ISE 1.2 - CWA supplicant provisioning with anchor WLC

Similar Messages

• Not able to form EoIP tunnel with anchor WLC

  Hi all,
  I have a WLC at a remote site that is supposed to form an EoIP tunnel with 2 anchor WLCs located at a data center. From the site WLC and the anchor WLCs, the mobility show UP on both ends. Also I can ping to the mobility peers from each end. However, when I look into the client details on the remote site WLC, there is no Mobility Anchor IP address, which tells me that the EoIP tunnel between the site and anchor controller is not forming for some reason. Any idea what I could be missing?
  (WOHW-WC01) >show client detail 0c:3e:9f:ab:db:ed
  Client MAC Address............................... 0c:3e:9f:ab:db:ed
  Client Username ................................. N/A
  AP MAC Address................................... 0c:68:03:b9:44:70
  AP Name.......................................... WOHW-LAP016
  Client State..................................... Associated
  Client NAC OOB State............................. Access
  Wireless LAN Id.................................. 66
  Hotspot (802.11u)................................ Not Supported
  BSSID............................................ 0c:68:03:b9:44:72
  Connected For ................................... 1469 secs
  Channel.......................................... 6
  IP Address....................................... Unknown
  Gateway Address.................................. Unknown
  Netmask.......................................... Unknown
  IPv6 Address..................................... fe80::1c1a:e07c:dd48:bc7e
  Association Id................................... 3
  Authentication Algorithm......................... Open System
  Reason Code...................................... 1
  Status Code...................................... 0
  Session Timeout.................................. 0
  Client CCX version............................... No CCX support
  QoS Level........................................ Bronze
  802.1P Priority Tag.............................. disabled
  CTS Security Group Tag........................... Not Applicable
  KTS CAC Capability............................... No
  WMM Support...................................... Enabled
    APSD ACs.......................................  BK  BE  VI  VO
  Power Save....................................... ON
  Current Rate..................................... m7
  Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
      ............................................. 54.0
  Mobility State................................... None
  Mobility Move Count.............................. 0
  Security Policy Completed........................ No
  Policy Manager State............................. STATICIP_NOL3SEC
  >>> No Mobility peer IP address <<<<
  (WOHW-WC01) >show mobility anchor wlan 66
  Mobility Anchor Export List
   WLAN ID     IP Address            Status
   66          137.183.242.149       Up                              
   66          137.183.242.150       Up                              
  (WOHW-WC01) >show mobility sum           
  Mobility Architecture ........................... Flat
  Mobility Protocol Port........................... 16666
  Default Mobility Domain.......................... WOHW_ENT1
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0x9cbf
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 3
  Mobility Control Message DSCP Value.............. 0
  Controllers configured in the Mobility Group
   MAC Address        IP Address       Group Name                        Multicast IP     Status
   bc:16:65:f9:18:60  137.183.242.150  CIN_GUEST1                        0.0.0.0          Up
   e0:2f:6d:7c:42:20  143.27.201.52    WOHW_ENT1                         0.0.0.0          Up
   f8:72:ea:ee:a0:00  137.183.242.149  CIN_GUEST1                        0.0.0.0          Up

  It works now. I changed the NAC state to "Radius-NAC". Now the mobility hand-off is occurring. 
  (WOHW-WC01) >show wlan 66 
  WLAN Identifier.................................. 66
  Profile Name..................................... PGGuest
  Network Name (SSID).............................. PGGuest
  Status........................................... Enabled
  MAC Filtering.................................... Enabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Enabled
  Network Admission Control
    Client Profiling Status ....................... Disabled
     DHCP ......................................... Disabled
     HTTP ......................................... Disabled
    Radius-NAC State............................... Enabled

• GUest WLAN with Anchor WLC - roaming problems

  Hello,
  my wireless network consists in 3 WLC 4402 which manage 40 APs.
  I have a fourth WLC which I installed on my DMZ for guest vlan anchoring and web autentication.
  Everiting works fine but I have a problem:
  If my client associates with an AP and then I authenticate I'm ready to make traffic. As soon as my client roams to an AP managed by a differnt WLC I need to authenticate again. If I roam back to the first AP i need to reauthenticate.
  In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
  Thnks everybody

