AAA local authentication

Hi all,
I have configured my remote switch with the following AAA local authentication configuration.
no enable secret
no username hotel
no aaa new-model
username s1umb3r password p3ac3fully
enable secret tryt0h@ckth!S!s1umb3r
aaa new-model
exit
wr
After I have saved the configuration, I am not able to login to switch remotely. Please advice me ASAP.
Now how would I get into router is there any possibility to get into router remotely?
IOS version 12.0(5)WC8
Your early response will be highly appreciated.
Regards,
Khan

What does the VTY line have for config?

Similar Messages

Cisco 871W as Radius Local Authenticator

We are tring to configure an Cisco 871w as an access point and also as an local authenticator.The NAS would be the same server. The sample config is as below
aaa group server radius rad_eap
server 10.10.200.1 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip dhcp excluded-address 10.10.200.1
ip dhcp excluded-address 10.10.200.31 10.10.200.254
ip dhcp pool <pool_name>
import all
network 10.10.200.0 255.255.255.0
dns-server 141.x.x.6 141.198.136.12
default-router 10.10.200.1
lease 0 2
interface Dot11Radio0
ip address 10.10.200.1 255.255.255.0
ssid <SSID Name>
authentication network-eap eap_methods
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
ip classless
ip http server
ip http secure-server
radius-server local
nas 10.10.200.1 key 0 <key>
user test nthash xxx
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.200.1 auth-port 1645 acct-port 1646 key <key>
radius-server vsa send accounting
By the above config, we are trying to make the clients to authenticate with username created in the RADIUS which is this router and get an ip address through DHCP pool configured for the same. Will the above config does the same. Kindly let me know.
Thanking You
Regards
Anantha Subramanian Natarajan

Hi,
Thanks .
Worked with cipher mode tkip and used WPA for key management.
Once again,Thanks for the repsonse
Regards
Anantha Subramanian Natarajan

AAA Radius Authentication Queries

Have quite a few questions for Implementing Radius for my network devices :
Q.1.) How to safely implement aaa Radius authentication to make sure users have login using LOCAL database incase the Radius fails.
Q.2.) How to provide only read access for few users and full access to Adminstrators.
Q 3.) Incase if I save the config ..will it be possible to login to devices through any other alternative way ( assuming both the radius and Local credentials are not working).
Q 4.) How to recover the password for devices especially firewalls.
GReat it would be if someone can help me on these queries.. Thanks in advance.
Regards,
gHP.

VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
Use the H.323 VSA method of accounting when configuring the AAA application.
There are two modes:
â¢Overloaded Session-ID
Use the gw-accounting h323 syslog command to configure this mode.
â¢VSA
Use the gw-accounting h323 vsa command to configure this mode.

AAA login authentication methods

Hello guys,
I've noticed a strange behaviour with AAA authentication login.
My AAA configuration for login authentication is: aaa authentication login default group tacacs+ local
No tacacs server exists, but username and password in local database does. Indeed everything works fine when I log in: aaa authentication login default group tacacs+ local line none
The problem comes up when I add to the method list line and none authentication methods.
In this case, when I log into the switch (via console for example), and I'm asked for username, there is no validation of the username, I mean to say, I can put whatever username and been granted access.
Conclusion: According to my aaa authentication list, method line or none should not be used unless tacacs and local are not available. In this case, local method is available and should fail so login should be rejected, but it jumps to the next method, finally giving access.
Is this a bug in AAA? or am I misunderstanding something.
Thanks a lot.

Only exec-timeout command, so it applies the default list defined by aaa.
When I remove the none, authentication fails. I've debugged AAA authentication and shows:
User Access Verification
Username:
Jul 5 18:16:48.329 METDST: AAA/BIND(00000035): Bind i/f
Jul 5 18:16:49.493 METDST: AAA/AUTHEN/LOGIN (00000035): Pick method list 'default' adsf
Jul 5 18:16:56.382 METDST: AAA/AUTHEN/LINE(00000035): FAIL - Line password not found
% Authentication failed
Username:
Local authentication method is being bypassed.
If I configure a password under line con 0, I've access regardless of the username, so no local authentication is being enforced as well.
Thanks.

