AP WLC ISE AD

Hi,
We have the following issues on a wireless network running PEAP, authenticating on Active Directory through ISE 1.1.2:
Windows 7 laptops: (using native MS wifi drivers) Inconsistent connection attempts. Issue appears to be with certificate on ISE. If local validation is selected on the laptops, connection is mostly ok (security risk however), but if no validation selected, connection fails (Error is cert ' is not configured as a valid trust anchor') - could the 'Certificate Configuration' in this page be the right course of action:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic28
Nokia: The WLC does not appear to receive a valid username (&pass through to ISE) from the handsets and no amount of configuration changes on handset seems to resolve this
Apple devices: Connect OK, but when Domain password changed on a laptop on Domain Controllers/AD, the iPhone/Pad wireless authentication continues using old credentials, until a reboot or extended period of time (Email however seems to prompt for new password on Apple devices immediately upon change on DC/AD).
Windows XP (using Intel v12 drivers), Blackberry's and Android devices work well without issues.
Any suggestions appreciated.

On your first question. Are you vaildating the certifciate on the client ? If you are, the cert needs to be in the root store of the client to vaildate.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

  • How to Sync clock on WLC ISE and AD

    Hi there,
    I am stuck in NTP, deployed WLC CWA using ISE that is integrated with AD. I tried using AD as NTP source but no luck(universal fact that Cisco uses NTP where as Microsoft uses SNTP).
    The issue is, if time is not synced between WLC, ISE and AD; web redirection stopped working and no authentication takes place.
    I tried installting Meinbergglobal NTP software to distribute time to my Cisco devices. It does work with Cisco devices but it acts as master and do not sync its own time with AD.
    I am trying to figure out a way to sync Cisco with Microsoft, is there any way in this world to do so???
    Please help..
    Thanks in advance           

    You mean I should sync AD and all my cisco devices with global NTP server?
    Yes and no.  If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
    The smart thing to do is what George has described.  You select a few (between two to four) to go out to the internet to synchronize.  Normally I would nominate our core routers do this.  Next, all our distribution switches and core switches synchronize to our core routers.  All our servers, PCs, printers, WLC, switches  sychronize to our distro switches. 

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,

  • 5760 WLC & ISE 1.2 PEAP Issues

    I have the following setup:
    WLC 5508 (7.4.100)
    WLC 5760 (03.03.02)   (I'm replacing the 5508 with the 5760)
    ISE 1.2
    Im currently running 802.1x PEAP with external AD authentication, on the 5508 and everything is working 100%.
    As soon as I switch the users over to the 5760 I get the following errors on the ISE:
    Event
    5440 Endpoint abandoned EAP session and started new
    Failure Reason
    5440 Endpoint abandoned EAP session and started new
    Resolution
    Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
    Root cause
    Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
    I took the config of a working 5760, why would this one give the above errors ?
    Jaco

    Hello!
    Turn on debugs on your 5760 to track authentication activities. Most probably you'll spot the issue from them. If not - post them here, so we'll have a look as well.
    Thanks, Irina

  • Cisco WLC ISE integration issue

    Dear all,
    We have wlc 5508 and ISE integration, out wireless clients can connect to Guest or Corporate SSID
    When connecting to Corporate SSID, they can obtain IP address and successfully associate, to use internal service like (email, corporate service and etc) user need to download Airwatch agent and etc, but initially he can use ONLY internet connection, so the issue is client randomly reassociate, downtime of client less than a second, for example Android phone shows that periodically it disconnecting and reasociating again to SSID, i dont know if it is bug or some timers need to be configured, any ideas ?

    There is no problem with non-802.1x SSID
    The problem is on ISE timers ?