  Here are the output of show mobility summary.
  The last WLC is the anchor.
  WLC1
  Symmetric Mobility Tunneling (current) .......... Disabled
  Symmetric Mobility Tunneling (after reboot) ..... Disabled
  Mobility Protocol Port........................... 16666
  Mobility Security Mode........................... Disabled
  Default Mobility Domain.......................... mob1
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0x392f
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 2
  Mobility Control Message DSCP Value.............. 0
  Controllers configured in the Mobility Group
  MAC Address IP Address Group Name Multicast IP Sta
  tus
  00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
  00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
  WLC2
  Symmetric Mobility Tunneling (current) .......... Disabled
  Symmetric Mobility Tunneling (after reboot) ..... Disabled
  Mobility Protocol Port........................... 16666
  Mobility Security Mode........................... Disabled
  Default Mobility Domain.......................... mob1
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0x392f
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 2
  Mobility Control Message DSCP Value.............. 0
  Controllers configured in the Mobility Group
  MAC Address IP Address Group Name Multicast IP Sta
  tus
  00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
  00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
  WLC3
  Symmetric Mobility Tunneling (current) .......... Disabled
  Symmetric Mobility Tunneling (after reboot) ..... Disabled
  Mobility Protocol Port........................... 16666
  Mobility Security Mode........................... Disabled
  Default Mobility Domain.......................... mob1
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0x392f
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 2
  Mobility Control Message DSCP Value.............. 0
  Controllers configured in the Mobility Group
  MAC Address IP Address Group Name Multicast IP Sta
  tus
  00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
  00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
  WLCAnchor
  (Cisco Controller) >show mobility summary
  Symmetric Mobility Tunneling (current) .......... Disabled
  Symmetric Mobility Tunneling (after reboot) ..... Disabled
  Mobility Protocol Port........................... 16666
  Mobility Security Mode........................... Disabled
  Default Mobility Domain.......................... mob1
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0x392f
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 4
  Mobility Control Message DSCP Value.............. 0
  Controllers configured in the Mobility Group
  MAC Address IP Address Group Name Multicast IP Sta
  tus
  00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
  00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
  00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
  00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up

• ISE problem with EAP-TLS Supplicant Provisioning

  Hi All,
  I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
  The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
  The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
  Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
  Cheers,
  Richard
  PS - Also using WinSPWizard 1.0.0.28

  Hi Richard,
  This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
  Istvan Segyik
  Systems Engineer
  Global Virtual Engineering
  WW Partner Organization
  Cisco Systems, Inc
  Email: [email protected]
  Work: +36 1 2254604
  Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

• ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

  I'm trying to achieve the following for our employees, contractors and guest.
  Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
  contractors (ldap contractor group) -> webauth -> internet
  guest (internal ise db via sponsorportal) - webauth -> internet
  Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours. 
  employee (ldap employee group) -> webauth -> nsp -> internet
  In ISE i've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning Policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 
  I'm currently experiencing problems with clients and they describe their problem as portal loop. when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment i'm working remote and not able to replicate the problem myself. Any advice would be welcome and much appreciated. 
  Is there any available documention about the builtin attributes in ISE. I'm especially interested in network use EQUALS guest flow.

  Hi Patrick,
  I'm facing similar problem as yours , but on wired . My contractor (I name it vendor) is redirect to guest portal , and when they login they were redirected to the portal again.
  for the devices registration , I have set  the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 
  my authorization rules as follows :
  1- rules name : Vendor-wired  :  identity : registerddevices AND identitygroup: VENDOR  authorization profile: VENDOR-ACCESS
  2-  rules name : WIRED-CWA  :  identity : any  condition: device-type:SWITCH  authorization profile: CWA-PORTAL
  It looks like , when vendor is login , they are not hitting the first rule , although the device shows up in the registered devices , and the vendor account is in VENDOR identity group (local in ISE) , so they come back again to rules 2 , which redirect them to the CWA-PORTAL again .
  did you find any hint for this problem ?

• ISE 1.2 - MAB Guest and MAB Supplicant Provisioning

  In short trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor created credentials to gain access to Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and a NSP redirect but in this instancemy only real option is MAB. Could anyone provide me with an example of how they have approached this situation.
  I tried to to do CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (See flow below for BYOD redirect).
  MAB > CWA Redirect (AD credentials) > "2nd Auth"  = NSP Redirect

  Please disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
  Thanks

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working

  Hi there guys ,
  I was wondering if anybody else have the following problem:
  Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
  After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.
  ISE is version 1.2.1.198 patch 2.  WLC is running 8.0.102.14.
  Anybody experienced the same?
  MB

  I am also running ISE 1.2.1.198 patch 2 with 8.0.100.  I am testing with an iPad running IOS 8.1.  The device will register in the registration portal, but is not being classified as an IOS device within client provisioning, I believe.  It is getting profiled as a workstation even though all apple device profiles are enabled.  I have an authorization policy for registered devices, and ipad, iphone, ios devices to gain access to the network without going through posture assessment.  I then have my posture assessment authorization rules with apple IOS devices set for a ssid native supplicant profile.  I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal     ISE is not able to apply an access policy to your log-in session at this time.  Please close this browser, wait approximately one minute, and try to connect again".  It gives this message over and over.  If I turn off the posture checking authorization profiles, the IOS device is selected as a rule further down which tells me that ISE does not recognize it as an IOS device in the profiling or client provisioning.

