Introduction
This document describes how to configure Easy Wireless Setup with Cisco Identity Services Engine (ISE) 2.2 for HotSpot Flow.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- ISE
- Guest flows on ISE
- Cisco Wireless LAN Controller (WLC)
Note: This document assumes that there is full IP connectivity between Wireless Lan Controller, ISE server, Active Directory (AD) and Endpoint. Wireless Setup requires at least two CPU cores and 8 GB of memory on the ISE.
Components Used
The information in this document is based on these software and hardware versions:
- ISE 2.2
- WLC 2504 version 8.1.131.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Easy Wireless Feature Information
Wireless Setup tool provides an easy way to configure wireless flows for 802.1x, guest, and Bring Your Own Device (BYOD) in very short time. It also provides workflows to configure and customize each portal for guest and BYOD, where appropriate. These workflows are much simpler than configuration associated with portal flows in ISE by providing the most common recommended settings. Wireless Setup does many steps for you that you would have to do yourself in ISE and on the WLC, so you can quickly create a working environment. You can use the Wireless Setup created environment to test and develop your flows.
Once the Wireless Setup environment starts to work, you might want to switch to ISE configuration mode, so you can support more advanced configurations.
Key Benefits
- One place to configure all security and access settings.
- Intuitive Workflows with visibility for common use cases.
- Quick start with Basic Authentication, Guest and BYOD.
- You do not need to configure WLC/ISE policy.
- For advanced configuration, you can always switch to ISE configuration mode.
- Non-security user to Demo/PoC the solution within 10 mins.
- Friendly Guest Experience, Seamless onboarding, security best practice configuration.
- Easy to manage / easy to setup when you compare with regular ISE flows.
Limitations
- Only AD as external DB supported for authentication.
- Only English Language is Supported. You can configure other language from ISE gui after finishing the setup.
- No Edit/Deletion is supported in midway. You should have all info handy.
- Only Support in Greenfield Device (not existed before)
- Only ISE Super Admin is able to use Wireless Setup.
- Wireless Dot1x setup requires base license & BYOD requires a Plus License.
- Single and Dual SSID is supported in Wireless setup.
- For ISE 2.2, Wireless Setup is Beta Software. Do not use wireless setup for production.
- One instance of wireless setup can be run by one admin at a time.
- Restore / Upgrade does not show wireless setup menu. Only supported for new installations.
- Chrome Browser is recommended. Mozilla Firefox can be used as a backup browser. Internet Explorer will not support jpeg, only support png images.
- Self register works as it has nothing to do with AD. You can have your own internal user.
- Info that has been pushed already cannot be edited or deleted.
- The ISE admin can not configure the ACL through easy wireless wizard.
- Classic Wireless and only local mode are supported. No flex connect support.
- Anchor / Foreign setup is not supported by Easy Wireless setup.
- No previews in Easy Wireless setup.
- Restored configuration does not give you Wireless setup menu.
- Multi AD and WLC are supported but each flow can support only one.
Configure
In this document, the focus is on the HotSpot flow configuration. For Guest access, there are three types of flows. HotSpot is one of them - typical wi-fi hotspot venues include cafes, libraries, airports, and hotels.
Step 1. Open Wireless Setup
Once you log into the ISE, you can find Wireless Setup Beta in the upper right corner. Click it to start the wizard.
Step 2. Select Guest Access
You should see a window with configuration options. Select Guest Access. In order to extend the options under Guest Access feature, click on the arrow.
Step 3. Select Hotspot Setup
Select Hotspot setup. That would bring you to a new page.
Step 4. Register Wireless LAN Controller
Step 5. Commit Changes
By now the WLC is configured, registered and enabled. Click Commit to jump to the next step.
Step 6. Changes are pushed to WLC
Once you arrive at the commit tab, the changes are pushed down to ISE and Controller and you cannot revert those changes.
Step 7. Configure Wireless Network
Configure your Wireless LAN with a name MyHotSpot. Select interface that should be used on your wireless controller. After login, you should be redirected to a success page. Click on Add.
Step 8. Customize Portal
Wireless LAN is ready at this point.
Click Next and move to next step that is View and customize your portals:
Here you can work on the customization of portal. That includes modification of colors, texts language etc.
In this picture you have a link to portal test URL. That would take you to the HotSpot portal page, where you can verify the result of customization.
If you click Accept on the AUP page, you should be redirected to Success Page. Click Commit to save the changes.
If you commit the changes, you move to the last step of this whole process. Click on the tab Go Live.
Verify
Use this section in order to confirm that your configuration works properly.
You have configured the HotSpot portal from ISE via the Easy Wireless Wizard. You can verify configuration and check it in ISE and WLC GUI. As you can see the new WLAN is created by the name MyHotSpot. You can edit the WLAN and check if Mac Filtering, AAA server, Radius NAC, Allow AAA override, ACL and other options are correctly configured.
On the ISE side, navigate to Work Centers > Guest Access > Network Devices to ensure that you have the WLC added. Check configuration at Policy Elements > Results > Authorization Profiles to see what profiles where added. Check authorization policy as well:
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
Set the debug log component wirelesssetuphelper to DEBUG level and look into those files:
show logging application wifisetup/wifisetup_xenia.log
show logging application wifisetup/wifisetup_auth.log
show logging application wifisetup/WLCAgent.INF
Log description:
- wifisetup/wifisetup_xenia.log - used for communication with ISE and all other errors are loged here.
- wifisetup/wifisetup_auth.log - used to see errors for the components trust between each other, login issues, trust issues.
- wifisetup/WLCAgent.INFO - used for WLC related issues, but an error should be thrown in xenia.log as well.
- wifisetup/monit.log
All other logs are not as relevant, as these would give you the information required if there is any error.
Other logs you can look into:
wifisetup/mongodb/mongod.log
wifisetup/vault/vault.log
wifisetup/nginx.access.log
wifisetup/WLCAgent.WARNING
wifisetup/WLCAgent.ISE22P.unknownuser.log.INFO.
wifisetup/WLCAgent.ISE22P.unknownuser.log.WARNING.
wifisetup/certmgmt.log
wifisetup/nginx.error.log