A hotspot is a portal that users land on when they connect to an open SSID. Generally they must accept an Acceptable Use Policy (AUP) before being granted access to the internet. Other scenarios are possible; this lab covers only the hotspot case.
Log into the vWLC and click the Security tab at the top.
Click the New button to add a new AAA server.
Enter the IP address of the ISE server, set the port number to 1812, and make sure Support for CoA is checked. *** Change of Authorization is a feature that allows a RADIUS server to adjust an active client session. ***
Create a Shared Secret and make note of it, as ISE will need to be configured with the same secret. Click Apply.
Next click Accounting from the Security/AAA menu on the left. Hit New and enter the required information.
Next we will log into ISE and configure the WLC as a network device.
Go to Work Centers, then Network Resources.
Click Add and fill out the WLC information. Check RADIUS Authentication Settings and enter the same Shared Secret we created earlier on the WLC.
After you save the network device you can verify it has been added by checking the Network Devices section.
Configuring the Guest SSID
Log into your WLC and click the WLANs tab. Choose Create New from the drop down box and click Go.
Enter a profile name and SSID.
Select Status Enabled, and the correct interface for your guest traffic. *** NOTE: My screen shot doesn’t show the Guest SSID as being enabled ***
Next click the Security tab.
Change Layer 2 Security to None, and check MAC Filtering.
Click AAA Servers, and change the Authentication and Authorization servers to the ISE server via the drop down boxes.
Click the Advanced tab.
Check Allow AAA Override.
Under NAC change the drop down to ISE NAC.
Uncheck FlexConnect Local Switching if enabled.
Check DHCP/HTTP profiling under Radius Client Profiling.
Next we have to create two ACLs on the WLC: one for the web-auth redirect (WEB_AUTH_REDIRECT) that permits DNS and traffic to ISE so the client can reach the portal, and a second ACL (Guest_ACL) that restricts what guests can reach once they are through the portal.
You can verify your ACLs have been added to the vWLC from the Access control list section.
Our policy goals will be:
Redirect users who connect to the Guest network to the hotspot web portal.
Once the AUP has been accepted, apply a new policy that restricts them to internet-only access via the Guest_ACL we created earlier on the WLC.
Log in to ISE. Go to Work Centers, Guest Access, Policy Elements.
Click Results and go to Authorization Profiles.
Click Add to create a new profile.
Give the policy a descriptive name and description.
Scroll down to the Common Tasks and check Web Redirection.
Select Hotspot from the drop down.
Enter WEB_AUTH_REDIRECT as the ACL and set the Value to the Hotspot guest portal.
Click Add again and enter a new name and description. This profile will apply the guest restriction ACL we created on the WLC.
Scroll down to Common Tasks, find Airespace ACL and enter the name Guest_ACL.
Now, go to Work Centers, Guest Access, Policy Sets.
Create a new policy set.
Add a new profile above the one we just created.
This rule applies the Guest ACL to the user after they have gone through the portal. The conditions will be Wireless_MAB, IdentityGroup = GuestEndpoints, and Guest_Flow. The result will be the Guest_Access policy we created, which applies the Guest_ACL we created on the WLC.
Lastly, use any wireless device to verify you can connect to the new SSID.
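To make the two halves of the lab concrete, here is an added Python model that is not part of the original post and not ISE or AireOS code. It covers the ACL section (what the WLC does with a guest packet under WEB_AUTH_REDIRECT versus Guest_ACL) and the policy set section (first-match ordering of the Guest_Access and redirect rules, and why the Guest_Access rule has to sit above the redirect rule). The rule syntax is simplified, ACL direction is ignored, and every address is constructed: ISE_IP is a placeholder for the ISE node, 198.51.100.7 stands in for an internet host, and 8443 is used as the portal port. The redirect-ACL semantics follow AireOS behaviour, where a permit match bypasses the redirect and everything else is sent to the portal.

```python
"""Toy model of the guest hotspot flow: ISE policy set (first match wins)
plus the WLC ACL that the matched authorization profile pushes.
Constructed teaching example; all addresses below are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

ISE_IP = "10.0.30.20"   # placeholder for the ISE node address (assumption)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    dst: str = "0.0.0.0/0"       # destination network
    dport: Optional[int] = None  # destination port, None = any


@dataclass
class Acl:
    name: str
    rules: List[Rule]
    redirect: bool = False       # True for a web-auth redirect ACL

    def evaluate(self, proto: str, dst_ip: str, dport: int) -> str:
        """Fate of one client packet. Rules are checked in order with an
        implicit deny at the end. On a redirect ACL a permit match bypasses
        the portal ("bypass"); anything else is sent to it ("redirect")."""
        hit = "deny"
        for r in self.rules:
            if r.proto != "any" and r.proto != proto:
                continue
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r.dst):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            hit = r.action
            break
        if self.redirect:
            return "bypass" if hit == "permit" else "redirect"
        return hit


# WEB_AUTH_REDIRECT: only DNS and traffic to ISE escape the redirect.
WEB_AUTH_REDIRECT = Acl("WEB_AUTH_REDIRECT", [
    Rule("permit", "udp", "0.0.0.0/0", 53),
    Rule("permit", "any", ISE_IP + "/32"),
], redirect=True)

# Guest_ACL: internet only. DNS first (so an internal resolver still works),
# then the private ranges are denied, then everything else is permitted.
GUEST_ACL = Acl("Guest_ACL",
                [Rule("permit", "udp", "0.0.0.0/0", 53)]
                + [Rule("deny", "any", net) for net in RFC1918]
                + [Rule("permit")])


@dataclass
class Session:
    mac: str
    wireless_mab: bool = True        # open SSID + MAC filtering = MAB
    identity_group: str = "Unknown"
    guest_flow: bool = False


@dataclass
class AuthzRule:
    name: str
    conditions: List[Callable[[Session], bool]]
    acl: Acl                         # ACL the authorization profile returns


GUEST_RULES = [
    # Must sit above the redirect rule: a registered guest also matches Wireless_MAB.
    AuthzRule("Guest_Access",
              [lambda s: s.wireless_mab,
               lambda s: s.identity_group == "GuestEndpoints",
               lambda s: s.guest_flow],
              GUEST_ACL),
    AuthzRule("Guest_Redirect", [lambda s: s.wireless_mab], WEB_AUTH_REDIRECT),
]


def evaluate_policy_set(rules: List[AuthzRule], s: Session):
    """First matching authorization rule wins: (rule name, ACL or None)."""
    for r in rules:
        if all(c(s) for c in r.conditions):
            return r.name, r.acl
    return "DenyAccess", None


def accept_aup(s: Session) -> Session:
    """After the AUP is accepted ISE registers the MAC in GuestEndpoints and
    sends a CoA, so the client re-authenticates via MAB in the guest flow."""
    return Session(s.mac, s.wireless_mab, "GuestEndpoints", True)


def packet_fate(rules, s: Session, proto: str, dst_ip: str, dport: int):
    """(matched rule, what the WLC does with the packet)."""
    name, acl = evaluate_policy_set(rules, s)
    return name, ("deny" if acl is None else acl.evaluate(proto, dst_ip, dport))


if __name__ == "__main__":
    client = Session("aa:bb:cc:00:00:01")            # constructed MAC
    for label, s in (("new", client), ("after AUP", accept_aup(client))):
        for pkt in (("udp", "10.0.30.1", 53), ("tcp", ISE_IP, 8443),
                    ("tcp", "198.51.100.7", 443), ("tcp", "10.0.30.14", 69)):
            print(label, pkt, "->", packet_fate(GUEST_RULES, s, *pkt))
    # Reversed rule order: the registered guest keeps getting redirected.
    print("reversed:", packet_fate(GUEST_RULES[::-1], accept_aup(client),
                                   "tcp", "198.51.100.7", 443))
```

Running the script shows a fresh client getting DNS and ISE traffic through the redirect ACL while HTTPS to the internet is redirected, the same client after the AUP reaching the internet but being denied the 10.0.30.0/24 lab network, and the "reversed" line showing that if the redirect rule is listed first it swallows the registered guest as well.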
The root cause of the issue is that 8.5 and later versions need to use c3700 / cx700 to join ME. If your AP version is lower than 8.5, you need to upgrade to ap3g2 first and then upgrade to c3700.
After that, the AP can successfully join the WLC.
For my TFTP server I am using a Synology NAS running the TFTP service:
How to setup Synology NAS TFTP
Cisco AP Process
Power the AP off and hold down the mode button.
While the mode button is pressed down hold it and power the AP back on.
Continue to hold the mode button down until the AP’s light goes solid red.
Once the light is solid red, release the button and console into the AP using your console cable.
set IP_ADDR <DEVICE IP ADDRESS>
set NETMASK <SUBNET>
set DEFAULT_ROUTER <GATEWAY IP>
tar -xtract tftp://<TFTP SERVER IP>/<.TAR FILE> flash:
set BOOT flash:/<EXTRACTED IMAGE NAME>
set IP_ADDR 10.0.30.53
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 10.0.30.1
tar -xtract tftp://10.0.30.14/ap3g2-rcvk9w8-tar.153-3.JF10.tar flash:
set BOOT flash:/ap3g2-rcvk9w8-mx
My TFTP server is 10.0.30.14
The subnet is a /24
The gateway is 10.0.30.1
Initialize the flash, Ethernet and TFTP services on the AP (flash_init, ether_init and tftp_init at the ap: prompt) before running the set and tar commands.
Extract the tar file from the TFTP server's root directory (the file is named ap3g2-rcvk9w8-tar.153-3.JF10.tar) into the AP's flash directory.
***DURING THE TAR EXTRACT PROCESS CONTINUE TO HIT SPACE BAR EVERY 1 – 2 SECONDS*** If you don't, the extract can fail with a premature error.
Set the boot file location, boot the AP and let it sit for about 5 minutes after it finishes booting the new image. It should then appear on the WLC in a Registered state.
WLC GUI – AFTERMATH
Now we can update the AP name and location and set a static IP for the device.
Hardcode the controllers the AP should join.
The Access Point has now been successfully upgraded and is registered to the virtual wireless LAN controller.