• Central Web Auth with Anchor Controller and ISE

  Hi All
  I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
  I also have an ISE sat on the corporate LAN.
  Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
  DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
  I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
  My questions are:
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
  4. Is ICMP still blocked by the WLC until the web authentication is complete?
  Thanks.
  Regards
  Roger

  Hi Roger,
  Thanks for your brief explanation here are the answers for your queries.
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  Yes, you have to configure the ISE server address on the anchor WLC.
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
  Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
  4. Yes, ICMP will work only after the sucessful web auth is complete.
  Please do go through the link below to understand the Anchor-Foreigh Scenario.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  Regards
  Salma

• Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
  October 27, 2014 through November 7, 2014.
  The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
  Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
  Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
  Remember to use the rating system to let Craig know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
  (Comments are now closed)

  1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
  2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
  a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
  b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
  For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
  Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
  If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
  A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
  Regarding AD multi-domain support...
  Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
  Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
  When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
  In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
  Regards,
  Craig

• Guest Cert problems ISE and Anchor WLC

  I'm setting up new Guest Wireless, I have 2 internal foreign 5508 WLC's talking to 2 DMZ anchor WLC's. The guest connects to Guest SSID and the anchor controllers acts as a DHCP server, the Guest interface configured on the WLC is the in the range of the DHCP scope I've setup. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
  Guest SSID - is setup for Webauth and Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get cert problem because the cert is not trusted (its an Internal Cert), Guest logins in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
  In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
  1.1.1.1 is the Virtual interface of the Anchor WLC.
  How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
  My plan is to apply a External Cert on the ISE for Guests, that way they will automatically trust a cert from Geotrust for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor  Virtual Interface 1.1.1 . Why is the guest using the Virtual interface error 1.1.1.1. I've even added the ISE name of the cert to the Virtual interface, same problem, instead its just says  wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on anchor WLC, still doesn't work.
  Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
  https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

  I followed Richard's advice and started from scratch, removing LWA and implementing CWA -MAB. It didn't take too long to setup CWA and get authentication working, I appled a Preauth ACL on WLC's and on ISE under Authorization pofile (CWA)
  This is when the problems started happening, I was using the default ISE Authorization profile
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.which is not what I want, again the certificate is the server cert which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA, with Firefox or IE it would accept the cert and login so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser url.
  The next step I tried was to change the Authorization Profile to
  (wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
  cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
  I applied the change and the new page appeared on the users laptop, great, but this time users were declined access via live Authentications, reason "Cannot login due to session id expiry, please login a again", I created a new user a/c, same problem. Not good. Ok so I thought well if I want clear all these stale session id's that appartenly exist I'll stop/start the application which I did from the command line, still the same error "Cannot login due to session id expiry". hmmm, whats going on here.
  I then rebooted the ISE (this must clear all the sessions!), reboot I performed from home and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message "Error: cannot reset password this can only be performed on Standalone or Primary node" Well what have I done, just rebooted ISE nothing else apart from changing authorization profile. This box is a Standalone node. Without seeing if the clients connect due t no GUI access, I have referred this issue to TAC!
  Also I don't like the fact that your have to install a external cert against the internal node name, epsecially when its external. But again I haven't reached this part yet.

• ISE and Anchor WLCs?

  Hi All,
  I'm trying to put together a Guest WLAN setup and want to know the best approach.
  If I use ISE for Guest portal/access control do I still have the standard setup of Anchor WLCs in DMZ for the guest WLANs?
  Or does the ISE tell the internal WLC's to place the allowed guest users onto a guest VLAN accessible to the internal WLCs?
  Do I lose anything with ISE compared to the old WCS/WLC guest portal methods?
  Any thoughts would be appreciated.
  Thanks,
  Brendan

  Brendan,
  From my experience you still should use a dmz guest anchor controller. The only difference is the ports you will need to open on the FW between the guest anchor and ISE. Now you can still do this without a guest anchor if there isn't an existing one or one not planned for.
  Thanks,
  Scott Fella
  Sent from my iPhone