  • Off-Hours Alerting on WLC/ISE

    Dear Community,
    On a corporate enviroment, we are using a WLC Model 5508 along with a Standalone ISE for Wirelless authentication.
    I was wondering if it is possible to set time-based alerting (via the WLC ??), in order to receive e-mail notification from ISE (or WLC) when there is a mobile device connected on AP off-hours (for example after 7pm).
    Any comment is more than welcome.
    Thanks

    Hello Rasika,
    Thanks for your prompt response.
    Yes we have Prime Infrastructure 2. Actually my point is not to monitor a specific client, rather than activate an alert when the WLC has connections on "off-hours"
    Do you have any suggestion on this?
    Thanks

  • Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

    Hello,
    We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
    I have configured ISE and WLC to talk to each other which is working fine. An SSID with MAC-Filtering is also configured on WLC and ACL only allowing ISE and DNS traffice.
    I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    11027
    Detected Host Lookup UseCase (Service-Type = Call Check (10))
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - Internal Endpoints
    24210
    Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
    24216
    The user is not found in the internal users identity store
    24209
    Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
    24211
    Found Endpoint in Internal Endpoints IDStore
    22037
    Authentication Passed
    15036
    Evaluating Authorization Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - Guest Redirection
    15016
    Selected Authorization Profile - Test_Profile
    11002
    Returned RADIUS Access-Accept
    I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
    Can some one please either guide me the correct steps that I need to follow, if I have mis configured something or advise if this is a bug.
    Thanks in advance.
    Jay

    The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thank you for rating helpful posts! 

  • [WLC - CWA] [ISE] Wlan Portal with Local Switiching

    Description: Guest Portal ISE (WLAN) in a Flexconnect local switching enviorment.
    Problem: The communication stops everytime we turn on the feature Radius NAC on the WLC.
    We are trying to use Central WebAuth in a Flexconnect environment and with so the procedure that we are using it´s the one that´s available in the cisco DOCS ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) but there´s something occuring in my setup. I´ve configured step by step the WLC and ISE in accordance with previous DOC but I can´t establish communication everytime I turn on the feature RADIUS NAC in the WLC.
    All the ACL´s were configured, I can see the ISE policy beeing sent to the client but when the PC tries to establish the connection to him nothing leaves the PC ( a simple ping was done ). I´ve tried a bunch of setups to see if it was a misconfiguration or something else but at the end , everytime I trun on the NAC feature the final client looses all the comms to anywere.
    You can see in the following attachment the setup of WLC, and AP with flexconnect groups (I´ve also tried without a group but the final result was the same)
    We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can foun is a simple note stating,
    "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
    In the Flexconnect Feature Matrix the RADIUS NAC is supported in a local switching enviorment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html) but what  we´ve found out so far it´s  the other way around.
    Another thing that we´ve found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) cisco says that the "FlexConnect local switching is not supported."
    So, after seeing several docs my question is: Does Cisco support Radius NAC in a local switching environment ?

    Viten,
    tnx for the quick reply but,
    a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html) ?
    b) When I say comms stop is that I´m simple using ping as a test to see what happens in the client.Whenever I activate the radius feature the final client (laptop) ceases all comms in a local switching environment.
    BR,
    DS

  • Client Exclusion Policies on WLC not working with ISE as RADIUS Server

    Hi,
    for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
    Am I missing any settings here or do you have some tipps on how to troubleshoot this?
    Thanks very much!

    Hi Renata,
    If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
    If your Guest WLAN has the following:
    SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
    I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
    You can try and dull the noise a few ways.
    Option 1. create and ISE log filter on those alerts so they don't cluter the console.
    Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
    Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
    Option 4 - both 2 and 3
    The most effective option would be 3.
    Good Luck!

