP_CWA_387
 aaa-override
 accounting-list ISE_CWA_ACCOUNTING
 autoqos mode guest
 description "Policy Profile for SSID 387"
 dhcp-tlv-caching
 no exclusionlist
 http-tlv-caching
 ipv4 acl C9800_ACL_WEBAUTH_REDIRECT
 ipv4 dhcp required
 mobility anchor
 passive-client
 radius-profiling
 service-policy input AutoQos-4.0-wlan-GT-SSID-Input-Policy
 service-policy output AutoQos-4.0-wlan-GT-SSID-Output-Policy
 vlan 666
!
8. Create the REDIRECT ACL

ip access-list extended REDIRECT
 20 deny tcp any host 10.0.0.37 eq 8443
 21 deny tcp host 10.0.0.37 any eq 8443
 40 deny ip any 72.163.0.0 0.0.255.255
 50 deny tcp any host 10.0.0.37 eq 8905
 60 deny tcp any host 10.0.0.37 eq 8084
 70 permit tcp any any eq www
 80 deny udp any host 10.0.206.7 eq domain
!
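Because the REDIRECT ACL above is read with inverted semantics (deny = pass through, permit = redirect, implicit deny = not redirected), it is easy to get an entry order wrong and either redirect the portal traffic itself or never redirect anything. The following Python script is an added example, not part of the original post or of Cisco's tooling: it parses the exact ACL defined on both the foreign and the anchor WLC above and evaluates a handful of constructed client flows (client address 10.0.206.50 and the example destinations are assumptions) to show which ones the controller would intercept.

```python
"""Evaluate which client flows a Catalyst 9800 redirect ACL will intercept.

On a redirect ACL 'permit' means redirect to the ISE portal and 'deny' means
forward the traffic untouched; unmatched traffic hits the implicit deny and is
therefore also NOT redirected.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copy of the REDIRECT ACL from this post, as pasted into IOS-XE.
REDIRECT_ACL = """\
ip access-list extended REDIRECT
 20 deny tcp any host 10.0.0.37 eq 8443
 21 deny tcp host 10.0.0.37 any eq 8443
 40 deny ip any 72.163.0.0 0.0.255.255
 50 deny tcp any host 10.0.0.37 eq 8905
 60 deny tcp any host 10.0.0.37 eq 8084
 70 permit tcp any any eq www
 80 deny udp any host 10.0.206.7 eq domain
"""

# IOS port keywords this ACL style uses in place of numbers.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (host) mask after the slash, e.g. 72.163.0.0/0.0.255.255
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' and return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_acl(text: str) -> List[Ace]:
    """Parse the numbered entries of an extended ACL; the 'ip access-list' header is skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def _matches(ace: Ace, proto, src, sport, dst, dport) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.IPv4Address(src) not in ace.src or ipaddress.IPv4Address(dst) not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != sport:
        return False
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return True


def redirect_decision(aces: List[Ace], proto, src, sport, dst, dport) -> Tuple[str, Optional[int]]:
    """First matching ACE wins. Returns ('redirect'|'bypass', matching sequence or None for the implicit deny)."""
    for ace in aces:
        if _matches(ace, proto, src, sport, dst, dport):
            return ("redirect" if ace.action == "permit" else "bypass"), ace.seq
    return "bypass", None


# Constructed sample flows from a guest client 10.0.206.50 (not taken from the post).
SAMPLE_FLOWS = [
    ("tcp", "10.0.206.50", 51000, "10.0.0.37", 8443),      # ISE guest portal: must NOT be redirected
    ("udp", "10.0.206.50", 53000, "10.0.206.7", 53),       # DNS to the listed resolver: pass through
    ("tcp", "10.0.206.50", 51001, "93.184.216.34", 80),    # plain HTTP: intercepted and redirected
    ("tcp", "10.0.206.50", 51002, "72.163.4.185", 80),     # HTTP into the excluded /16: seq 40 wins over 70
    ("tcp", "10.0.206.50", 51003, "93.184.216.34", 443),   # HTTPS: nothing matches, implicit deny, no redirect
]

if __name__ == "__main__":
    acl = parse_acl(REDIRECT_ACL)
    for flow in SAMPLE_FLOWS:
        verdict, seq = redirect_decision(acl, *flow)
        print(f"{flow[0]} {flow[1]}:{flow[2]} -> {flow[3]}:{flow[4]}  {verdict:8} (ACE {seq})")
```

The last flow is the one worth noticing: with only "permit tcp any any eq www" as a redirect entry, HTTPS requests are never intercepted, so a client whose browser first tries an HTTPS site will only see the portal once it attempts a plain HTTP request (or the OS captive-portal probe fires).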

Note about “export anchor” on the policy profile

Navigate to the Mobility tab and enable Export Anchor. This tells this 9800 WLC that it is the anchor for any WLAN that uses that Policy Profile; in the CLI it is the bare "mobility anchor" line (no IP address) under the policy profile in step 7, whereas the foreign carries "mobility anchor <anchor-ip>". When the foreign 9800 WLC hands a client to the anchor, the anchor looks the Policy Profile up by name, so the Policy Profile must exist on both controllers under exactly the same name or the client will fail to anchor.
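Since the anchor resolves the Policy Profile by name, a typo on one side is the most common reason an anchored CWA client never gets a redirect. The script below is an added example (not from the post, not a Cisco tool) that parses two constructed running-config fragments and cross-checks the pair: same profile name on both controllers, "mobility anchor <ip>" on the foreign and bare "mobility anchor" (Export Anchor) on the anchor, aaa-override on both so ISE can push the redirect URL and ACL, and the REDIRECT ACL defined on both. The foreign-side fragment and the anchor address 10.0.0.90 are assumptions for illustration.

```python
"""Cross-check foreign and anchor 9800 configs for a guest-anchor CWA policy profile."""
import re
from typing import Dict, List, Set

# Constructed running-config fragments (not from the post). The anchor side mirrors
# step 7; the foreign side and the anchor IP 10.0.0.90 are assumptions.
FOREIGN_CONFIG = """\
ip access-list extended REDIRECT
 70 permit tcp any any eq www
wireless profile policy PP_CWA_387
 aaa-override
 accounting-list ISE_CWA_ACCOUNTING
 mobility anchor 10.0.0.90 priority 3
 no shutdown
"""

ANCHOR_CONFIG = """\
ip access-list extended REDIRECT
 70 permit tcp any any eq www
wireless profile policy PP_CWA_387
 aaa-override
 accounting-list ISE_CWA_ACCOUNTING
 mobility anchor
 vlan 666
 no shutdown
"""


def parse_policy_profiles(config: str) -> Dict[str, List[str]]:
    """Return {profile_name: [stripped sub-commands]} for every 'wireless profile policy' block."""
    profiles: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):              # a top-level command ends any open block
            m = re.match(r"wireless profile policy (\S+)", raw)
            current = m.group(1) if m else None
            if current:
                profiles[current] = []
            continue
        if current:
            profiles[current].append(raw.strip())
    return profiles


def acl_names(config: str) -> Set[str]:
    return set(re.findall(r"^ip access-list extended (\S+)", config, re.M))


def check_anchor_pair(foreign_cfg: str, anchor_cfg: str, profile: str, redirect_acl: str) -> List[str]:
    """Return a list of findings; an empty list means the foreign/anchor pair is consistent."""
    findings: List[str] = []
    f_prof, a_prof = parse_policy_profiles(foreign_cfg), parse_policy_profiles(anchor_cfg)

    if profile not in f_prof:
        findings.append(f"foreign: policy profile {profile} missing")
    elif not any(re.match(r"mobility anchor \d", l) for l in f_prof[profile]):
        findings.append("foreign: no 'mobility anchor <ip>' pointing at the DMZ controller")

    if profile not in a_prof:
        findings.append(f"anchor: policy profile {profile} missing (name must match the foreign exactly)")
    elif "mobility anchor" not in a_prof[profile]:
        findings.append("anchor: 'mobility anchor' (Export Anchor) not set")

    for side, profs in (("foreign", f_prof), ("anchor", a_prof)):
        if profile in profs and "aaa-override" not in profs[profile]:
            findings.append(f"{side}: aaa-override missing, ISE cannot push the redirect URL/ACL")

    for side, cfg in (("foreign", foreign_cfg), ("anchor", anchor_cfg)):
        if redirect_acl not in acl_names(cfg):
            findings.append(f"{side}: redirect ACL {redirect_acl} not defined")
    return findings


if __name__ == "__main__":
    for name, anchor in (("as configured", ANCHOR_CONFIG),
                         ("profile renamed on anchor", ANCHOR_CONFIG.replace("PP_CWA_387", "PP-CWA-387"))):
        result = check_anchor_pair(FOREIGN_CONFIG, anchor, "PP_CWA_387", "REDIRECT")
        print(f"{name}: {'OK' if not result else result}")
```

In practice the two fragments would be "show running-config | section wireless profile policy" and "show running-config | section ip access-list" captured from each controller; the check only reads text, so it can run offline against saved configs before a change window.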


Add the devices to Cisco ISE.
Create the authorization profile.

Create the Policy Set

Verify connectivity

Obtain the account info

Connect to the SSID/WLAN

Change of Authorization (CoA)


Wireless device on the Foreign (internal) WLC

Wireless device on the Anchor (DMZ) WLC
