Cisco 9800 with ISE Central Web Authentication

  1. Define the AAA server and server group. I normally define the Radius server on both Anchor and Foreign controllers just to keep the config consistent.



2. Define the AAA authorization and accounting method list that will be tied to the AAA server


3. Configure the WLAN on both Foreign and Anchor



4. Create the Policy Profile on the Foreign Controller




4.a Create an identical policy profile, the differences will be the mobility anchor tab and the VLAN. The export anchor check box must be enabled in order to terminate the tunnel.



5. Create a policy tag in order to define the SSIDs that should be broadcast


6.Create an ACL that will redirect the traffic to Cisco ISE.

Note: For the redirection ACL, think for deny action as a deny redirection (not deny traffic), and permit action as permit redirection.

Redirect ALC

Note: If you end the ACL with a “permit ip any any” instead of a permit focused on port 80, the WLC will also redirect HTTPS, which is often undesirable as it will have to provide its own certificate and will always create a certificate violation


7. Add the WLC to the AAA server



8. Create an authorization policy that will be returned by the AAA server. The Radius server will return the redirection ACL that was created on the WLC.

The first ACL is for CWA

The second ALC is pushed down via COA and will permit internet only


9. Create the policy set




Create guest account via sponsor portal



Test the configuration



Troubleshooting 101 – check AAA server logs


The issue indicates that the account is not yet active.



Test login again…






Verify successful auth on AAA server




Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.