CWA with ISE and 5760

Similar Messages

• Cannot Open the URL of CWA with ISE

  Hi Folks,
  I have a problem when doing the CWA with ISE so that I can Provide the access of the network for the guests.
  Everything goes fine except the URL of the CWA: When the guests open the explorer and enter a domain after connecting the SSID, they will be redirected to the URL like "https://hostname.demo.com:8443/guestportal/..................." which starts with the hostname of the ISE and the domain-name of the ISE, but for us, we don't have any AD and LAN DNS for our network so that we cannot translate the hostname.demo.com into the IP of the ISE, so can I just change the URL into IP type like "https://10.10.10.70:8443/guestportal"?

  Screenshot of a screenshot (sorry) attached.
  Basically it's in authorization policy, allows you to use a static DNS or IP address

• WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

  Hi there,
  Is it possibe to use sleeping clients when using ISE and CWA?
  I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
  Or is the only solution to use LWA?

  Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
  And your users will be connected all this time even if they going in sleepmode
  be carefull with CPU loading

• CWA using ISE and mobility anchor

  My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
  When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
  When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
  Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
  I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
  When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
  To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

  FOREIGN
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID = 255,
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

• LWA Guest Access with ISE and WLC

  Hi guys,
  Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
  1. Guests try to connect wifi with SSID Guest
  2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
  3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
  https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
  4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
  5. After that the Guest Login Page will appear, and guests input their username and password.
  6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
  The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
  I know it happened when guests didn't have the WLC Login Page Certificate...
  My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
  Thx 4 your answer and sorry for my bad English....

  Thx for your reply Peter, your solution is right,
  i don't choose CWA, because their DNS is not stable...
  i've found the problem...
  the third-party CA is revoked, so there is no way it will success until it fixed...
  and there is no guarantee, they will fix it soon..
  so solution that we choose is by disable "HTTPS" on WLC...
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable"
  thank you all...

• Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

  Hi,
  Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
  Thanks in advance for any input!
  Tina

  Hi,
  I have an update for this quite broad question.
  I have now came a bit further on the path.
  Now the needed Radius Access Attribute are available in ISE after adding them in
  "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
  I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
  Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
  With that I could really see the attributes in the radius access requests going in to the ASA.
  Now looking at a request in "Radius Authentication details" I have
  Other Attributes:
  ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
  Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
  That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
  So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
  Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
  What could it be I have missed?
  Best regards
  /Mattias

• CWA on ISE and switches

  I was able to configure the CWA on the switch and Cisco ISE. It is working as expected. I followed the guide on the link bellow.
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
  I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.
  interface GigabitEthernet1/0/12
  description ISE1 - dot1x clients - UCS Eth0
  switchport access vlan 100
  switchport mode access
  ip access-group webauth in
  authentication order mab
  authentication priority mab
  authentication port-control auto
  mab
  spanning-tree portfast
  end
  ip access-list extended webauth
  permit ip any any

  Why ACL must be configured on the port on the switch
  Question:
  I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.
  What is Web Authentication?
  Web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/mab failure, the switch wills failover to the webauth profile and will redirect client traffic to a web page on the switch.
  Role of ACL:
  The redirectACL sent back with the central webauth profile determines which traffic (HTT or HTTPS) is redirected to the ISE. The downloadable ACL allows you to define what traffic is allowed. You should typically allow for DNS, HTTP(S), and 8443 and deny the rest. Otherwise, the switch redirects HTTP traffic but allows other protocols.
  Port ACLs
  Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction. These access lists are supported:
  •Standard IP access lists using source addresses
  •Extended IP access lists using source and destination addresses and optional protocol type information
  •MAC extended access lists using source and destination MAC addresses and optional protocol type information
  The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.  Figure is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
  Figure 31-1 Using ACLs to Control Traffic to a Network
  When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
  With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
  For More information, please check
  http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715468

• CWA with ISE 1.2 on WLC 7.6

  Hi,
  I referred to the below document from Cisco but still struggling to get the CWA working. The mab status is sucessfull, but the wireless user isnt getting an IP address. 
  the SSID prompts up with "unable to join network" while in the background the MAB authentication is successful.
  redirection acl's are set on the WLC but i don't see any hits on them.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
  any suggestions or expert advise is much appreciated.

