ISE CWA Flow Validation

tolarosa@cisco.com
Cisco Employee

Hi Team,

I'm working on an ISE POC with a customer and we ran into an issue with ISE CWA on switches without SVIs in the Data/Access VLANs. The customer is using an ASA as their default GW for all VLANs, so every VLAN needs to go through policy for communication. I have put together the attached flow based on information I have read but would like to verify this is correct and I'm not missing anything. Due to the asymmetry of how URL Redirection works, I can see how this will cause a problem with firewalls. I have also added some alternative designs in the image. Are there any best practice designs for this type of scenario? Also, is this flow accurate?

ISE CWA Flow_Access Switch WO SVI.jpg

Accepted Solution

Craig Hyps
Level 10

Summation is correct and yes, we have seen customers hit issues when the default GW is a firewall due to the reasons noted.

I have also posted a number of flows here: ISE Auth-Feature Flows_v1.pdf, and a similar scenario is highlighted in an "oldie but goody" guide here: IBNS: Web Authentication Deployment and Configuration Guide - Cisco, in the section titled "TCP Traffic Flow for Login Page When No Layer 3 SVI for Host VLAN Exists on Access Switch". This older guide is talking about local web auth, but the redirection concepts are the same.

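As an added example (not code from this thread or from Cisco): a small Python check that flags VLANs carrying access ports but lacking an up/up SVI on the access switch, which is the condition the thread identifies as problematic when the default gateway is a firewall. It parses IOS-style `show vlan brief` and `show ip interface brief` output; the sample output embedded below is constructed.

```python
import re

# Constructed sample output in Cisco IOS format (not taken from the thread).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/23, Gi1/0/24
10   DATA                             active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4
20   VOICE                            active    Gi1/0/1, Gi1/0/2
99   MGMT                             active
1002 fddi-default                     act/unsup
"""

SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  administratively down down
Vlan99                 10.99.0.5       YES NVRAM  up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
"""

def parse_vlan_ports(text):
    """Map VLAN id -> list of member ports, folding IOS continuation lines."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            ports[current] = m.group(2).replace(",", " ").split()
        elif current is not None and line.startswith(" ") and line.strip():
            ports[current] += line.replace(",", " ").split()  # wrapped port list
    return ports

def parse_up_svis(text):
    """Set of VLAN ids whose SVI has an address and is up/up."""
    svis = set()
    for line in text.splitlines():
        m = re.match(r"^Vlan(\d+)\s+(\S+)\s+\S+\s+\S+\s+(.+?)\s+(\S+)\s*$", line)
        if m and m.group(2) != "unassigned" and m.group(3) == "up" == m.group(4):
            svis.add(int(m.group(1)))
    return svis

def vlans_missing_svi(vlan_brief, ip_int_brief):
    """VLANs with access ports but no usable SVI: the CWA redirect for hosts
    in these VLANs cannot be answered locally by the switch."""
    ports = parse_vlan_ports(vlan_brief)
    svis = parse_up_svis(ip_int_brief)
    return sorted(v for v, p in ports.items() if p and v not in svis)

if __name__ == "__main__":
    print("VLANs with ports but no SVI:", vlans_missing_svi(SHOW_VLAN_BRIEF, SHOW_IP_INT_BRIEF))
```

Run the two show commands on each access switch in the design and feed the output in; any VLAN listed is one where the redirect will depend on the path through the ASA.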
