Part 1 can be found here.
Foreign WLC Configuration:
Create a REDIRECT ACL
ip access-list extended REDIRECT
20 deny tcp any host 10.0.0.37 eq 8443
21 deny tcp host 10.0.0.37 any eq 8443
40 deny ip any 72.163.0.0 0.0.255.255
50 deny tcp any host 10.0.0.37 eq 8905
60 deny tcp any host 10.0.0.37 eq 8084
70 permit tcp any any eq www
80 deny udp any host 10.0.206.7 eq domain
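As an added example (not code from the original post), the following Python script parses the REDIRECT ACL above and evaluates sample client flows against it. On the 9800 a redirect ACL is read the opposite way from a filtering ACL: traffic matching a permit entry is intercepted and redirected to the ISE portal, while traffic matching a deny entry (or the implicit deny at the end) is left alone by the redirect logic. The ACL name referenced from the ISE authorization profile must match the name on the controller, so the entries are worth checking before deployment. The guest client and Internet addresses in the script are constructed; the ISE and DNS addresses are the ones in the ACL.

```python
"""Evaluate the CWA REDIRECT ACL above against sample client flows.

Added example, not code from the original post. 'permit' entries name the
traffic the controller intercepts and redirects to the ISE portal; 'deny'
entries (and the implicit deny) name traffic the redirect logic leaves alone.
This reproduces that first-match evaluation.
"""
import ipaddress

# Constructed sample: the REDIRECT ACL entries defined in the post above.
REDIRECT_ACL = """
20 deny tcp any host 10.0.0.37 eq 8443
21 deny tcp host 10.0.0.37 any eq 8443
40 deny ip any 72.163.0.0 0.0.255.255
50 deny tcp any host 10.0.0.37 eq 8905
60 deny tcp any host 10.0.0.37 eq 8084
70 permit tcp any any eq www
80 deny udp any host 10.0.206.7 eq domain
"""

PORT_NAMES = {"www": 80, "domain": 53}  # IOS port keywords used above


def _parse_address(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (host) mask in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'seq action proto src [eq p] dst [eq p]' lines, ordered by sequence number."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _parse_address(tokens[3:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_address(rest)
        dport, rest = _parse_port(rest)
        entries.append({"seq": seq, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return sorted(entries, key=lambda e: e["seq"])


def first_match(entries, proto, src_ip, dst_ip, dst_port, src_port=None):
    """Return the first entry matching the flow, or None for the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto):  # 'ip' entries match every protocol
            continue
        if src_ip not in e["src"] or dst_ip not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != src_port:
            continue
        if e["dport"] is not None and e["dport"] != dst_port:
            continue
        return e
    return None


def is_redirected(entries, proto, src_ip, dst_ip, dst_port, src_port=None):
    """True when the flow hits a permit entry, i.e. the controller redirects it to the portal."""
    hit = first_match(entries, proto, src_ip, dst_ip, dst_port, src_port)
    return hit is not None and hit["action"] == "permit"


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_ACL)
    client = "10.1.2.3"  # constructed guest client address
    flows = [
        ("HTTP to the Internet", ("tcp", client, "203.0.113.10", 80)),
        ("ISE portal on 8443", ("tcp", client, "10.0.0.37", 8443)),
        ("DNS to 10.0.206.7", ("udp", client, "10.0.206.7", 53)),
        ("HTTPS to the Internet", ("tcp", client, "203.0.113.10", 443)),
    ]
    for label, flow in flows:
        hit = first_match(acl, *flow)
        seq = hit["seq"] if hit else "implicit deny"
        print(f"{label:22} -> entry {seq}, redirect={is_redirected(acl, *flow)}")
```

Only the plain-HTTP flow is redirected: the portal on ISE, DNS to the listed resolver and the 72.163.0.0/16 range hit deny entries, and anything else (HTTPS to the Internet, for example) falls through to the implicit deny and is not redirected either.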
Define the Cisco ISE RADIUS Server
Note: Enter the same RADIUS shared secret for the “CoA key.”
Define the Cisco ISE RADIUS Server Group
Define the Cisco ISE RADIUS AAA Authorization Method List
Define the Cisco ISE RADIUS AAA Accounting Method List
Edit the global “parameter map”
Create the WLAN
Create the Policy Profile and associate it with the DMZ controller.
Add the SSID to the Policy Tag
FlexConnect APs only:
If the AP is in FlexConnect mode, the REDIRECT ACL must be added
DMZ Anchor WLC Configuration:
The configuration can be copied from the WLC and applied via the CLI.
1. Define the AAA RADIUS Server
radius server visepns-002
address ipv4 10.0.0.37 auth-port 1812 acct-port 1813
key 7 <KEY>
!
1.b Define the RADIUS dynamic-author
aaa server radius dynamic-author
client 10.0.0.36 server-key 6 QhaYCSJZM_PFIF`TaZ[B`iCOQPISH_
client 10.0.0.37 server-key 6 dY`[DCdSgGT]eJCViJTQQbWAABry77
2. Define the AAA Server Group
aaa group server radius visepsn-002-SG
server name visepns-002
ip radius source-interface Vlan666
deadtime 5
!
3. Define the AAA Authorization Method List
aaa authorization network ISE_CWA_AUTHZ group visepsn-002-SG
!
4. Define the AAA Accounting Method List
aaa accounting identity ISE_CWA_ACCOUNTING start-stop group visepsn-002-SG
!
5. Edit the global "parameter map"
parameter-map type webauth global
type webauth
webauth-http-enable
!
6. Create the WLAN/SSID
wlan 387 policy CWNE387
wlan 387 1 387
mac-filtering ISE_CWA_AUTHZ
no security ft adaptive
security wpa psk set-key ascii 8 eDBY\Z_DREY67777333
no security wpa akm dot1x
security wpa akm psk
no shutdown
!
7. Create the Policy Profile and terminate the tunnel
wireless profile policy PP_CWA_387
aaa-override
accounting-list ISE_CWA_ACCOUNTING
autoqos mode guest
description "Policy Profile for SSID 387"
dhcp-tlv-caching
no exclusionlist
http-tlv-caching
ipv4 acl C9800_ACL_WEBAUTH_REDIRECT
ipv4 dhcp required
mobility anchor
passive-client
radius-profiling
service-policy input AutoQos-4.0-wlan-GT-SSID-Input-Policy
service-policy output AutoQos-4.0-wlan-GT-SSID-Output-Policy
vlan 666
!
8. Create the REDIRECT ACL
ip access-list extended REDIRECT
20 deny tcp any host 10.0.0.37 eq 8443
21 deny tcp host 10.0.0.37 any eq 8443
40 deny ip any 72.163.0.0 0.0.255.255
50 deny tcp any host 10.0.0.37 eq 8905
60 deny tcp any host 10.0.0.37 eq 8084
70 permit tcp any any eq www
80 deny udp any host 10.0.206.7 eq domain
!
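As an added example (not code from the original post), this Python checker parses the anchor configuration above, collects every object it defines and every name it references, and reports references that have no definition in the snippet. Run on the configuration as printed, it reports two: the policy profile's `ipv4 acl C9800_ACL_WEBAUTH_REDIRECT` (the ACL created in step 8 is named `REDIRECT`) and the `wlan 387 policy CWNE387` binding (the policy profile created in step 7 is `PP_CWA_387`). Either may be defined elsewhere on the controller; the point is to catch a name mismatch before pasting the configuration in. The snippet's secrets are replaced with placeholders.

```python
"""Cross-reference check of the anchor WLC configuration above.

Added example, not code from the original post. Collects the objects the
snippet defines (RADIUS servers, server groups, method lists, WLAN profiles,
policy profiles, ACLs) and the names they reference, then reports references
whose target is not defined in the snippet.
"""
import re
from collections import defaultdict

# Constructed sample: the anchor configuration from the post, trimmed to the
# lines that define or reference other objects, with secrets as placeholders.
ANCHOR_CONFIG = """
radius server visepns-002
address ipv4 10.0.0.37 auth-port 1812 acct-port 1813
key 7 <KEY>
!
aaa group server radius visepsn-002-SG
server name visepns-002
!
aaa authorization network ISE_CWA_AUTHZ group visepsn-002-SG
!
aaa accounting identity ISE_CWA_ACCOUNTING start-stop group visepsn-002-SG
!
wlan 387 policy CWNE387
wlan 387 1 387
mac-filtering ISE_CWA_AUTHZ
no shutdown
!
wireless profile policy PP_CWA_387
accounting-list ISE_CWA_ACCOUNTING
ipv4 acl C9800_ACL_WEBAUTH_REDIRECT
mobility anchor
!
ip access-list extended REDIRECT
70 permit tcp any any eq www
!
"""

# Commands that open a sub-mode and define a named object ('!' closes it).
BLOCK_OPENERS = [
    (re.compile(r"^radius server (\S+)$"), "radius-server"),
    (re.compile(r"^aaa group server radius (\S+)$"), "aaa-group"),
    (re.compile(r"^wlan (\S+) \d+ \S+$"), "wlan"),  # wlan <profile> <id> <ssid>
    (re.compile(r"^wireless profile policy (\S+)$"), "policy-profile"),
    (re.compile(r"^ip access-list extended (\S+)$"), "acl"),
]
# One-line global commands: (pattern, kind defined by group 1, kind referenced by group 2).
GLOBAL_DEFS = [
    (re.compile(r"^aaa authorization network (\S+) group (\S+)$"), "authz-list", "aaa-group"),
    (re.compile(r"^aaa accounting identity (\S+) start-stop group (\S+)$"), "acct-list", "aaa-group"),
]
# Binding of a WLAN profile to a policy profile (policy-tag syntax).
WLAN_POLICY_BINDING = re.compile(r"^wlan (\S+) policy (\S+)$")
# Sub-mode commands that reference another object, keyed by the enclosing block kind.
SUB_REFS = {
    "aaa-group": [(re.compile(r"^server name (\S+)$"), "radius-server")],
    "wlan": [(re.compile(r"^mac-filtering (\S+)$"), "authz-list")],
    "policy-profile": [(re.compile(r"^accounting-list (\S+)$"), "acct-list"),
                       (re.compile(r"^ipv4 acl (\S+)$"), "acl")],
}


def parse_config(config):
    """Return (defined, references): kind -> set of names, and (referrer, kind, name) tuples."""
    defined, references, current = defaultdict(set), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = WLAN_POLICY_BINDING.match(line)
        if m:
            references += [(line, "wlan", m.group(1)), (line, "policy-profile", m.group(2))]
            continue
        for pattern, kind in BLOCK_OPENERS:
            m = pattern.match(line)
            if m:
                defined[kind].add(m.group(1))
                current = (kind, m.group(1))
                break
        else:
            for pattern, def_kind, ref_kind in GLOBAL_DEFS:
                m = pattern.match(line)
                if m:
                    defined[def_kind].add(m.group(1))
                    references.append((line, ref_kind, m.group(2)))
                    break
            else:
                if current is not None:  # a sub-command of the open block
                    kind, name = current
                    for pattern, ref_kind in SUB_REFS.get(kind, []):
                        m = pattern.match(line)
                        if m:
                            references.append((f"{kind} {name}", ref_kind, m.group(1)))
    return defined, references


def dangling_references(config):
    """References whose target kind/name is never defined in the snippet, sorted."""
    defined, references = parse_config(config)
    return sorted(ref for ref in references if ref[2] not in defined[ref[1]])


if __name__ == "__main__":
    for referrer, kind, name in dangling_references(ANCHOR_CONFIG):
        print(f"{referrer}: {kind} '{name}' is not defined in this snippet")
```

Definitions are collected over the whole snippet before references are resolved, so the order of the blocks (the `wlan 387 policy` line appearing before the `wlan 387 1 387` profile, for instance) does not matter.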
Note about “export anchor” on the policy profile
Navigate to the Mobility tab and enable Export Anchor. This tells the 9800 WLC that it is the anchor for any WLAN that uses this Policy Profile, so when the foreign 9800 WLC sends clients to it, the anchor knows which local Policy Profile to apply.
Add the devices to Cisco ISE.
Create the authorization profile.
Create the Policy Set
Verify connectivity
Obtain the account info
Connect to the SSID/WLAN
Change of Authorization (CoA)
Wireless device on the Foreign (internal) WLC
Wireless device on the Anchor (DMZ) WLC