![]() ![]() ![]() Now you're going to add one TACACS Profile for each role that you plan to use with the WLC. Aaron Wolandįigure 7 - Deployment Screen Prepare the Authorization Resultsĭevice Administration AAA is ready on ISE, but you have no policies and no Authorizations to send down to the WLC yet. Enable the device admin service (it is off by default). If you haven't already, ensure that device administration is enabled on the ISE policy services node under Administration > System > Deployment, select your ISE PSN, as seen in Figure 7. Click on the WLC or Click Add to create a new one.Įnsure the Network Device Groups are assigned properly and the TACACS+ Shared Secret is configured correctly. Navigate to Work Centers > Device Administration > Network Resources > Network Devices. Next, you should ensure your Cisco WLC itself is added to ISE and has the TACACS+ shared secret configured. With that group, we can ensure that a device administration policy set is built just for these devices and their unique way of doing Device Administration. ![]() The point is - let's ensure that these Cisco WLCs have their own group for a device type. If you've been following my guidance all these years, then you will already have a detailed set of hierarchical Network Device Groups (NDGs), such as those displayed in Figure 5. Within the ISE GUI, Navigate to Work Centers > Device Administration > Network Device Groups. At this point, you need to add the WLC as a TACACS+ NAD on ISE. Now the ISE Node has been added to the WLC for use with TACACS+, but the WLC is not authenticating users for login yet. Aaron Wolandįigure 4 - WLC TACACS+ Authorization Server Navigate to Security > AAA > TACACS+ > Authorization and click New.įill in the Server IP Address and the Shared Secret as seen in Figure 4, and click Apply. Navigate to Security > AAA > TACACS+ > Accounting and click New.įill in the Server IP Address and the Shared Secret as seen in Figure 3, and click Apply. Aaron Wolandįigure 2 - WLC TACACS+ Authentication Server Once the user click the accept button they will be allowed onto the networkĪt this time the user should also be redirected to the specified web portal.Navigate to Security > AAA > TACACS+ > Authentication and click New.įill in the Server IP Address and the Shared Secret as seen in Figure 2, and click Apply. They are presented with an accept button. At this time the controller should present the custom web portal to the user.Īgain, with web passthrough captive portal the user is not required to enter a username and password. ![]() Although the user is in the run state notice that the “auth method” is “web auth”. A user than can pass traffic through the controller is in the run state. The user has a VALID IP address from the DMZ. Type the following command for each MAC address you want to deauth. User does not have access to the network and is NOT on the WLCĪ quick way to deauth a user is from the CLI. The controller is NOT tied to AAA, it host the custom web page and intercepts the initial HTTP request and presents the consent/aup page to the user. Authentication is NOT in use, the user either agree or reject the user acceptance page. Web passthrough is meant to be a simple guest solution. WLAN Config – As usual the configurations must be identical A public certificate is also required on the DMZ Anchor. In my testing the custom web page is “housed” on the Anchor controller not on the Foreign. Once i verify that the client device can obtain and IP i then apply the AAA polices. This means that i do not apply any type of MAC filtering or AAA polices. My best practice is to test basic connectivity first. The name of the policy and the settings on both the Anchor and Foreign must MATCH 100% with the exception of the VLAN and mobility anchor Use the standard copy feature from ftp,scp etc to copy the file to the bootflash. Once the file(s) have been downloaded and edited they must be renamed in the following format web_auth_. We see that both devices see each others mobility tunnel as up Items that should be configuredĬustom web page – the sample web consent package can be downloaded from. This lab will demonstrate how to configure a simple web passthrough on the IOS XE 9800 ControllerĬonfigure the IOS XE 9800 Controllers – as usual the guest users will be dropped off in the DMZīoth WLCs MUST have identical configurationsįirst verify that the mobility tunnel is in an UP state on both the foreign and the anchor FOREIGN ANCHOR ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |