AAA and ISE

Hi All,
Where do I configure primary AAA and secondary AAA at ISE?
According to deployments guide Fig 1-6. Dispersed Deployment
http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
If we are using AD.. then AAA solution is RODC?
Thanks,
John

Hello,
Yes you can also use Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, DOt1X and CWA.
Please refer to below link which might help you.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html

Similar Messages

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • WLC and ISE

    Hello,
    I need to know what are the features I will lose for the wireless users, if I did not use a WLC deployment (Using autonomous AP), knowing that I'm using last code of ISE1.1.1.
    Also in case of no WLC, can I use Inline posture node or I have to use WLC in this case ?
    Thanks.

    So I understand from that COA is supported on the Cisco Switch and it provides this to the wired client, while this is not supported on the AP (although it is connected after that to a switch) and we will need WLC or inline posture, but I believe that the inline posture will be added after the switch so setup will be AP-----Switch---Inline posture---Core and ISE, so why the Inline posture can provide the CoA to the wireless clients while the switch can't do that ?
    Note : I assumed a lot of facts in the above statement so please correct me if any is wrong
    Fact 1: COA is supported on the Cisco Switch and it provides this to the wired client.
    Fact 2: but I believe that the inline posture will be added after the switch so setup will be AP-----Switch---Inline posture---Core and ISE.
    Also assuming that CoA is not supported and as I know it is important for the Posture and profiling, but can we use normal AAA authentication and Guest life mangamnet with ISE and without WLC or inline posture ?
    Thanks 

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
    my question is i am having  Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
    My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
    one more question,
    is it possible to make each AP seperate MAC filters On the WLC.
    thanks
    cyril

    If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
    Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
    Hope this clears you doubts!!!
    Note: Please do not forget to rate and accept as solution incase the post is valid.

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

  • Can i configure a network with ACS and ISE?

    I have both acs and ise, how do i integrate these appliance to work togheter?
    Thanks

    ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services  Engine can work in tandem with Cisco NAC Manager to provide the same  profiling service as the NAC Profiler, which has reached end-of-sale  status.
    Existing Cisco Secure ACS customers using network  access can easily migrate to the Cisco Identity Services Engine platform  using migration part numbers and tools. However, existing Cisco Secure  ACS customers using TACACS functions will not be able to migrate to the  current version of ISE for network device identity management which is  often acceptable for customers who prefer to keep user and network  identity on separate systems.

  • AAA and MD5 Configuration on SIP Calls

    Olease can anyone help in AAA and MD5 configuration on Cisco 3640 running SIP. My carrier told me that the only way that my calls can be Authenticated is thru AAAor MD5, eg -
    Host:
    Authentication ID:
    Secret:
    Please I need your help thank you in advance.
    Knmezi

    MD5 authentication works similarly to plain text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a "hash"). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.
    These protocols use MD5 authentication:
    OSPF
    RIP version 2
    BGP
    IP Enhanced IGRP
    For AAA configuration refer to following url;
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_configuration_example09186a008017ee15.shtml

  • AAA and PIN

    Good day
    Is it possible to configure, the router 2800 as server aaa and apply pin for authentication ?
    Any suggest will be appreciate.

    Stephane
    I am not sure what you are asking. It is certainly possible to configure 2800 routers to use aaa to request authentication. Your question sounds like it is asking if the 2800 can be configured to provide authentication services for other devices in the network. I believe the answer to this is no the 2800 does not provide autheentication services to other devices.
    And I am not clear what you mean when you say pin. If you just mean a password then yes the authentication can be based on a statically defined password. If you mean a one time use password (such as the RSA tokenID) the authentication server can be configured to process and authenticate with the one time passwords.
    HTH
    Rick

  • AAA and TACACS servers

    Hello All,
    I want to download a free, yet reliable AAA and TACACS servers, can you guide me? Also, I need help with configuring them for study purpose.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Wireless LWA and ISE - unable to get past AUP

    I have a very strange issue with wireless WebAuth where the users get redirected successfully to the WebAuth page and can enter their credentials, but once they accept the AUP they get redirected right back to the login page.  ISE 1.1 and WLC 7.0.235.0. 
    On my WLAN, I have L3 web policy Authentication enabled, an ACL-WEBAUTH-REDIRECT preauth ACL, AAA override and external URL redirect to my local policy service node with the following syntax - https://<server FQDN>:8443/guestportal/Login.action
    On ISE, my default authorization policy is WebAuth and I have another policy above that to identify my Guest identity group to be given InternetOnly permissions. 
    Same results occur for internal guest user identity and sponsor guest identities.  From Operations>Authentications, I see the successful authentication of the guest account, but it is not applying the authorization profile.  When I view the client in the WLC, I see the state is WEBAUTH_REQD.  It appears the redirect is maybe not attaching a session ID to the end users.  Tried from several different devices and getting the same results.  Also tried to build a wired CWA and also having the same results.  User always gets redirected to the webauth page and can login, but acceptance of the AUP just brings the user back to the login page in an endless loop.
    I feel like I am missing something simple here.  Anyone have any ideas?
    Thanks,
    Brian

    I have found that specifying the AAA server under the WLAN appears to fix the issue, although this configuration is not listed as a requirement in the Trustsec DIG 2.0.  The WLC had other AAA servers configured globally and the session was likely defaulting the authentication request to one of those servers.  By statically defining the AAA server under the WLAN, we can ensure the authentication goes to the proper server.

