vWLC with Hotspot Guest Access using ISE 2.7

Categories: Cisco, ISE
  • A hotspot is a captive portal on an open SSID. Generally, users will need to accept an Acceptable Use Policy (AUP) before being granted access to the internet. There are other scenarios besides the one in this lab.
  • Log into the vWLC. Click the security tab at the top.
  • Click the New button to add a new AAA server.
  • Enter the IP address of the ISE server, set the port number to 1812, and make sure Support for CoA is checked. *** Change of Authorization is a feature that allows a RADIUS server to adjust an active client session. ***
  • Create a Shared Secret and make note of it as ISE will need to be configured with the same secret. Click Apply.
  • Next click Accounting from the Security/AAA menu on the left. Hit New and enter the required information.
  • Next we will log into ISE and configure the WLC as a network device.
  • Go to Work Centers, then Network Resources.
  • Click Add and fill out the WLC information. Check RADIUS Authentication Settings and be sure to enter the same Shared Secret we configured earlier on the WLC.
  • After you save the network device you can verify it has been added by checking the Network Devices section.

Configuring the Guest SSID

  • Log into your WLC and click the WLANs tab. Choose Create New from the drop-down box and click Go.
  • Enter a profile name and SSID.
  • Select Status Enabled, and the correct interface for your guest traffic. *** NOTE: My screenshot doesn't show the Guest SSID as being enabled ***

  • Next click the Security tab.
  • Change Layer 2 Security to None and check MAC Filtering.
  • Click AAA Servers, and change the Authentication and Authorization servers to the ISE server via the drop-down boxes.
  • Click the Advanced tab.
  • Check Allow AAA Override.
  • Under NAC, change the drop-down to ISE NAC.
  • Uncheck FlexConnect Local Switching if it is enabled.
  • Check DHCP and HTTP Profiling under RADIUS Client Profiling.
  • Next we have to create two ACLs: one for Web Auth Redirect that allows DNS and traffic to ISE, and another for restricting guest access.
  • You can verify your ACLs have been added to the vWLC from the Access Control Lists section.

ISE Policies

Our policy goals will be:

  • Redirect users who connect to the Guest network to a web portal.
  • Once the AUP has been accepted, apply a new policy restricting their access to the internet only, via the ACL we created earlier.

  • Log in to ISE. Go to Work Centers > Guest Access > Policy Elements.
  • Click Results and go to Authorization Profiles.
  • Click Add to create a new profile.
  • Give the policy a descriptive name and description.
  • Scroll down to the Common Tasks and check Web Redirection.
  • Select Hotspot from the drop-down.
  • Enter WEB_AUTH_REDIRECT as the ACL; the value will be the Hotspot Guest Portal.
  • Click Submit.
  • Click Add again, enter a new name and description. This policy will apply the guest restriction ACL we created on the WLC.
  • Scroll down to the Common Tasks, find Airespace ACL, and enter the name Guest_ACL.
  • Click Submit.
  • Now, go to Work Centers > Guest Access > Policy Sets.
  • Create a new policy set.
  • Add a new profile above the one we just created.
  • This one applies the Guest ACL to the user once they have gone through the portal. Conditions will be Wireless_MAB, IdentityGroup = GuestEndpoints, and Guest_Flow. The result will be the Guest_Access policy we created, which applies the ACL we created on the WLC.
  • Lastly, use any wireless device to verify you can connect to the new SSID.
  • Save all configurations and back them up if needed.