  • Cisco WLC Client MAC address backup to new Controller & ISE

    Hi All,
    We have an existing 4400 controller with MAC filtering for clients configured. Right Now, we are migrating to 5500 WLC and ISE setup.
    We want to use MAC filtering due to company policies on the new Controller as well as ISE.
    Is there a way (from GUI/CLI) that we can export the client MAC Addresses into an Excel file from existing WLC to new WLC & ISE?
    Thanks,
    CJ

    On the CLI issue a show macfilter summary and then import that into excel or a text editor.
    Sent from Cisco Technical Support iPhone App

  • ISE 1.2 - Dynamic Authorization Failed

    Hello!
    In my design network I use the ISE for CWA with a WLC, but when a client entrer his credentials, the CoA failed with this error : "11213 No response received from Network Access Device after sending a Dynamic Authorization request"
    This error is really strange because I can contact the ISE from the WLC. My ISE, and my broadcasted network are in the same VLAN, is it possible that this error come from this network architecture?
    My is is patched with the cumulative patch 7 and for information, I can do a "manual CoA" by disconnect/reconnect the client manually and after that the client has a network access.
    Used configuration for ISE and WLC : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thanks in advance if you have the least clue to resolve this issue.
    Kévin

    I will perform some additional testing and let you know my results.  I have this setup in the lab now with ISE 1.2 Patch 7 as well.... Since I only have a couple of PC's in the lab, I've noticed that I am unable to terminate the users session manually.  So I usually end up stopping and restarting the services. This is how i clear my live sessions.
    Is your setup in a Lab or Production?  If its in a lab can you restart ISE and your WLC.   I know when I first did my "debug client <mac>" My airespace ACL was showing the incorrect ACL ID.  After a reboot of ISE and recreating my WLC ACL it went away.   I haven't noticed my service IP ever showing up in ISE.  I usually see the users MAC address then a [email protected] "User Authentication" with his IP.  Next its the WLC MNGT Interface and finally the User Authorization again show Authz Internet-Only.
    My lab does not always function 100% so I am hoping after we go Live this weekend,  these flaky issues go away.  One of my problems is I don't have internet access.  Just a web server hosting a web page. I'll keep notes on anything I find that hopefully assist you.

  • ISE 1.2: Airspace ACL vs DACL

    Can someone please shed some light here:
    I have a 5508 WLC & ISE 1.2.   I configured Guest Access through the use of a Sponsor Portal, and got it working.
    I now want to restrict my Guest users to access the internet only and not the rest of my network.
    Do I do that using a Airspace ACL & an Access List on my WLC or a DACL on my ISE box.
    I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither work.
    Any advice please.

    In ISE, dACLs are only applicable to switches.  They are ineffective with wireless connections.
    An Airespace ACL is the way to go and it looks like you got it working.
    The ACL should be:
    permit Inbound for any to the ISE IPs and permit outbound from ISE to any.
    deny any to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 inbound (or just to your internal IP space)
    permit any to any  in any direction

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    i think you need to recheck the configuration also check the link for step by step config
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • ISE CWA FLEXCONNECT - No url redirect

    Hi,
    I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
    Unfortunately I'm running into problems.
    The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface. 
    Vlan 2 is a guest network terminating on a separate interface in the ASA.
    The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
    I've followed the following guides:
    http://www.drchaos.com/flexconnect-local-switching-guestbyod/
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
    Currently I'm at work but I can provide some debug output later. 
    Have anyone seen this behavior before?

    It is possible that you are hitting the following bug:
    https://tools.cisco.com/bugsearch/bug/CSCue68065
    One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
    1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
    2. The standard ACL does not have to have any ACE in it
    I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try. 
    Thank you for rating helpful posts!

  • CWA using Cisco ISE issue

    Good morning everyone,
    I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    But for the moment, clients can't seee the web portal. My WLC and my Cisco ISE are well configured as presented in the document, when clients connect to the AP, they are listed into the Cisco ISE with the good authorization profile but, the URL redirection doesn't work as well as I want, clients have to enter manually the IP address in the web browser to log-in trough the Cisco ISE.
    If anyone already had this problem, maybe could tell me more about that.
    Thanks in advance!

    Good news!
    I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
    I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
    Thanks all for your help !!!!

Maybe you are looking for