Help with configuring AP-1240AG as local authenticator for EAP-FAST client

Hi,
I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
dot11 lab_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
radius-server local
eapfast authority id 0102030405060708090A0B0C0D0E0F10
eapfast authority info lab
eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
Here is the Windows XP client configuration:
Authentication: Open
Encrpytion WEP
Disable Cisco ccxV4 improvements
username: georges
password: georges
Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
*Mar 4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: ssid              [263] 19
*Mar 4 01:16:56.701: RADIUS:    [lab_test]
*Mar 4 01:16:56.701: RADIUS:   65                                               [e]
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: interface         [156] 4
*Mar 4 01:16:56.701: RADIUS:   38 32                                            [82]
*Mar 4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
*Mar 4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
*Mar 4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
*Mar 4 01:16:56.702: RADIUS(00001F5C): sending
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
It seems that the radius packet that the AP receive is not what is expected. Do not know if the problem is with the client or with the AP configuration. Try many things but running out of ideas. Any suggestions would be welcome
Thanks

Hi Stephen,
I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
Thanks for your help
Stephane
Here is the complete configuration:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Lab
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 lab_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid lab_test
traffic-metrics aggregate-report
speed basic-54.0
no power client local
channel 2462
station-role root
antenna receive right
antenna transmit right
no dot11 extension aironet
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
channel dfs
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 10.5.104.22 255.255.255.0
ip default-gateway 10.5.104.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
eapfast authority id 000102030405060708090A0B0C0D0E0F
eapfast authority info LAB
eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end

Question on H-REAP local authentication

Hi Guys,
I am having some trouble understanding local authenticaiton for H-REAP APs with 802.1x authentication and wonder if this is a supported feature, when the AP enters into local auth/local switching mode when the WAN link is down or controller is not reachable.
in the configuration guide, it says:
==================================
When a hybrid-REAP access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the "local authentication, local switching" state and continue new client authentications. In controller software release 4.2 or later releases, this configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication types require that an external RADIUS server be configured. You can also configure a local RADIUS server on a HREAP access point to support 802.1X in a standalone mode or with local authentication.
=====================================
also from the diagram provided in the configuration guide, there is a RADIUS server on the remote site, which might indicate 802.1x authentication is supported when the link between H-REAP AP and controller fails.
however from the "enterprise mobility design guide 4.1". it seems 802.1x auth is not supported for H-REAP APs in local auth / local switching mode.
can you please clarify if this is a supported feature or not?
also with the latest WLC image 7.0.116.0, there is one more check box called "local auth" under "advanced" WLAN option, is this button introduing some new features compared with previous 7.0.98.0 release? what would be the difference compared with only "local switching" configured as in previous release?
when we use local authentication, under local switching / local auth mode, with H-REAP group configured, if 802.1x is supported under this mode, do I just add the local radius server information on the WLC and select it as primary radius server in the H-REAP group for local 802.1x authentication? and the authentication process would be local RADIUS --> local database?
thanks in advance for your help.

so if we need a local RADIUS server to do the authentication, we only
need to check the "enable AP local authentication" box under H-REAP
group configuration, and configure H-REAP APs as AAA clients in the
RADIUS server, and we add all H-REAP APs in RADIUS server? Right..also
I noticed there is one more button "H-REAP Local Auth" under WLAN
advanced tab, this button is not availabel in previous releases, so what
extra function does this option introduce compare with previous
releases? Unfortunately, I cant remember that one and I dont have a WLC at hand right now.Usually all new features are reported on the release notes for each version.Thanks in advance for your time and help.
Sorry fot my delay I forgot to answer you before :-s

Policy agent 2.2 amfilter local authentication with session binding failed

Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
     Status      : FORBIDDEN
     RedirectURL     : null
     RequestHelper:
          null
     Data:
          null
-----------------------------------------------------------

Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, we I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip

EAP-FAST, local Authentication and PAC provisioning

Hi everybody,
I have a litte understanding problem with the deployment of EAP-FAST.
So here's the deal:
I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
Would server sided certificates resolve my concerns here?
I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
Thanks in advance!