  Hello,
  Can you publish here screenshot your policy sets authorization, and results profiles
  And, i try help you

• Open mode (monitor mode) with ise and catalyst switches

  Hi There,
  Anyone know if the following observation is correct ?
  From the TrustSec 2.1 "Monitor Mode" guide i get the idea that Open mode, is not really as zero impact in a data gathering part of an ISE deployment is a was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
  - Does this mean that regular methods like using CDP won't work to for this once i enable dot1x on an access switch port interface ?
  - And that i will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth(possibly multiple devices on one port) during the open mode period ?
  Regards
  Jan

  Hello Jan-
  Below is my input to your questions:
  From the TrustSec 2.1 "Monitor Mode" guide i get the idea that Open mode, is not really as zero impact in a data gathering part of an ISE deployment is a was expecting.
  Yes, a device is still allowed on the network even if it fails all authentication methods (MAB, 802.1x, etc). Basically you use monitor mode to perform discovery and see what would have been blocked had ISE been deployed in production.
  The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
  Yes, you can use profiling to do this. Keep in mind that you will need advanced licensing for this. Otherwise, you can either use MAB with static MACs imported/entered in the local database or EAP-TLS with phone certificates
  - Does this mean that regular methods like using CDP won't work to for this once i enable dot1x on an access switch port interface ?
  CDP will still work, in fact some of the profiling happens thanks to CDP, however, the device will simply not going to be allowed to get on the network and the Voice VLAN unless it passes authentication/authorization.
  - And that i will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth(possibly multiple devices on one port) during the open mode period ?
  This really depends on how secure you want your network to be
  Hope this helps!
  Thank you for rating!

• Wired Guest CWA with ISE

  Having a heck of a time getting this to work.
  First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
  If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
  My challenge is the Policies and where to insert.
  I'm using Policy Sets in ISE 1.2
  Currently, I have these statements in the Default Policy Set:
  Rule Name
  Conditions
  Permissions
  Wired Guest Portal Auth
  if Net Access:UseCase EQUALS Guest Flow
  Permit Access
  Wired Guest Redirect
  if Wired_MAB
  Wired CWA
  What i figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
  Couple problems:
  First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
  Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.
  Second challenge is that it forces the redirect whether i have the switch (NAD) in Monitor Mode or Low Impact Mode.  This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
  Does anyone have any insight, or a document laying out in step by step terms implementing this?
  thanks in advance.

  Hi Andrew! Yes, good job on fixing the portal issue!
  And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
  Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 
  Thank you for rating helpful posts!

• Guest WebAuth with ISE and WLC

  I have a couple of issues with this solution:
  a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of mistake configuration?
  b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.
  I think the second issue is in some way related with the first one.
  Thanks in advance
  Daniel Escalante

  I am trying to figure out the protocol sequence:
  1) The PC client gets IP address from the DHCP (anchor WLC in this case)
  2) When the browser is open and a HTML request is send, the WLC intercepts it and redirect to ISE
  3) Before the Guest Authentication Portal is displayed in the browser PC, an untrusted certicate message coming from the ISE should be displayed.
  4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed
  5) The user type in its credentials
  6) the Successful Login message is received with the WLC IP address
  7) the user is able to browse the internet
  The problem appears in steps 3 and 4. The untrusted certificate message is first showed with the WLC Virtual IP address and then with the ISE IP address.
  I think the message with the WLC address should not be sent, only the ISE message.
  In Step 6 the successful login message should indicate the ISE IP address, no the WLC IP Virtual address.
  I will appreciate your assistance to clarify the event sequence and proper functionality
  Thanks in advance.
  Daniel Escalante.

