Configuring CWA on WLC and ISE

In this post we will see how to configure Central Web Authentication (CWA).

The topology in this example is as follows.

WLC configuration

1. Add RADIUS Authentication Server

2. Configuring WLAN

MAC Filtering must be checked in the WLAN settings.
Enable AAA Override and select ISE NAC.

3. Configuring DNS for the virtual interface

4. Configuring ACL, Allow DNS and Radius server traffic

FlexConnect APs need to be configured with FlexConnect ACLs
and require additional configuration. See the links in the references for details.

Configuring ISE

1. Add Network Device

2. Add Network Access User

3. Add Authorization Profile

You should enter the vlan of the dynamic interface created in the WLC.

4. Configuring Policy Sets

It is really important to choose <Continue> here.
The order of the Authorization Policy is really important here.

Client connection

After the client connects to the SSID, open the browser to access any address, and the browser will redirect to the webauth page.


Central Web Authentication on the WLC and ISE Configuration Example

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

Web Authentication on WLAN Controller

Wireless LAN Controller Web Authentication Configuration Example

Central Web Authentication with FlexConnect APs on a WLC with ISE Configuration Example