From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
Is that what you are trying to get clarification on.
Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
Sent from Cisco Technical Support iPad App

What do IPSEC mean under Security - AAA - Radius - Authentication

I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
The default value is unchecked."
What is exactly mean by IP security mechanism?
Does this mean that I can terminate VPN client over my WLC?
Take note that this options appeared even though no crypto card installed in my controller.

This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
HTH,
Steve

Create users in OID or update FND_USER to do the local authentication

Hi,
We have changed the OID sever for an 11i instance
Hence I think some users who were in the old OID server are not present in the new one
And the FND users of 11i are not able to get authenticated
Shall I
- Create the user in new OID server - Configuration tab of http://server/oiddas doesnt allow me to do that
How ?
Any API ?
- Export / import from the old OID server to new one ?
If yes, which tables
- Can I update FND_USER to do the local authentication and not go thru OID/ SSO ?
Thanks
- Pooja
I have posted the question in Application Server - General forum also

Metalink note 233436.1 and 186981.1 should be of some help.
You can change to local authentication by setting two profile options
Applications SSO Login Types set to Local
and Applications SSO Type to SSWA
You may have to reset the users password if it has been set to EXTERNAL

WLC 5508 Local Authentication- need guidance

Hi formers'
i have the combo of WLC 5508 (ver 7.0) and AP1041n, just want to ask how i can do local authentication.
The environment don't have ACS, no directory services ( AD or LDAP).
Requirement:
say, i have one WLAN name "admin". Where-ever if user want to connect to this SSID, they need to prompt username/password,
user's entry is store at WLC.
i create the user at local net user, and map it to appropirate WLAN.
at the WLAN, i enable local EAP and select the profile that i create.
PROBLEM STATEMENT:
The moment i test, it always prompt to input EAP-TTLS domain\usename. password (token)
Question
a. any goes wrong with my setting? how really local authentication work with no ACS and directory services running at the back?
b. can please post any useful document URL or any supportive info, it will be very helpful
Thanks
Noel

Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
You could also follow the WLC config guide in the "Local eap" chapter.
The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast

H-REAP Local Authentication eap-fast not working

Hi, I'm using a central Radius Server and have leap and eap-fast working fine, but when the wan link fail(local authentication) the new user that try to conect via leap get authenticated but eap-fast fail.
any ideas?. Im using wlc 5.01

If your radius is centrally located and your WAN links goes down, any authentication thats need to go back centrally will fail, unless you have local authentication. Don't know why LEAP would still work if authentication to the radius server has stopped.
Howerver, if you are using local EAP configured on the WLC, then you still will fail authentication because your wlc is centrally located.

AP1240AG Local authenticator

Hi, I am facing some problems configuring an AP1240AG as local authenticator with microsoft win200\xp clients. Is it possible to use this that type of authentication also with non-cisco clients? Thanks a lot for ant response.

I think you need to filter these clients by mac-address.

Local Authenticator

I'd like to know the exactly configuration of local authenticator on a AP1100.
I try the configuration found on cisco documents, but it dosen't work.
In particulary i use a AP like a RADIUS SERVER.
Thanks
NP

I tried it on a 1200 and it worked. Also, you can use the help from the web page related to configuring the local RADIUS server.
ME

Wlc flexconnect wlan local authentication and central web authentication maximum rtt

Hi
From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
Is this limitation refer to web authentication also?
Thanks
Anyone???

Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!

AAA local authentication

Similar Messages

Maybe you are looking for