Configuring Hotspot Guest Access with Cisco ISE

Been toying with the Cisco vWLC and ISE in the home lab. Evaluation copies of ISE can be found on Cisco’s box share here: https://cisco.app.box.com/v/ISE-Eval

Here are my notes on configuring a Guest Hotspot portal. Hotspots are a simple portal where users will need to accept an Acceptable Use Policy before being granted access to the internet.

Please also see the ISE Guest Access Deployment Guide from Cisco for more details on setting up different Guest Access scenarios: https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

After installing vWLC and ISE, add ISE as an AAA server on the vWLC.

  • Log into the vWLC. Click the security tab at the top.
  • On the left hand menu click Authentication under Radius/AAA.
  • Click the New button to add a new AAA server.
  • Enter the IP address of the ISE server, be sure port number is 1812, and that Support for COA is checked. Create a Shared Secret and make note of it as ISE will need to be configured with the same secret. Click Apply.
  • Next click Accounting from the Security/AAA menu on the left. Hit New and enter the required information.

Next we will log into ISE and configure the WLC as a network device.

  • Go to Work Centers, then Network Resources.
  • Click Add and fill out the WLC information. Check Radius Auth. Settings and enter the Shared Secret we created earlier on the WLC.

The next step is to configure our Guest WLAN/SSID.

  • Log into your WLC and click the WLANs tab. Choose Create New from the drop down box and click Go.
  • Enter a profile name and SSID.
  • Select Status Enabled, and the correct interface for your guest traffic.
  • Next click the Security tab.
  • Change Layer 2 Security to None, and check MAC Filtering.
  • Click AAA Servers, and change the Authentication and Authorization servers to the ISE server via the drop down boxes.

  • Click the Advanced tab.
  • Check Allow AAA Override.
  • Under NAC change the drop down to ISE NAC.
  • Uncheck Flex Connect Local Switching if enabled.
  • Check DHCP/HTTP profiling under Radius Client Profiling.

Next we create the redirect ACL on the WLC. Traffic this ACL permits passes straight through before the AUP is accepted; everything else is redirected to the portal, so it should only permit DNS and the ISE server.

  • Click New, and for the ACL name type ACL_WEBAUTH_REDIRECT.
  • Click Apply, then click the ACL name to start editing.
  • Click Add New Rule.
  • Create a rule allowing destination DNS (udp/53) from any to any.
  • Create a rule allowing source DNS from any to any.
  • Create a rule allowing tcp from ISE to any.
  • Create a rule allowing tcp from any to ISE.
  • Note: In production you would want to limit the DNS entries to just your trusted DNS server.
  • Create a new ACL if you’d like to place any restrictions on your guest network, e.g., blocking access to any private IP space.

Next we’ll create ISE policies to redirect users who connect to the Guest network to a web portal. Once the AUP has been accepted, a new policy is applied that restricts them to internet-only access via the ACL we created earlier. We’re going to be using the default hotspot portal, but you can design your own portals with custom graphics. Cisco also has an ISE portal builder which has an excellent WYSIWYG editor to make custom portal building a snap. The portal builder requires a Cisco login and can be found here: https://isepb.cisco.com/#/

  • Log in to ISE. Go to Work Centers, Guest Access, Policy Elements.
  • Click Results and go to Authorization Profiles.
  • Click Add to create a new profile.
  • Give the policy a descriptive name and description.
  • Scroll down a bit in the Common Tasks and check Web Redirection.
  • Select Hotspot from the drop down. Enter ACL_WEBAUTH_REDIRECT as the ACL and the value will be the Hotspot guest portal (if you’ve uploaded a custom portal you can select it here).
  • Click Submit.
  • Click Add again, enter a new name and description. This policy will apply the guest restriction ACL we created on the WLC.
  • Scroll down into the Common Tasks and find Airespace ACL, enter the name of the Guest ACL you created earlier. Click Submit.
  • Now, go to Work Centers, Guest Access, Policy Sets.

  • Expand the Default policy set by clicking the arrow on the right.
  • Expand the Authentication Policy by clicking the arrow.
  • Find MAB (MAC Authentication Bypass) and expand the options menu. Be sure the option for “If User not found” is set to Continue.
  • Next we’ll create our new Authorization Policies for the Guest network. Expand Authorization Policy and select a space to insert the policies. Locate a rule and click the gear, then select insert above or below rule to place the new policies where you’d like them.
  • Enter a name for the policy. Select Wireless_MAB as the condition, and Guest_Hotspot as the Profile.
  • Add a new rule above the one we just created.
  • This rule applies the Guest ACL once the user has gone through the portal. Conditions will be Wireless_MAB, IdentityGroup = GuestEndpoints, and Guest_Flow. The result will be the Guest_Access profile we created, which applies the ACL we created on the WLC.
  • Click Save.
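To see how the redirect ACL and the two authorization rules above work together, here is an added Python model (not part of the original notes and not Cisco code): it evaluates packets against ACL_WEBAUTH_REDIRECT, applies the production note by restricting DNS to a trusted resolver, and shows why the Guest_Flow rule must sit above the plain Wireless_MAB rule. The ISE and DNS addresses are constructed lab values, and the ISE conditions are simplified to a set of session attributes.

```python
from ipaddress import ip_address, ip_network

# Constructed lab addresses: substitute your own ISE PSN and trusted resolver.
ISE = ip_network("10.0.0.50/32")
TRUSTED_DNS = ip_network("10.0.0.10/32")
ANY = ip_network("0.0.0.0/0")

# ACL_WEBAUTH_REDIRECT as built on the WLC above: (proto, src, dst, src_port, dst_port).
# A packet matching a permit rule passes through; anything unmatched is redirected to the portal.
REDIRECT_ACL = [
    ("udp", ANY, ANY, None, 53),    # destination DNS
    ("udp", ANY, ANY, 53, None),    # source DNS
    ("tcp", ISE, ANY, None, None),  # ISE to client
    ("tcp", ANY, ISE, None, None),  # client to ISE
]

def bypasses_redirect(acl, proto, src, dst, sport, dport):
    """First-match check: True if the packet reaches its real destination, False if redirected."""
    return any(p == proto and ip_address(src) in s and ip_address(dst) in d
               and sp in (None, sport) and dp in (None, dport)
               for p, s, d, sp, dp in acl)

def harden_dns(acl, resolver):
    """Production note above: only the trusted resolver may bypass the redirect on udp/53."""
    return [(p, resolver if sp == 53 else s, resolver if dp == 53 else d, sp, dp)
            for p, s, d, sp, dp in acl]

# ISE authorization rules in the order configured above (first match wins), modelled as the
# set of conditions a session must carry; Guest_Flow stands for the built-in guest-flow condition.
AUTHZ_RULES = [
    ("Guest_Post_AUP", {"Wireless_MAB", "GuestEndpoints", "Guest_Flow"}, "Guest_Access"),
    ("Guest_Redirect", {"Wireless_MAB"}, "Guest_Hotspot"),
]

def authorize(rules, session):
    for _name, conditions, profile in rules:
        if conditions <= session:
            return profile
    return "DenyAccess"  # the policy set's default rule

def guest_session(rules):
    """Profiles a hotspot guest receives before and after accepting the AUP (CoA re-authorization)."""
    before = authorize(rules, {"Wireless_MAB"})
    after = authorize(rules, {"Wireless_MAB", "GuestEndpoints", "Guest_Flow"})
    return before, after
```

Swapping the two rules makes guest_session return Guest_Hotspot twice, which is the symptom of a client that keeps landing on the portal after accepting the AUP.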

This should be enough configuration to get the Guest Hotspot SSID up and running. Connecting to the new SSID should pop up the AUP; once it is accepted, you should have access to the internet.

Upgrading a Cisco Wireless LAN Controller

After being recently tasked to upgrade a Cisco Wireless LAN Controller I figured I’d document the process for future reference.

You’ll need either a tftp, ftp, or sftp server as well as the code you’re upgrading the WLC to and the FUS upgrade if necessary.

Some notes on the different requirements:

  • Code can be downloaded to the WLC by either TFTP, FTP, or SFTP.
  • Configuration can be uploaded from the WLC by either TFTP, FTP, or SFTP.
  • Please be aware of the types of access points the version of WLC code supports. Older APs are often unsupported in newer versions of code. For example, the WLC I’m upgrading needs to support AIR-LAP1142N-A-K9 access points, which are not compatible with release 8.4.X and up, meaning the newest code I could upgrade to is 8.3.140.0. Check the Cisco Wireless Solutions Software Compatibility Matrix to find out what version of code is supported for your APs.
  • It’s also recommended you check the TAC Recommended AireOS Builds to see if the version of code you selected is recommended by TAC or if there may be any bugs you might run into. When in doubt grab the gold star release from Cisco.
  • When downloading your WLC software update check to see if there is a Field Upgrade Software (FUS) package available. The FUS contains various system-related component upgrades (bootloaders, field recovery images, etc.). More info about FUS can be found here.

Before upgrading any software be sure to create a backup of your WLC config.

The following commands configure the upload mode (tftp, ftp, or sftp), what to back up, and where to back it up to.

(wlc1) >transfer upload mode sftp
(wlc1) >transfer upload username sftp
(wlc1) >transfer upload password sftp
(wlc1) >transfer upload datatype config
(wlc1) >transfer upload filename WLC-BACKUP
(wlc1) >transfer upload path .
(wlc1) >transfer upload serverip  X.X.X.X
(wlc1) >transfer upload start

After making a backup of our configuration we may also want to make note of the APs currently joined to the WLC as well as the current version of code running, so we can confirm both after the upgrade.

(wlc1) >show AP join stats summary all 

Number of APs.................................... 166

(wlc1) >show sysinfo 

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.0.140.0
RTOS Version..................................... 8.0.140.0
Bootloader Version............................... 8.0.100.0
Emergency Image Version.......................... 8.0.100.0

Now we can configure the transfer method to download the FUS update to the WLC and then reboot the system to apply the update.

(wlc1) >transfer download mode sftp
(wlc1) >transfer download datatype code
(wlc1) >transfer download username sftp
(wlc1) >transfer download password sftp
(wlc1) >transfer download serverip X.X.X.X
(wlc1) >transfer download path .
(wlc1) >transfer download filename AIR-CT8500-K9-2-0-0-0-FUS.aes
(wlc1) >transfer download start


Mode............................................. SFTP
Data Type........................................ Code          
SFTP Server IP................................... X.X.X.X
SFTP Server Port................................. 22
SFTP Path........................................ /
SFTP Filename.................................... AIR-CT8500-K9-2-0-0-0-FUS.aes
SFTP Username.................................... sftp
SFTP Password.................................... *********

This may take some time.
Are you sure you want to start? (y/N) y

(wlc1) > reset system

The system has unsaved changes.
Would you like to save them now? (y/N) y

The system will reboot and apply the FUS update. Keep in mind that this process may take 30 to 60 minutes in total.

After applying the FUS update we can follow the same procedure to download the WLC code to the controller.

(wlc1) >transfer download mode sftp
(wlc1) >transfer download datatype code
(wlc1) >transfer download username sftp
(wlc1) >transfer download password sftp
(wlc1) >transfer download serverip X.X.X.X
(wlc1) >transfer download path .
(wlc1) >transfer download filename AIR-CT8500-K9-8-3-140-0.aes
(wlc1) >transfer download start


Mode............................................. SFTP
Data Type........................................ Code          
SFTP Server IP................................... X.X.X.X
SFTP Server Port................................. 22
SFTP Path........................................ /
SFTP Filename.................................... AIR-CT8500-K9-8-3-140-0.aes
SFTP Username.................................... sftp
SFTP Password.................................... *********

This may take some time.
Are you sure you want to start? (y/N) y

Reset the system to apply the update by issuing the reset system command.

You can also have the APs predownload the new software before rebooting your controller. This is useful in large environments where you want to minimize downtime, as there is a maximum number of access points that can concurrently download their software from the WLC after the controller reboots.

(wlc1) > config ap image predownload primary

(wlc1) > show ap image all

After rebooting your controller do a show sysinfo to verify your software version.

(wlc1) >show sysinfo 

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.140.0
RTOS Version..................................... 8.3.140.0
Bootloader Version............................... 8.1.133.7
Emergency Image Version.......................... 8.1.133.7
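As an added example (not part of the original notes and not Cisco tooling), the following Python parses the AireOS "show" output captured above and checks the post-upgrade state against the pre-upgrade snapshot: the expected version, the RTOS/product version agreement, whether every AP has rejoined, and, when a FUS was applied, whether the bootloader actually changed. The sample output is constructed from the excerpts in these notes.

```python
import re

# "show ap join stats summary all" and "show sysinfo" output as captured in the notes
# above, before and after the upgrade (constructed from those excerpts, prompts included).
BEFORE = """\
(wlc1) >show AP join stats summary all
Number of APs.................................... 166
(wlc1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Version.................................. 8.0.140.0
RTOS Version..................................... 8.0.140.0
Bootloader Version............................... 8.0.100.0
"""
AFTER = """\
Number of APs.................................... 166
Product Version.................................. 8.3.140.0
RTOS Version..................................... 8.3.140.0
Bootloader Version............................... 8.1.133.7
"""

FIELD = re.compile(r"^([A-Za-z' ]+?)\.{2,}\s*(.+?)\s*$")

def parse_show(output):
    """Turn AireOS 'Key....... value' lines into a dict; prompts and other lines are skipped."""
    fields = {}
    for line in output.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def check_upgrade(before_out, after_out, target, fus_applied=True):
    """Return the list of problems found; an empty list means the upgrade looks healthy."""
    before, after = parse_show(before_out), parse_show(after_out)
    problems = []
    if after.get("Product Version") != target:
        problems.append(f"expected {target}, controller reports {after.get('Product Version')}")
    if after.get("RTOS Version") != after.get("Product Version"):
        problems.append("RTOS version differs from product version")
    missing = int(before["Number of APs"]) - int(after["Number of APs"])
    if missing > 0:
        problems.append(f"{missing} AP(s) have not rejoined the controller")
    # The FUS carries bootloader updates, so an unchanged bootloader suggests it never applied.
    if fus_applied and after.get("Bootloader Version") == before.get("Bootloader Version"):
        problems.append("bootloader version unchanged: FUS may not have applied")
    return problems
```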