vWLC with Hotspot Guest Access using ISE 2.7

Categories Cisco, ISE
  • A hotspot is a captive portal on an open SSID: users get network access only after accepting an Acceptable Use Policy (AUP). Other designs are possible; this lab covers only that scenario.
  • Log into the vWLC and click the Security tab at the top.
  • Click New to add a new RADIUS authentication server.
  • Enter the IP address of the ISE server, leave the port at 1812, and make sure Support for CoA is checked. *** Change of Authorization (CoA) lets the RADIUS server change an active client session. The hotspot flow depends on it: ISE uses CoA to re-authorize the client after the AUP is accepted. ***
  • Create a Shared Secret and make note of it, as ISE must be configured with the same secret. Use a long random value; it is the only thing authenticating the WLC to ISE. Click Apply.
  • Next click Accounting under Security > AAA on the left. Click New and enter the same server details (accounting uses port 1813).
  • Next, log into ISE and add the WLC as a network device.
  • Go to Work Centers, then Network Resources > Network Devices.
  • Click Add and fill out the WLC details. Check RADIUS Authentication Settings and enter the Shared Secret configured on the WLC. The CoA port defaults to 1700 on both ISE and the WLC; leave it unless you changed it on the WLC.
  • After saving, verify the WLC appears in the Network Devices list.

Configuring the Guest SSID

  • Log into your WLC and click the WLANs tab. Choose Create New from the drop-down box and click Go.
  • Enter a profile name and SSID.
  • Select Status Enabled and the interface (or interface group) that carries your guest traffic. *** NOTE: My screenshot doesn't show the Guest SSID as being enabled ***

  • Next click the Security tab.
  • Change Layer 2 Security to None and check MAC Filtering (this is what makes the WLC send a MAB request to ISE for each client).
  • Click AAA Servers and select the ISE server as the Authentication and Accounting server from the drop-down boxes.
  • Click the Advanced tab.
  • Check Allow AAA Override (without it the WLC ignores the ACL and redirect attributes ISE returns).
  • Under NAC State, change the drop-down to ISE NAC.
  • Uncheck FlexConnect Local Switching if it is enabled.
  • Check DHCP Profiling and HTTP Profiling under RADIUS Client Profiling.
  • Next we have to create two ACLs: WEB_AUTH_REDIRECT, which permits DNS and traffic to and from ISE so the client can reach the portal, and Guest_ACL, which restricts guests to internet-only access. Remember that on AireOS a redirect ACL is inverted: traffic matching a permit entry passes without redirection, and everything else is redirected to the portal.
  • You can verify the ACLs have been added from the Security > Access Control Lists section of the vWLC.
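The two ACLs as WLC CLI configuration, added here as an example; this is not configuration from the original page, which created the ACLs in the GUI. The ACL names are the ones the ISE steps on this page refer to. The ISE policy node address 10.0.30.20 is an assumption (the page gives no ISE address) and the portal port 8443 is the ISE default. Direction "in" is from the wireless client toward the network, "out" is the reverse; a rule with no protocol or address set matches any.

```cisco
! Added example, not from the original page. Assumed: ISE PSN at 10.0.30.20, portal on TCP 8443.
! WEB_AUTH_REDIRECT: permit = passed through, implicit deny at the end = redirected to the portal.
config acl create WEB_AUTH_REDIRECT
! DNS in both directions so the client can resolve the portal FQDN
config acl rule add WEB_AUTH_REDIRECT 1
config acl rule action WEB_AUTH_REDIRECT 1 permit
config acl rule protocol WEB_AUTH_REDIRECT 1 17
config acl rule destination port range WEB_AUTH_REDIRECT 1 53 53
config acl rule direction WEB_AUTH_REDIRECT 1 in
config acl rule add WEB_AUTH_REDIRECT 2
config acl rule action WEB_AUTH_REDIRECT 2 permit
config acl rule protocol WEB_AUTH_REDIRECT 2 17
config acl rule source port range WEB_AUTH_REDIRECT 2 53 53
config acl rule direction WEB_AUTH_REDIRECT 2 out
! Client to the ISE portal, and the portal back to the client
config acl rule add WEB_AUTH_REDIRECT 3
config acl rule action WEB_AUTH_REDIRECT 3 permit
config acl rule protocol WEB_AUTH_REDIRECT 3 6
config acl rule destination address WEB_AUTH_REDIRECT 3 10.0.30.20 255.255.255.255
config acl rule destination port range WEB_AUTH_REDIRECT 3 8443 8443
config acl rule direction WEB_AUTH_REDIRECT 3 in
config acl rule add WEB_AUTH_REDIRECT 4
config acl rule action WEB_AUTH_REDIRECT 4 permit
config acl rule protocol WEB_AUTH_REDIRECT 4 6
config acl rule source address WEB_AUTH_REDIRECT 4 10.0.30.20 255.255.255.255
config acl rule source port range WEB_AUTH_REDIRECT 4 8443 8443
config acl rule direction WEB_AUTH_REDIRECT 4 out
config acl apply WEB_AUTH_REDIRECT

! Guest_ACL: pushed by ISE (Airespace-ACL-Name) once the AUP has been accepted.
config acl create Guest_ACL
! DNS first, so a resolver on an internal address still answers after the denies below
config acl rule add Guest_ACL 1
config acl rule action Guest_ACL 1 permit
config acl rule protocol Guest_ACL 1 17
config acl rule destination port range Guest_ACL 1 53 53
config acl rule direction Guest_ACL 1 in
config acl rule add Guest_ACL 2
config acl rule action Guest_ACL 2 permit
config acl rule protocol Guest_ACL 2 17
config acl rule source port range Guest_ACL 2 53 53
config acl rule direction Guest_ACL 2 out
! Deny guest-initiated traffic to RFC 1918 space (add your public ranges here too if you own any)
config acl rule add Guest_ACL 3
config acl rule action Guest_ACL 3 deny
config acl rule destination address Guest_ACL 3 10.0.0.0 255.0.0.0
config acl rule direction Guest_ACL 3 in
config acl rule add Guest_ACL 4
config acl rule action Guest_ACL 4 deny
config acl rule destination address Guest_ACL 4 172.16.0.0 255.240.0.0
config acl rule direction Guest_ACL 4 in
config acl rule add Guest_ACL 5
config acl rule action Guest_ACL 5 deny
config acl rule destination address Guest_ACL 5 192.168.0.0 255.255.0.0
config acl rule direction Guest_ACL 5 in
! Everything else (the internet) in both directions
config acl rule add Guest_ACL 6
config acl rule action Guest_ACL 6 permit
config acl rule direction Guest_ACL 6 any
config acl apply Guest_ACL

! Verify the rules took effect
show acl detailed WEB_AUTH_REDIRECT
show acl detailed Guest_ACL
```

The names ISE sends back (url-redirect-acl for the redirect, Airespace-ACL-Name for Guest_ACL) must match these WLC ACL names exactly, case included. Guest_ACL as written blocks only client-initiated traffic to private ranges; if your guest DNS or gateway needs anything else inside those ranges, add a permit for it above rule 3.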

ISE Policies

Our policy goals will be:

  • Redirect users who connect to the Guest network to the hotspot web portal.
  • Once the AUP has been accepted, apply a new authorization that restricts them to internet-only access via the Guest_ACL we created earlier.
  • Log in to ISE. Go to Work Centers > Guest Access > Policy Elements.
  • Click Results and go to Authorization Profiles.
  • Click Add to create a new profile.
  • Give the profile a descriptive name and description.
  • Scroll down to Common Tasks and check Web Redirection.
  • Select Hotspot from the drop-down.
  • Enter WEB_AUTH_REDIRECT as the ACL and select the Hotspot guest portal as the value. The ACL name must match the WLC ACL exactly; it is case-sensitive.
  • Click Submit.
  • Click Add again and enter a new name and description. This profile will apply the guest restriction ACL we created on the WLC.
  • Scroll down to Common Tasks, find Airespace ACL, and enter the name Guest_ACL (again, exactly as it is named on the WLC).
  • Click Submit.
  • Now go to Work Centers > Guest Access > Policy Sets.
  • Create a new policy set with an authorization rule that returns the hotspot redirect profile for clients on the Guest SSID.
  • Add a new authorization rule above the one we just created.
  • This rule applies the Guest ACL once the user has gone through the portal. Conditions: Wireless_MAB AND IdentityGroup = GuestEndpoints AND Guest_Flow. Result: the Guest_Access profile we created, which applies the ACL on the WLC. Rule order matters, since ISE evaluates rules top down: if this rule sits below the redirect rule, registered guests keep being redirected. ISE adds the client's MAC to GuestEndpoints when the AUP is accepted, so any client presenting that MAC matches this rule until the endpoint purge policy removes it.
  • Lastly, connect a wireless client to the new SSID and verify that you are redirected to the portal and, after accepting the AUP, can reach the internet but not internal addresses.
  • Save all configurations and back them up if needed.

Joining a 2702i Cisco AP to Virtual WLC on 8.10

Categories Cisco, Wireless

Issue

  • From the WLC GUI the AP is stuck in downloading state.
  • While consoled into the access point we can see the following errors in the console output.
 ERROR: Image is not a valid IOS image archive.
 Download image failed, notify controller!!! From:7.6.100.0 to 0.0.0.0, FailureCode:3  

 *Feb 13 15:48:34.219: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.30.50
 perform archive download capwap:/ap3g2 tar file
 *Feb 13 15:48:34.223: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
 *Feb 13 15:48:34.223: Loading file /ap3g2...

Resolution

  • The root cause is that 8.5 and later controller releases need the AP to be on a c3700 / cx700 image to join (the same applies to ME). The console output above shows this AP still running 7.6.100.0. If the AP's image is older than 8.5, first upgrade it to an ap3g2 image and then to c3700.
  • After that the AP joins the WLC successfully.

TFTP Server

  • For my TFTP server I am using a Synology NAS and running the TFTP Service:
  • How to setup Synology NAS TFTP

Cisco AP Process

  • Power the AP off and hold down the Mode button.
  • Keep the Mode button held while powering the AP back on.
  • Continue to hold the Mode button until the AP's LED turns solid red.
  • Once the LED is solid red, release the button and console into the AP with your console cable.

Commands

  • set IP_ADDR <AP IP ADDRESS>
  • set NETMASK <SUBNET MASK>
  • set DEFAULT_ROUTER <GATEWAY IP>
  • tftp_init
  • ether_init
  • flash_init
  • tar -xtract tftp://<TFTP SERVER IP>/<.TAR FILE> flash:
  • set BOOT flash:/<EXTRACTED IMAGE DIRECTORY>/<IMAGE FILE>
  • boot

Example

set IP_ADDR 10.0.30.53
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 10.0.30.1
tftp_init
ether_init
flash_init
tar -xtract tftp://10.0.30.14/ap3g2-rcvk9w8-tar.153-3.JF10.tar flash:
set BOOT flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-mx
boot
  • My TFTP server is 10.0.30.14.
  • The subnet is a /24.
  • The gateway is 10.0.30.1.
  • tftp_init, ether_init and flash_init initialize the TFTP, Ethernet and flash services on the AP.
  • The tar file (ap3g2-rcvk9w8-tar.153-3.JF10.tar) sits in the TFTP server's root directory, and we are extracting it into the AP's flash. TFTP gives no integrity protection, so compare the file's checksum with the MD5/SHA512 published on the Cisco download page before serving it.
  • ***DURING THE TAR EXTRACT PROCESS CONTINUE TO HIT THE SPACE BAR EVERY 1 - 2 SECONDS*** If you don't, you can receive a premature error.
  • Set the boot file location (the image file inside the directory the tar extracted to), boot the AP, and let it sit for about 5 minutes after it has booted the new image. It should then appear on the WLC in a Registered state.

WLC GUI – AFTERMATH

  • Now we can update the AP name and location and set a static IP for the device.
  • Hardcode the controllers (primary/secondary) so the AP does not depend on discovery to find the WLC.
  • The Access Point has now been upgraded and is registered to the virtual wireless LAN controller.
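The same aftermath steps from the vWLC CLI, added here as an example rather than taken from the original page, which did them in the GUI. The AP name AP-2702-01, its factory name AP1234.5678.9abc (AireOS names a new AP "AP" plus its Ethernet MAC; this MAC is made up) and the controller name vWLC-01 are assumptions; the addresses are the ones used earlier on this page (WLC 10.0.30.50, AP 10.0.30.53/24, gateway 10.0.30.1).

```cisco
! Added example, not from the original page. Assumed names: AP-2702-01, AP1234.5678.9abc, vWLC-01.
! Confirm the AP registered and, if it did not, see which join step failed
show ap summary
show ap join stats summary all
! Rename and label the AP
config ap name AP-2702-01 AP1234.5678.9abc
config ap location "Lab" AP-2702-01
! Static addressing; the AP briefly rejoins after this
config ap static-IP enable AP-2702-01 10.0.30.53 255.255.255.0 10.0.30.1
! Hardcode the controller so the AP does not rely on DHCP option 43, DNS or broadcast discovery
config ap primary-base vWLC-01 AP-2702-01 10.0.30.50
! Verify name, IP, controller list and the image the AP is now running
show ap config general AP-2702-01
show ap image all
save config
```

If the AP still shows as not registered, show ap join stats detailed followed by the AP's MAC address reports the last discovery and join failure reasons the controller recorded for it.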