  • Central Web Auth with Anchor Controller and ISE

    Hi All
    I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
    I also have an ISE sat on the corporate LAN.
    Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
    DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
    I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
    My questions are:
    1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
    4. Is ICMP still blocked by the WLC until the web authentication is complete?
    Thanks.
    Regards
    Roger

    Hi Roger,
    Thanks for your brief explanation here are the answers for your queries.
    1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
    The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    Yes, you have to configure the ISE server address on the anchor WLC.
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
    Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
    4. Yes, ICMP will work only after the sucessful web auth is complete.
    Please do go through the link below to understand the Anchor-Foreigh Scenario.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    Regards
    Salma

  • Web auth with , intenal web page of WLC and ISE as radius server

    Hi All ,
    We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server.  AD is integrated with ISE .
    When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as
    "ise has problems communicating with active directory  using its machine credentials "  and authentication getting failed .
    When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
    Only for L3 web auth it is not happening..
    Any clue on this ..???
    Thanks,
    Regards,
    Vijay.

    Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • ISE 1.3 Rollback and ISE 1.2 Backup

    Hi All,
    I am curious to know about following related to ISE
    1) ISE 1.3
        Once we installed ise 1.3, can we rollback to ise 1.2.0 or do we need to re-image it
    2) ISE 1.2
        If I take backup of ise 1.2.0, will it include backup of certificates also ?
    Please do share your views..
    Thanks,
    Aditya

    Hi cciesec2011,
    thanks for reply.
    I am curious about backup of ise 1.2 and certificates. can you share any link/document related to this.
    Thanks,
    Aditya

  • WLC 5508 (ver 7.2) and ISE 1.1.2

    Ciao,
    I found this interesting article:
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    And I'm wondering if the same configuration will work with ISE 1.1.2.
    My needs are:
    - one SSID
    - according to authentication (for guest: user\pwd in ISE database; for employees certificate or user\pwd M$ AD) moved to a VLAN or another
    Ciao e grazie!
    Luciano

    Philip,
    My bad, I apologize for the confusion, they put so many numbers on the back
    here this might help.
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml

  • Login scripts not running with AnyConnect NAM and ISE 1.2

    I am using AnyConnect 3.1 NAM as my 802.1x supplicant for ISE 1.2.  When users log in with EAP Chaining (User and Machine Auth), the login script seems hit or miss on if it runs to map their drives.  If I uninstall the NAM client, they map drives every time.  I would think that running a login script to map drives is a common scenario and I was wondering if anyone else using AnyConnect NAM was having similar issues or how they were dealing with it.

    I have the same issue and I solve the issue with change these parameters.
    1.- You must change on configuration profile "before user logon". I have 5 seconds
    2.- You must change on configuration profile  "port authentication Exception policy" and you must enable checkbox "enable port exceptions" and select "allow data traffic before authentication"
    3.- You must enable in the option of interface Ethernet Intel on PC "Wait for link" this option It's in "configured advanced of Intel. You must select "on" in this option.
    4.- (this recommendation it was by Cisco) 
    Active Direct GPO has a setting "Computer Configuration\Administrative
    Templates\System\Logon\ Always wait for the network at computer startup and logon" that
    can be enabled to make the logon scripts wait till 802.1x authentication is completed.
    With those changes the logon script run fine.
    Regards
    David.

Maybe you are looking for

  • When I hit video app on my ipad I get a black screen

    I've purchased some children's 'TV series' cartoons for my iPad 2 which were fine to begin with, but now I just get a black screen when I press the 'video' app and cannot play anything. The videos will play if I go into them through the Itunes Store

  • How do I get the music from itunes on my computer on my ipod touch

    I have music on my playlist in Itunes on my computer but it isn't transferring to my Ipod Touch.  How do I do this?

  • TS1702 Refund on Apps.

    Has the refund on apps changed.  I ask this as I have got a far as report a problem via iTunes.  Following iTunes>Store>View Account>Purchase History>View All>Report A Problem> This now takes you to Apple Support where you have even more options that

  • Variable Form Data - PDF Merge Issue

    I created a VB program, using Acrobat 5 and the FDFToolkit, that took variable data and populated a form and saved it.  It then populated another form and then saved it. Each form is a set of cards 9-Up double sided. When this process completed it me

  • Need help in Installing SAPUI5

    hello all, new to UI5/HTML5. i am working on a proposal and trying to show something to customer. but i am unable to install SAPUI5 in my system. problem is there are many steps and links from here in SCN and other tech forums about installations. so