Cisco Identity Services Engine

Central Web Authentication with FlexConnect APs on a WLC with ISE Configuration Example

Document ID: 116087

Updated: Sep 04, 2013

Contributed by Nicolas Darchis, Cisco TAC Engineer.



This document describes how to configure central web authentication with FlexConnect Access Points (APs) on a Wireless LAN Controller (WLC) with Identity Services Engine (ISE) in local switching mode.

Important Note: At this time, local authentication on the FlexAPs is not supported for this scenario.


There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Identity Services Engine (ISE), Release 1.1.2
  • Wireless LAN Controller Software, Release Version -


There are multiple methods to configure central web authentication on the Wireless LAN Controller (WLC). The first method is local web authentication in which the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Service Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. This process includes these steps:

  1. The user associates to the web authentication SSID.
  2. The user opens their browser.
  3. The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  4. The user authenticates on the portal.
  5. The guest portal redirects back to the WLC with the credentials entered.
  6. The WLC authenticates the guest user via RADIUS.
  7. The WLC redirects back to the original URL.

This process includes a lot of redirection. The new approach is to use central web authentication which works with ISE (versions later than 1.1) and WLC (versions later than 7.2). This process includes these steps:

  1. The user associates to the web authentication SSID.
  2. The user opens their browser.
  3. The WLC redirects to the guest portal.
  4. The user authenticates on the portal.
  5. The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to indicate to the controller that the user is valid and eventually pushes RADIUS attributes such as the Access Control List (ACL).
  6. The user is prompted to retry the original URL.

This section describes the steps necessary to configure central web authentication on WLC and ISE.

Network Diagram

This configuration uses this network setup:


WLC Configuration

The WLC configuration is fairly straightforward. A "trick" is used (the same as on switches) to obtain the dynamic authentication URL from the ISE. (Since it uses CoA, a session needs to be created, as the session ID is part of the URL.) The SSID is configured to use MAC filtering, and the ISE is configured to return an Access-Accept message even if the MAC address is not found, so that it sends the redirection URL for all users.

In addition, RADIUS Network Admission Control (NAC) and AAA Override must be enabled. The RADIUS NAC allows the ISE to send a CoA request that indicates the user is now authenticated and is able to access the network. It is also used for posture assessment in which the ISE changes the user profile based on posture result.

  1. Ensure that the RADIUS server has RFC3576 (CoA) enabled, which is the default.


  2. Create a new WLAN. This example creates a new WLAN named CWAFlex and assigns it to vlan33. (Note that it will not have much effect since the access point is in local switching mode.)


  3. On the Security tab, enable MAC Filtering as Layer 2 Security.


  4. On the Layer 3 tab, ensure security is disabled. (If web authentication is enabled on Layer 3, local web authentication is enabled, not central web authentication.)


  5. On the AAA Servers tab, select the ISE server as radius server for the WLAN. Optionally, you can select it for accounting in order to have more detailed information on ISE.


  6. On the Advanced tab, ensure Allow AAA Override is checked and Radius NAC is selected for NAC State.


  7. Create a redirect ACL.

    This ACL is referenced in the Access-Accept message of the ISE and defines what traffic should be redirected (denied by the ACL) as well as what traffic should not be redirected (permitted by the ACL). Basically, DNS and traffic to/from the ISE needs to be permitted.

    Note: An issue with FlexConnect APs is that you must create a FlexConnect ACL separate from your normal ACL. This issue is documented in Cisco bug ID CSCue68065 and is fixed in Release 7.5. In WLC 7.5 and later, only a FlexACL is required, and no standard ACL is needed. The WLC expects that the redirect ACL returned by ISE is a normal ACL. However, to ensure it works, you need the same ACL applied as the FlexConnect ACL.

    This example shows how to create a FlexConnect ACL named flexred:


    1. Create rules to permit DNS traffic as well as traffic towards ISE and deny the rest.

      If you want the maximum security, you can allow only port 8443 towards ISE. (If posturing, you must add the typical posture ports, such as 8905, 8906, 8909, and 8910.)

    2. Choose Security > Access Control Lists to create an identical ACL with the same name. This step is important!


    3. Prepare the specific FlexConnect AP.
      1. Click Wireless, and select the specific access point.
      2. Click the FlexConnect tab, and click External Webauthentication ACLs. (Prior to version 7.4, this option was named web policies.)


      3. Add the ACL (named flexred in this example) to the web policies area.

WLC configuration is now complete.
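The redirect ACL has inverted semantics that are easy to get wrong: traffic the ACL permits bypasses the redirect, and traffic it denies is what gets intercepted and sent to the portal. The following Python model is an added example (not Cisco code and not taken from this document) that encodes the flexred rules described above, evaluates sample packets against them, and checks the pre-7.5 requirement that the ACL name returned by ISE exists both as a standard ACL and as a FlexConnect ACL. All addresses, ACL names and version numbers are constructed sample values.

```python
"""Redirect-ACL model for central web authentication on a WLC.

Added example, not Cisco code. It encodes the semantics the configuration
notes describe: traffic the ACL PERMITS bypasses the redirect, traffic the
ACL DENIES is intercepted and sent to the ISE portal. All addresses, ACL
names and version strings are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ISE_IP = "192.0.2.10"        # constructed: ISE policy node address
DNS_IP = "192.0.2.53"        # constructed: internal DNS server
CLIENT_IP = "198.51.100.20"  # constructed: guest client
POSTURE_PORTS = (8905, 8906, 8909, 8910)   # posture ports named on the page


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "udp", "tcp" or "any"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and _addr_matches(rule.src, pkt.src)
        and _addr_matches(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def build_redirect_acl(ise_ip: str, dns_ip: str, posture: bool = False) -> List[Rule]:
    """Permit DNS and ISE traffic both ways; deny (= redirect) everything else."""
    host_ise, host_dns = f"{ise_ip}/32", f"{dns_ip}/32"
    acl = [
        Rule("permit", "udp", "any", host_dns, 53),     # client -> DNS
        Rule("permit", "udp", host_dns, "any"),         # DNS replies
        Rule("permit", "tcp", "any", host_ise, 8443),   # client -> portal
        Rule("permit", "tcp", host_ise, "any"),         # portal replies
    ]
    if posture:
        acl += [Rule("permit", "tcp", "any", host_ise, p) for p in POSTURE_PORTS]
    acl.append(Rule("deny", "any", "any", "any"))       # explicit catch-all deny
    return acl


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation: 'pass' for permitted traffic, 'redirect' for denied."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return "pass" if rule.action == "permit" else "redirect"
    return "redirect"   # implicit deny at the end of a WLC ACL


def check_acl_deployment(acl_name: str, standard_acls: Set[str],
                         flex_acls: Set[str], wlc_version: Tuple[int, int]) -> List[str]:
    """Deployment problems for a FlexConnect local-switching redirect ACL.

    Before WLC 7.5 the name ISE returns must exist as a standard ACL (what the
    WLC expects) AND as an identically named FlexConnect ACL (what the AP uses).
    """
    problems = []
    if acl_name not in flex_acls:
        problems.append(f"FlexConnect ACL '{acl_name}' missing: the AP will not redirect")
    if wlc_version < (7, 5) and acl_name not in standard_acls:
        problems.append(f"standard ACL '{acl_name}' missing: WLC expects a normal ACL of that name before 7.5")
    return problems


if __name__ == "__main__":
    acl = build_redirect_acl(ISE_IP, DNS_IP)
    print(evaluate(acl, Packet("tcp", CLIENT_IP, "203.0.113.5", 80)))   # redirect
    print(check_acl_deployment("flexred", set(), {"flexred"}, (7, 4)))
```

Running the model with only the 8443 rule shows posture port traffic being redirected instead of reaching ISE, which is the symptom described when the posture ports are omitted; the deployment check reports the missing standard ACL on a 7.4 controller and is silent on 7.5.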

ISE Configuration

Create the Authorization Profile

Complete these steps in order to create the authorization profile:

  1. Click Policy, and then click Policy Elements.

  2. Click Results.

  3. Expand Authorization, and then click Authorization profile.

  4. Click the Add button in order to create a new authorization profile for central webauth.

  5. In the Name field, enter a name for the profile. This example uses CentralWebauth.

  6. Choose ACCESS_ACCEPT from the Access Type drop-down list.

  7. Check the Web Authentication check box, and choose Centralized from the drop-down list.

  8. In the ACL field, enter the name of the ACL on the WLC that defines the traffic that will be redirected. This example uses flexred.

  9. Choose Default from the Redirect drop-down list.

The Redirect attribute defines whether the ISE redirects the client to the default web portal or to a custom web portal that the ISE admin created. The flexred ACL in this example triggers a redirection upon HTTP traffic from the client to anywhere.


Create an Authentication Rule

Complete these steps in order to use the authentication profile to create the authentication rule:

  1. Under the Policy menu, click Authentication.

    This image shows an example of how to configure the authentication policy rule. In this example, a rule is configured that triggers when MAC filtering is detected.


  2. Enter a name for your authentication rule. This example uses Wireless mab.
  3. Select the plus (+) icon in the If condition field.
  4. Choose Compound condition, and then choose Wireless_MAB.
  5. Choose "Default network access" as allowed protocol.
  6. Click the arrow located next to "and ..." in order to expand the rule further.
  7. Click the + icon in the Identity Source field, and choose Internal endpoints.
  8. Choose Continue from the If user not found drop-down list.


This option allows a device to be authenticated (through webauth) even if its MAC address is not known. Dot1x clients can still authenticate with their credentials and should not be concerned with this configuration.

Create an Authorization Rule

There are now several rules to configure in the authorization policy. When the PC is associated, it goes through MAC filtering; it is assumed that the MAC address is not known, so the webauth and ACL are returned. This MAC not known rule is shown in the image below and is configured in this section.


Complete these steps in order to create the authorization rule:

  1. Create a new rule, and enter a name. This example uses MAC not known.

  2. Click the plus (+) icon in the condition field, and choose to create a new condition.

  3. Expand the expression drop-down list.

  4. Choose Network access, and expand it.

  5. Click AuthenticationStatus, and choose the Equals operator.

  6. Choose UnknownUser in the right-hand field.

  7. On the General Authorization page, choose CentralWebauth (Authorization Profile) in the field to the right of the word then.

    This step allows the ISE to continue even though the user (or the MAC) is not known.

    Unknown users are now presented with the Login page. However, once they enter their credentials, they are presented again with an authentication request on the ISE; therefore, another rule must be configured with a condition that is met if the user is a guest user. In this example, If UseridentityGroup equals Guest is used, and it is assumed that all guests belong to this group.

  8. Click the actions button located at the end of the MAC not known rule, and choose to insert a new rule above.

    Note: It is very important that this new rule comes before the MAC not known rule.

  9. Enter a name for the new rule. This example uses IS-a-GUEST.

  10. Choose a condition that will match your guest users.

    This example uses InternalUser:IdentityGroup Equals Guest because all guest users are bound to the Guest group (or another group you configured in your sponsor settings).

  11. Choose PermitAccess in the result box (located to the right of then).

    When the user is authorized on the Login page, ISE restarts a Layer 2 authentication on the switch port and a new MAB occurs. In this scenario, the difference is that an invisible flag is set for ISE to remember that it was a guest-authenticated user. This rule is 2nd AUTH, and the condition is Network Access:UseCase Equals GuestFlow. This condition is met when the user authenticates via webauth and the switch port is set again for a new MAB. You can assign any attributes you like. This example assigns a profile vlan34 so that the user is assigned VLAN 34 in their second MAB authentication.

  12. Click Actions (located at the end of the IS-a-GUEST rule), and choose Insert new rule above.

  13. Enter 2nd AUTH in the name field.

  14. In the condition field, click the plus (+) icon, and choose to create a new condition.

  15. Choose Network Access, and click UseCase.

  16. Choose Equals as the operator.

  17. Choose GuestFlow as the right operand.

  18. On the authorization page, click the plus (+) icon (located next to then) in order to choose a result for your rule.

    In this example, a preconfigured profile (vlan34) is assigned; this configuration is not shown in this document.

    You can choose a Permit Access option or create a custom profile in order to return the VLAN or attributes that you like.
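Rule order is the part of this section that most often breaks a deployment: if MAC not known is evaluated before 2nd AUTH, the guest's second MAB request matches the unknown-MAC rule again and the client is redirected to the portal a second time. The following Python model is an added example (not ISE code and not from this document) that represents the three rules as an ordered first-match policy and replays the three RADIUS requests a guest generates, so the effect of the ordering can be checked. The attribute names mirror the ISE conditions above; the request contents are constructed sample values.

```python
"""First-match authorization policy model for the guest flow on this page.

Added example, not ISE code. It models the three rules built in this section
(2nd AUTH, IS-a-GUEST, MAC not known) as ordered first-match rules and replays
the requests a guest produces, to show why 2nd AUTH and IS-a-GUEST must sit
above MAC not known. Request dictionaries are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    result: str   # authorization profile returned when the condition matches


# Rules in the order the section ends with (top rule evaluated first).
RULES = [
    Rule("2nd AUTH",      lambda r: r.get("UseCase") == "GuestFlow",                "vlan34"),
    Rule("IS-a-GUEST",    lambda r: r.get("IdentityGroup") == "Guest",              "PermitAccess"),
    Rule("MAC not known", lambda r: r.get("AuthenticationStatus") == "UnknownUser", "CentralWebauth"),
]
DEFAULT_PROFILE = "DenyAccess"   # assumed default when no rule matches


def authorize(rules: List[Rule], request: Dict[str, str]) -> Tuple[str, str]:
    """Return (rule name, profile) of the first matching rule, or the default."""
    for rule in rules:
        if rule.condition(request):
            return rule.name, rule.result
    return "Default", DEFAULT_PROFILE


# The three requests a guest produces, in order (constructed sample values).
GUEST_FLOW = [
    # 1. MAB on association: the MAC is unknown, so CWA plus the redirect ACL are returned.
    {"Service": "MAB", "AuthenticationStatus": "UnknownUser"},
    # 2. Portal login: the user belongs to the Guest identity group.
    {"Service": "WebAuth", "IdentityGroup": "Guest", "AuthenticationStatus": "AuthenticationPassed"},
    # 3. MAB after the CoA: ISE flags the session with UseCase=GuestFlow; the MAC is still unknown.
    {"Service": "MAB", "UseCase": "GuestFlow", "AuthenticationStatus": "UnknownUser"},
]


def replay(rules: List[Rule], flow: List[Dict[str, str]]) -> List[str]:
    """Profiles returned for each request of the flow, in order."""
    return [authorize(rules, req)[1] for req in flow]


def redirect_loop(rules: List[Rule], flow: List[Dict[str, str]]) -> bool:
    """True if the post-CoA MAB is answered with the CWA profile again (client re-redirected)."""
    return replay(rules, flow)[-1] == "CentralWebauth"


if __name__ == "__main__":
    print(replay(RULES, GUEST_FLOW))                      # correct order
    print(redirect_loop(list(reversed(RULES)), GUEST_FLOW))  # MAC not known on top: loop
```

With the rules in the documented order the replay yields CentralWebauth, PermitAccess and then vlan34; with MAC not known moved to the top, the third request is answered with CentralWebauth again and the client never leaves the portal.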

Enable the IP Renewal (Optional)

If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.

If you assigned a VLAN, complete these steps in order to enable IP renewal:

  1. Click Administration, and then click Guest Management.

  2. Click Settings.

  3. Expand Guest, and then expand Multi-Portal Configuration.

  4. Click DefaultGuestPortal or the name of a custom portal you may have created.

  5. Click the Vlan DHCP Release check box.

    Note: This option works only for Windows clients.



Once the user is associated to the SSID, the authorization is displayed in the ISE page.


From the bottom up, you can see the MAC address filtering authentication that returns the CWA attributes. Next is the portal login with the user name. The ISE then sends a CoA to the WLC, and the last authentication is a Layer 2 MAC filtering authentication on the WLC side, but ISE remembers the client and the username and applies the VLAN configured in this example.

When any address is opened on the client, the browser is redirected to the ISE. Ensure Domain Name System (DNS) is configured correctly.


Network access is granted after the user accepts the policies.


On the controller, the Policy Manager state and the RADIUS NAC state change from POSTURE_REQD to RUN.