• [OIM] Error in Direct Provisioning (with auto save form) - GTC DB App Table

  Hi,
  I am getting an error when setting up direct provision of a GTC DB App Conn using OIM access policy (and group membership) or through manual provisioning with prepopulate and auto save form.
  Manual provisioning with prepopulate ONLY (not with auto save form) WORKS!!!
  Some information about my OIM config:
  - Prepopulate adapters are set up on both forms (parent and child)
  - "Auto prepopulate" and "Auto save form" are set up at Process Definition
  - For direct provisioning, I have created an access policy with an associated group which has a membership rule
  What it is working:
  - Provisioning manually, using prepopulate adapters only, not auto save form. Both tables are updated properly
  - All *3 tasks are called and finished with status=Completed*: "System Validation", "Create User" and "Child Table UD_<connector child table name>_US row Inserted"
  Testing direct provisioning:
  - I have tested adding the resource manually with prepopulate and autosave form configured, and also through access policy/group membership. The error is the same on both tests
  - The resource is displayed as provisioned and it is created an entry in the parent table of the resource, but not on child table
  - I also observed that only: "System Validation" and "Create User" tasks were executed (status=Completed). But it is missing the task "Child Table UD_<connector child table name>_US row Inserted"
  - The error log info displays only an error regarding to UGP table (Groups info) but I am not sure if that is the cause of entry creation on child table.
  It seems the SQL stmt tries to get ugp_name (group name) using ugp_key but that has null value.
  "SELECT ugp_name FROM ugp WHERE ugp_key=java.sql.SQLSyntaxErrorException: ORA-00936: missing expression"
  Note: When testing manually (without auto save form), I got "SELECT ugp_name FROM ugp WHERE ugp_key=1" which it is the same SQL stmt but the value is provided.
  My guess:
  - It seems that error is aborting the whole execution process so "Child Table UD_<connector child table name>_US row Inserted" task does not run, even though previous tasks are finished with the status=Completed. Consequently, the entry is not created on child table.
  Please, any guess or help would be very helpful. In case nothing works, I guess I will have to create and customize a "Update child Form" task as an workaround which would be called after "Create User" task.
  Regards,
  Hugo
  My environment:
  - Windows 2003, WebLogic 10.3.0.0, OIM 9.1.0.2 BL4, Oracle 10g, Java 1.6, DB App Table Connector 9.1.0.2 (from October 2009)
  - Target Resource: Parent and Child Table (Oracle 10g - the same OIM DB)

  An update:
  I solved that error about "ORA-00936: missing expression" applying OIM 9.1.0.2 BP05. That was not impacting my issue regarding direct provisioning with auto save form and child form.
  So please if anyone can confirm:
  - Can I set up prepopulate adapters on child forms AND also use "auto save form" on GTC DB App Table connector?
  If not, any suggestion?
  Regards
  Hugo

• Irregularity with anchor behaviour - inserting anchors in anchored frames

  I am experiencing irregular behaviours with anchors and I'm not sure if it's a glitch or something I am overlooking. Sometimes it works, sometimes it dosen't, and I can't tell what is causing the difference.
  What I want is an anchored text fram to a main body text - which is an imag caption - and from this text frame I create a new anchored image frame, in which I put the image I am referring to in the caption. Sometimes this process works smoothly, while other times, when I go to insert the anchor in the anchored text frame it re-routes me back to the main body text from where I came. I have tried different insertion points within the anchored text frame, but nothing seems to solve the problem in this scenario....
  any ideas?
  thanks!

  Kat,
  I hope I understand your problem correctly.
  The paragraph containing the figure title is positioned in the side head with alignment set to Top Edge. Then that paragraph is followed by another paragraph, which of course is in the main text column, empty, and aligned at the top with the side head.
  With the insertion point in the second paragraph, import the image file. This puts the image below the line. Select the image, not the anchored frame, and scale it if necessary. If not created at the correct size, you probably want to scale it down to fit the width of the text column. Now press the key sequence Esc, m, p (note m and p are lowercase). The anchored frame shrinks to fit tightly around the image and changes it position to At Insertion Point. If you turn on Text Symbols, you will see the end-of-paragraph symbol at the lower right edge of the image, and the top of the anchored frame will align with the TOP of the side head text.
  You also have to be sure the line spacing of the paragraph holding the image is NOT fixed or Frame will move the image up.
  Hope this is what you need,
  Van

• Active state not working in scrolling site (with anchor links)

  I'm design a scrolling site with anchor links and an horizontal menu on the top.
  when i publish the site and click on the menu buttons the site scrolling to the place of the anchor but the active state in the menu is not working.
  now... when i leave the main page (were the scrolling site is) and then return back to it all active states are working perfectly
  anyone have this bug? or any one know how to fix it ?

  Hmmm...I've just been playing around, and I think I got the Active State to work correctly.  I think my problem was not understand what Active State means.
  To answer your question, I was changing the Font Color and Box Fill Color of the Active State.
  I did not understand that Active State means the look of the Menu Item when the PAGE is active.  I thought it meant the look of the Menu item when the cursor is scrolling down the Menu (i.e. when the MENU is Active, not the page).
  Look at this page for an example of what I'm trying to achieve...
  http://www.pgavdestinations.com
  When you hover over the "Work" menu item, and move the cursor down the menu, the state of "Work" remains changed until you move the cursor off of that menu column. It does NOT return back to it's Normal state until you are off of that menu column.
  Is there a way to achieve this with the menu states in Muse?
  Thanks for the replies!
  Dave.