ISE 1.2 and WLC 7.4 Stability

We are deploying ISE 1.2 for wireless only and have been experiencing a lot of issues with central web auth on controllers on version 7.4MR2. It appears we are hitting a bug, but I am curious what others on ISE 1.2 have found as the best stable WLC code to use? Has anyone been experiencing issues on 7.4 specific to CWA and web redirect? We are encountering a problem where users are constantly thrown back to the guest portal page about 5 to 10 minutes after successfully logging in. Thanks.

Hi,
I have been running 7.4.115.0 on a production system for over 6 months with no visible issues. The 7.4.115.0 patch is a special release to fix Apple iOS7 captive portal bypass. Other than that, 7.4.110.0 was pretty stable.
You might consider changing the Guest WLAN session timeout on the advanced page on the WLAN in the WLC to a higher number which may fix your re-authentication issue every 5-10 minutes.

Similar Messages

  • Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

    Hello,
    We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
    I have configured ISE and WLC to talk to each other, which is working fine. An SSID with MAC filtering is also configured on the WLC, with an ACL only allowing ISE and DNS traffic.
    I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and Android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP address from DHCP and the right VLAN from the WLC. The log process on ISE is as follows.
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
    15049 Evaluating Policy Group
    15008 Evaluating Service Selection Policy
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule
    15041 Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Source - Internal Endpoints
    24210 Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
    24216 The user is not found in the internal users identity store
    24209 Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
    24211 Found Endpoint in Internal Endpoints IDStore
    22037 Authentication Passed
    15036 Evaluating Authorization Policy
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule - Guest Redirection
    15016 Selected Authorization Profile - Test_Profile
    11002 Returned RADIUS Access-Accept
    I also see a redirect URL in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal URL. Since I can't get there, I can't continue with the rest of the process: authentication, CoA and the final ACL for internet access.
    Can someone please either guide me on the correct steps that I need to follow, if I have misconfigured something, or advise if this is a bug.
    Thanks in advance.
    Jay

    The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thank you for rating helpful posts! 
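    As an added example (not code from this thread or from Cisco), here is a small Python model of the redirect-ACL behaviour the reply above relies on: on the WLC a matching permit entry lets traffic through with no redirect, while traffic hitting a deny (explicit or the implicit trailing deny) is sent to the ISE portal if it is web traffic and dropped otherwise, so a trailing permit-all silently defeats CWA. The ISE address is the one quoted elsewhere on this page; the DNS, client and internet addresses are constructed, and treating both tcp/80 and tcp/443 as intercepted is an assumption.

```python
# Added example: model of how an AireOS WLC applies a CWA redirect (pre-auth) ACL
# to a client that is still waiting for web authentication. The semantics are an
# assumption drawn from the thread: "permit" = pass without redirect,
# "deny" (explicit or implicit) = redirect web traffic to the portal, drop the rest.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WEB_PORTS = (80, 443)  # assumption: both HTTP and HTTPS are intercepted


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: str                      # "any" or a host/CIDR such as "10.10.17.201/32"
    dst: str                      # same format as src
    dport: Optional[int] = None   # None matches any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Return 'bypass', 'redirect' or 'drop' for one packet from a pre-auth client."""
    for e in acl:
        if _entry_matches(e, pkt):
            if e.action == "permit":
                return "bypass"      # allowed through, the portal is never involved
            break                    # explicit deny: fall through to redirect/drop
    # Denied (explicitly or by the implicit deny): only web traffic is redirected.
    if pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
        return "redirect"
    return "drop"


def lint(acl: List[AclEntry]) -> List[str]:
    """Flag permit entries broad enough to swallow all web traffic, which defeats CWA."""
    problems = []
    for i, e in enumerate(acl, start=1):
        broad = e.action == "permit" and e.src == "any" and e.dst == "any"
        if broad and e.proto in ("ip", "tcp") and e.dport in (None, *WEB_PORTS):
            problems.append(f"entry {i}: 'permit {e.proto} any any' bypasses the redirect for web traffic")
    return problems


# Constructed sample addresses: the ISE node quoted in this page (10.10.17.201) and a
# DNS server in the documentation range; client and internet hosts are made up.
ISE, DNS = "10.10.17.201/32", "192.0.2.53/32"
CLIENT, INTERNET = "192.168.1.50", "198.51.100.10"

# The four entries the reply recommends: any<->ISE and any<->DNS, nothing else.
GOOD_ACL = [
    AclEntry("permit", "ip", "any", ISE),
    AclEntry("permit", "ip", ISE, "any"),
    AclEntry("permit", "udp", "any", DNS, 53),
    AclEntry("permit", "udp", DNS, "any"),
]

# Same ACL with the mistake called out in the reply: a permit-all at the end.
BROKEN_ACL = GOOD_ACL + [AclEntry("permit", "ip", "any", "any")]


def demo() -> dict:
    web = Packet("tcp", CLIENT, INTERNET, 80)
    return {
        "web to internet (good ACL)": evaluate(GOOD_ACL, web),
        "portal on ISE:8443 (good ACL)": evaluate(GOOD_ACL, Packet("tcp", CLIENT, "10.10.17.201", 8443)),
        "dns (good ACL)": evaluate(GOOD_ACL, Packet("udp", CLIENT, "192.0.2.53", 53)),
        "ssh to internet (good ACL)": evaluate(GOOD_ACL, Packet("tcp", CLIENT, INTERNET, 22)),
        "web to internet (broken ACL)": evaluate(BROKEN_ACL, web),
        "lint(broken)": lint(BROKEN_ACL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    Note that the direction is reversed on an IOS switch, where the permit entries of the redirect ACL select the traffic that is redirected; the model above is for the WLC only.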

  • ISE 1.04 and WLC 7.2 - CWA Config?

    Hello, I'm currently deploying a POC for Central WebAuthentication with the new 7.2 Wireless Lan Controller code.
    I'm aware of the differences between LWA and CWA in Catalyst Switches, but I'm having trouble grasping how to configure the CWA on the WLC for wireless guests with open web auth.
    For LWA I did get:
    1- User opens browser
    2- WLC redirects user to ISE Guest page
    3- ISE Guest page sends username/password to WLC,
    4- WLC does a RADIUS PAP request to ISE in order to authenticate user.
    5- ISE authenticates (or not) and send Access-Accept to WLC
    6- WLC lets user go through.
    For CWA the way I see it, it should be:
    1- User opens browser
    2- WLC redirects user to ISE Guest page
    3- ISE Guest page processes username/password internally
    4- ISE authenticates (or not) and sends Access-Accept to WLC
    5- WLC lets user go through.
    The way I see it, we should define a WLAN's L3 security policy as webauth, with no L2 security, but the question is how to configure the controller so that ISE doesn't just serve as an external web server and the WLC is not waiting for a username/password from this external web server, as LWA would work, but instead just gets an Access-Accept from ISE.
    For the moment LWA is more intuitive given the WLC philosophy of operation. I'm not really seeing how/where to configure 7.2 code to just expect an access-accept from ISE.
    Can anybody enlighten me on how this should be configured/work?
    Any insight is very much appreciated.
    Thanks
    Gustavo Novais

    Hi Brian,
    Complementing Nicolas Darchis idea:
    On SSID Security settings, set Open Authentication and check the MAC Filtering box, do NOT check any type of L3 authentication.
    Then define your RADIUS/ISE servers (enable support for RFC 5734 when defining them) on the SSID, and on the advanced tab of the ssid, enable RADIUS NAC (and aaa override too).
    It is exactly the same thing as when you do RADIUS-based MAC authentication, except in this case the RADIUS server will reply with an Access-Accept + a few attributes (namely airespace-acl/vlan/url-redirect).
    On the ISE, you'll need to match service type: call-check (MAB) RADIUS authentication in order to match requests coming from WLC CWA.
    Then the order will be the exact same as for a switch:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1112855
    I needed to put the redirect access-list referenced on ISE CWA, statically on the WLC as a pre-auth ACL (you'll need to define it statically on the WLC - security access-lists).
    Nicolas, I've seen the TrustSec design guide 2.0 but no CWA on wireless was included... do you have any idea if it will be in TrustSec 2.1?
    Thanks & Regards
    Gustavo

  • ISE 1.2 and WLC 7.6.100.0 Flex Config

    I've one SSID used for both Head Office users and branch users. The problem is that branch users are using FlexConnect. All the branch users are using VLAN 10 before authentication and VLAN 20 after authentication. But H.O. users are using VLAN 50 to connect. Now I've made the AuthZ policy match WLAN ID and Wireless 802.1X.
    The question is how I'll make the H.O. users match a different AuthZ policy from the branch users, since I need to return different VLANs for them.
    Thanks and Regards,
    Zohaib

    Hi Jan,
    Thanks for the reply. I just want to know if there is any other way to identify the users in the policy, since I'm using only the default group and the network is operational. Shifting these APs to a new group will be difficult. Is there a way to put a NAS-ID on a FlexConnect group?

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
    Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • ISE 1.2 With WLC and AD

    Hi everyone,
    What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a LAB environment? Currently the following are done.
    The wireless network is configured with 2 SSID (Staff and Guest) 
    Active Directory, DNS, DHCP, and  NTP configured & synced.
    ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
    Please provide your thoughts and assistance.
    Regards

    You have to implement dot1x and RADIUS between your NAD and the ISE device.
    Using the 3850 switch, these are the steps:
    username RADIUS-HEALTH password radiusKey1 privilege 15
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    !this password will be used to communicate with ISE and to verify reachability
    !between ISE and Switch
    aaa server radius dynamic-author
     client 172.16.1.18 server-key 7 radiuskey
     client 172.16.1.20 server-key 7 radiuskey
    ip domain-name lab.local
    ip name-server 172.16.1.1
    dot1x system-auth-control
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 50
     switchport access vlan 10
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip access-list extended ACL-ALLOW
     permit ip any any
    !the comm between radius and ise will occur on these Port
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    snmp-server community ciscoro RO
    snmp-server community public RO
    snmp-server trap-source Vlan100
    snmp-server source-interface informs Vlan100
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 10 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    !defining ISE servers
    radius server ISE-RADIUS-1
     address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
     automate-tester username RADIUS-HEALTH idle-time 15
     key radiusKey
    Please be sure that NTP servers and time are synchronized.
    Enable dot1X on the Windows machine, or use Cisco NAM.
    You can enable debugging on aaa authentication to see the events.
    You have to create this user on ISE (RADIUS-HEALTH).
    3850#test aaa group radius username password new-code
    and observe the result. You are supposed to have the user authenticated successfully.
    You must also define these devices in ISE on the RADIUS interface.
    ip radius source-interface ..... use this interface IP address to define the IP address of the NAD device in ISE.
    administration-->network resources -->Network Devices-->Add
    input the name
    input the IP address for RADIUS communication
    select the authentication settings and fill in the corresponding shared secret RADIUS key
    select SNMP settings and select version 2c.
    snmp community : ciscoro
    You can customize the polling interval if you want, and that's all.
    You are supposed to receive message communication between your NAD and ISE.
    After that you can do the procedure for the WLC device.
    I will fill it in after you have passed the first steps (3850 authentication).

  • ISE and WLC

    Dear friends,
    We are using ISE and WLC integration in our network. We have Corporate and Guest SSIDs; we configured them but the client can't connect to this SSID and can't be authenticated. Please see the attached files and tell me if I did something wrong in the configuration of the WLC.
    10.10.17.201 is ISE
    Thank you for attention

    Hi,
    After viewing the Trap logs it seems you have checked on validate machine.
    On the client side, make sure you don't check validate machine and then try.

  • ISE and WLC SRE module compatibilty matrix

    Hi all,
    We are running an SRE module on a router with code of the 6.x release. Is there any compatibility matrix available for ISE and WLC code to support CWA? Because as of now, the wireless clients are not redirecting to the ISE login page.
    Kindly suggest.
    Thanks,
    Regards,
    Vijay

    The doc is for wireless guest using CWA. For wired guest, I don't know since you can do wired guest from a WLC that supports it or from a switch.
    Sent from Cisco Technical Support iPhone App

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the RADIUS server and also to redirect the web login to it.
    I was trying to understand: to achieve the external web login, do I need to use the radius-nac option under Advanced on the guest WLAN where I am trying this out? And if not, where do I actually use it?
    So far what I have understood is that I do need to have a pre-auth ACL on the Layer 3 security, but the issue is there is no hit reaching ISE.
    Any suggestions would be highly appreciated, guys!
    Regards,
    Mohit

    Hi Mohit,
    Please make sure of the below steps for guest auth through ISE,
    1) Add the WLC in your ISE as a network device.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be
    https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the Advanced tab please choose AAA override. No need for RADIUS NAC.
    6) Create an appropriate authorization profile in ISE for guest. Example is below,

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our company is trying to implement Guest Access with ISE and WLC with the Local Web Auth method. But there is a problem that comes up with the certificate. This is the scenario:
    1. Guests try to connect to wifi with SSID Guest
    2. Once connected, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because guests didn't log in, it redirects to the "ISE Guest Login Page" (URL becomes:
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page certificate installed, an Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login succeeds and they will be redirected to www.cisco.com, and there is a pop-up from 1.1.1.1 (WLC Virtual Interface IP) with a logout button.
    The problem happens in step 6: after login succeeds, the webpage with the ISE IP address appears with a certificate error for 1.1.1.1.
    I know it happens when guests don't have the WLC Login Page certificate...
    My question is, is there a way to tunnel the WLC certificate through ISE? Or what can we do to make ISE validate the WLC certificate, so guests don't need to install the WLC certificate / root certificate before connecting to wifi?
    Thanks for your answer and sorry for my bad English....

    Thanks for your reply Peter, your solution is right,
    I didn't choose CWA, because their DNS is not stable...
    I've found the problem...
    the third-party CA is revoked, so there is no way it will succeed until it is fixed...
    and there is no guarantee they will fix it soon..
    so the solution that we chose is to disable "HTTPS" on the WLC...
    "config network web-auth secureweb disable"
    thank you all...

  • Cisco ISE and WLC Timeout Best Practices

    I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
    I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
    Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

    I ended up answering my own question. The authorization session timeouts should be set in ISE, if at all.
    Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had fewer complaints about disconnects.
    The session timeout on the PEAP settings has not caused any ill effects at its default. The session resume has taken a huge load off of AAA though. It's worth turning on.

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support?
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
    as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101
    1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
    This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
    As far as certs if you are using mobile devices you may want to consider 3rd party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • ISE distributed : router and switch update

    I have 2 ISE 1.2
    I configured ISE1 as primary for PAN, MNT and PSN and it works fine
    Now I am configuring ISE2 as secondary PAN, MNT and PSN
    Find below the actual configuration of the router, switch and WLC where ISE1_IP is configured
    1. Router (sub-interface and DHCP are configured on the router)
    interface FastEthernet1.10
    encapsulation dot1Q 10
    ip address 192.168.1.1 255.255.255.0
    ip helper-address ISE1_IP
    2. Switch configuration
    snmp-server host ISE1_IP version 2c ROpass
    radius-server host ISE1_IP auth-port 1812 acct-port 1813
    aaa server radius dynamic-author
    client ISE1_IP server-key John23
    On site_1, ISE1 is PAN, MNT and PSN primary then ISE2 is PAN, MNT and PSN secondary
    On site_2, ISE1 is PAN, MNT primary and PSN secondary, then ISE2 is PAN, MNT secondary and PSN primary
    See below the configuration that I made after installing ISE2 as secondary for PAN, MNT and PSN
    1. Router site_1
    interface FastEthernet1.10
    encapsulation dot1Q 10
    ip address 192.168.1.1 255.255.255.0
    ip helper-address ISE1_IP
    ip helper-address ISE2_IP
    2. Switch site_1
    snmp-server host ISE1_IP version 2c ROpass
    snmp-server host ISE2_IP version 2c ROpass
    radius-server host ISE1_IP auth-port 1812 acct-port 1813
    radius-server host ISE2_IP auth-port 1812 acct-port 1813
    aaa server radius dynamic-author
    client ISE1_IP server-key John23
    client ISE2_IP server-key John23
    3. Router site_2
    interface FastEthernet1.10
    encapsulation dot1Q 10
    ip address 192.168.1.1 255.255.255.0
    ip helper-address ISE2_IP
    ip helper-address ISE1_IP
    4. Switch site_2 (I changed radius order only)
    snmp-server host ISE1_IP version 2c ROpass
    snmp-server host ISE2_IP version 2c ROpass
    radius-server host ISE2_IP auth-port 1812 acct-port 1813
    radius-server host ISE1_IP auth-port 1812 acct-port 1813
    aaa server radius dynamic-author
    client ISE1_IP server-key John23
    client ISE2_IP server-key John23
    Kindly have a look at my configuration after installing ISE2 and tell me if it is OK
    Please advise
    Thanks in advance

  • ISE Guest Portal and one more SSID using internal accounts

    Hi Guys,
    I have two SSIDs on the WLC, the first is related to the ISE Guest Portal and the second is related to employees, but I realize that the
    guest user can access the employee SSID and employee accounts can access the Guest portal page.
    I guess this happens because I cannot split these databases under "Internal Users" in the Authentication Policy.
    How can I restrict the access even if I am using the internal database?
    thanks a lot

    Using the Authorization policy is the right way. Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):
