Wireless Setup is disabled by default after fresh installation of Cisco ISE. You can enable Wireless Setup from the ISE CLI with the application configure ise command (select option 17) or by using the Wireless Setup option in the ISE GUI Home page.
Wireless Setup does not work if you upgrade ISE from a previous version. Wireless Setup is supported only for new ISE installations.
Wireless Setup works only on a Standalone node.
Run only one instance of Wireless Setup at a time; only one person can run Wireless Setup at
Wireless Setup requires ports 9103 and 9104 to be open. To close those ports, use the CLI to disable Wireless Setup.
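A check for the port requirement above, as an added example that is not part of the Cisco documentation: it probes ports 9103 and 9104 on an ISE node and flags any mismatch with the intended Wireless Setup state. It assumes the ports are TCP; the host name ise.example.test and the function names are placeholders.

```python
import argparse
import socket

# Ports the page says Wireless Setup needs open (TCP is an assumption).
WIRELESS_SETUP_PORTS = (9103, 9104)


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def audit_wireless_setup_ports(host, enabled, ports=WIRELESS_SETUP_PORTS, timeout=2.0):
    """Compare each port's observed state with the intended Wireless Setup state.

    Returns a list of (port, is_open, finding) tuples.
    """
    findings = []
    for port in ports:
        is_open = probe(host, port, timeout)
        if is_open and not enabled:
            finding = "UNEXPECTED: open although Wireless Setup should be disabled"
        elif enabled and not is_open:
            finding = "BLOCKED: closed or filtered, Wireless Setup cannot be reached"
        else:
            finding = "ok"
        findings.append((port, is_open, finding))
    return findings


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Audit Wireless Setup ports on an ISE node")
    parser.add_argument("host", nargs="?", default="ise.example.test")  # placeholder host
    parser.add_argument("--enabled", action="store_true",
                        help="Wireless Setup is meant to be enabled on this node")
    args = parser.parse_args()
    for port, is_open, finding in audit_wireless_setup_ports(args.host, args.enabled):
        print(f"{args.host}:{port} open={is_open} {finding}")
```

Run it without --enabled after disabling Wireless Setup from the CLI to confirm that both ports are closed.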
If you would like to start a fresh installation of Wireless Setup after running some flows, you can use the CLI command application reset-config ise. This command resets the ISE configuration and clears the ISE database, but keeps the network definitions. So you can reset ISE and Wireless Setup without having to reinstall ISE and run setup.
If you would like to start over with Wireless Setup, you can reset both ISE and Wireless Setup's configuration with the following steps:
Run application reset-config to reset all ISE configuration. If you were testing Wireless Setup on a fresh installation, this command removes the configurations done by Wireless Setup in ISE.
Run application configure ise, and choose Reset Config Wi-Fi Setup. This cleans the Wireless Setup configuration database.
On the WLC, remove the configurations added by Wireless Setup on the WLC. For information about what Wireless Setup configures on the WLC, see Changes to ISE and WLC by Wireless Setup.
You can avoid these steps by taking a snapshot of the VM after you finish a fresh installation of ISE.
For information about the CLI, see the Cisco Identity Services Engine CLI Reference Guide.
You must be an ISE Super Admin user to use Wireless Setup.
Wireless Setup requires at least two CPU cores and 8 GB of memory.
Directory groups and users are supported. After you have created one or more flows in Wireless Configuration, other types of users, groups, and authorizations are available for Wireless Setup, but they must be configured on
If you already defined Active Directory in ISE, and you plan to use this AD for Wireless
name and domain name must be the same. If the names are not the same, then make them the same in ISE before using that AD in Wireless Setup.
If the WLC is already configured on ISE, the WLC must have a shared secret configured. If the WLC definition does not have the shared secret, then either add the shared secret, or delete the WLC from ISE, before configuring that WLC in
Wireless Setup can configure ISE components, but it can't delete or modify them after a flow has been started. For a list of all the things that Wireless Setup configures in ISE, see Changes to ISE and WLC by Wireless Setup.
When you start a flow, you must complete the flow. Clicking a breadcrumb in the flow stops the flow. As you step through a flow, changes are made to the ISE configuration dynamically. Wireless Setup provides a list of configuration changes, so you can manually revert them. You can't back up in a flow to make extra changes, with one exception: you can go back to change Guest or BYOD portal customization.
and Active Directory domains are supported, but each flow can only support one WLC and one Active Directory.
Wireless Setup requires an ISE Basic license to operate. BYOD requires a Plus license.
If you have configured ISE 2.2 resources before configuring Wireless Setup, Wireless Setup may have conflicts with an existing policy. If this happens, Wireless Setup advises you to review the authorization policy after running through the tool. We recommend that you start with a clean setup of ISE when running Wireless Setup. Support for a mixed configuration of Wireless Setup and ISE is limited.
is available in English, but not other languages. If you want to use other languages with your portal, configure that in ISE after running Wireless Setup.
Dual SSID is supported for BYOD. The Open SSID used in this configuration does not support guest access, due to conflicts. If you need a portal that supports both guest and BYOD, you cannot use Wireless Setup, and is out of the scope of this
Do use spaces in your SSID names.
Email and SMS
For self-registered guests, SMS and email notification is supported. These notifications are configured in the portal customization notification section. You must configure an SMTP server to support SMS and email notifications. The cellular providers built into ISE, which include AT&T, T-Mobile, Sprint, Orange and Verizon, are pre-configured, and are free email-to-SMS gateways.
The guest chooses their cell provider in the portal. If their provider is not in the list, then they can't receive a message. You can also configure a global provider, but that is outside of the scope of this guide. If the guest portal is configured for SMS and email notification, then they must enter values for both those services.
Sponsored guest flow does not provide configuration for SMS or email notification in Wireless Setup. For that flow, you must configure notification services in ISE.
For information about configuring notifications, see Configure SMTP Server to Support Notifications (http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100.html#ID166) and SMS Gateway Settings
select the SMS provider Global Default when configuring notifications for a portal. This provider is not configured (by default).
Wireless Setup only supports a standalone setup without HA. If you decide to use extra PSNs for authentication, then add the ISE IP address of those PSNs to your WLC’s