• CWA with WLC Firmware 7.0.228 and ISE 1.1.1

  Hi,
  Does Cisco ISE central web authentication supports on WLC version 7.0.228 ?
  My customer has many access points which are support only for firmware code 7.0.228.
  Cisco ISE version 1.1.1
  WLC 5500 Series but the existing access point is cannot support to 7.3
  Thanks,
  Pongsatorn Maneesud

  Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported on ISE on 7.0 and 7.2 versions of code:
  Scenarios                                                          WLC 7.0                                             7.2 
  802.1X Auth                                                     Yes                                                      Yes
  802.1X + Posture                                            Yes                                                      Yes
  802.1X + Profiling                                           Yes                                                      Yes
  Web Auth + Posture                                       No *                                                   Yes
  Web Auth + Profiling                                      Inventory only *                         Yes
  Central Web Auth(CWA)                               No *                                                   Yes
  Local Web Auth(LWA)                                   Yes                                                      Yes

• ISE 1.2 With WLC and AD

  Hi everyone,
  What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.
  The wireless network is configured with 2 SSID (Staff and Guest) 
  Active Directory, DNS, DHCP, and  NTP configured & synced.
  ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
  Please provide your thoughts and assistance.
  Regards

  You have to implement dot1x and radius between your NAD and ISE device.
  Using the switch 3850, that are the steps: 
  username RADIUS-HEALTH password radiusKey1 privilege 15
  aaa new-model
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  !this password will be used to communicate with ISE and to verify reachability
  !between ISE and Switch
  aaa server radius dynamic-author
   client 172.16.1.18 server-key 7 radiuskey
   client 172.16.1.20 server-key 7 radiuskey
  ip domain-name lab.local
  ip name-server 172.16.1.1
  dot1x system-auth-control
  interface GigabitEthernet1/0/3
   switchport mode access
   switchport voice vlan 50
   switchport access vlan 10
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  ip access-list extended ACL-ALLOW
   permit ip any any
  !the comm between radius and ise will occur on these Port
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  snmp-server community ciscoro RO
  snmp-server community public RO
  snmp-server trap-source Vlan100
  snmp-server source-interface informs Vlan100
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 10 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  !defining ISE servers
  radius server ISE-RADIUS-1
   address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
   automate-tester username RADIUS-HEALTH idle-time 15
   key radiusKey
  Please be sure that NTP servers and time are synchronized. 
  enable dot1X on windows machine, or using cisco NAM. 
  you can enable debugging on aaa authentication to see the events. 
  you have to create this user on ISE (RADIUS-HEALTH). 
  3850#test aaa group radius username password new-code 
  and observe the result. You are supposed to have user authenticated successfully. 
  You Must also have define these device in ISE on the radius interface.
  ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE. 
  administration-->network resources -->Network Devices-->Add
  input the name
  input the Ip address for radius communication
  select the authentication settings and field the corresponding shared secret radius key
  select snmp settings and select version 2c. 
  snmp community : ciscoro
  you can customize the polling interval if you want and that all. 
  you are supposed to received message communication between your NAD and ISE. 
  After you can do the procedure for WLC device. 
  I will fill it after you have passed the first steps (3850 authentication). 

• ISE and Citrix Netscaler for LB

  I'm working on a solution where we have NetScaler load balancers distributing radius requests from the NADs to respectvie PSNs. Authentication works and redirect URLs work etc.. The challenge we're having is with EAP-TLS sessions. The user get's a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication that has been configured from the same internal CA within the customers PKI.
  Has anyone configured a NetScaler for use with ISE and besides the general guidlines below are there more specific things that need to be done to make this work with Citrix NetScalers?
  Load Balancing guidelines.
  No NAT.
  Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
  Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
  Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
  Session-ID is recommended if load balancer is capable (ACE is not).
  VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
  Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
  If ”Server NAT" the PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
  Load Balancers get listed as NADs in ISE so their test authentications may be answered.
  ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.

  Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
  1) Event & Failure reason "5436 RADIUS packet already in the process"
  then
  2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
  The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
  Any help would be greatly appreciated!
  Cheers!
  Ken

• ISE and UC

  hello all,
  We're currently implementing Cisco Unified Communications side to side with ISE.
  there is a profile set on ISE for the phones.
  however we're experiencing a few issues with ISE and phone registration
  I'm not the expert on ISE. I'd like to know what is the best practice for ISE when you have cisco UC as well.
  any help will be greatly appreciated
  thanks
  Cris

  Please check below which will be defiantly helpful for you in  configuration of Cisco IP Phone between the Test-PC and port 5 on  Sw1 and its MAC address to the ISE
  http://www.ecdos.com/sharzi/INE%20CCIE%20Security%20V4%20Technology%20Lab%20Online%20Workbook/Section%204%20Identity%20Management/ISE%20and%20MAB.pdf