ISE 1.2 Guest Access session expired

Similar Messages

• ISE 1.2 Guest Access for EAP(Dot1x) Authentication

  Hi.
  I want to use encryption for guest access. 
  In order to use the "RADIUS-NAC" in the WLC, you can not use or "Open + MAC" only "WPA + dot1". 
  (Specification of the WLC) 
  When the "Open + MAC", return from the ISE at the time of the "Web Authentication" in the "Session-Timeout Attribute", I was able to forcibly disconnect the radio. 
  (Attribute is the same value as the (ISE TimeProfile) time the guest user can use) 
  If you connect to a wireless terminal to forced disconnect after screen of Web authentication is displayed, you can not login. 
  (Because the account has been revoked) 
  I want to make even dot1x this environment. 
  However, because it becomes the "re-authentication time" If dot1x, as long as the terminal is connected to the radio, it is not cut. 
  In addition, even in the setting of "Attribute Termination-Action = Default", does not return until the Web authentication. 
  (Status of the WLC remains "Auth Yes") 
  (Session of the ISE remains "Started") 
  Use the (EAP) Dot1x, Can I "is allowed to forcibly disconnected," "to match the time of TimeProfile" in the same way as "Open + MAC" thing? 
  Thank you.

  Note：
  Cisco ISE:Version1.2.0.899-8
  Cisco WLC(5508):Version 7.6.120

• ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

  Hi all.
  I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
  We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
  Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
  I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
  So I ask:
  What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
  Is there any Cisco documentation that talks about this?
  Possibly related:
  https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
  Justin

  Tim,
  Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
  For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
  modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
  modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
  reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
  The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
  PM me if you want the code. I'm have a little too much going on ATM to sanitize and post it. :)
  Justin

• Wireless guest access with CWA and ISE using mobility anchor

  My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
  When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
  When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
  Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
  I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
  When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
  To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

  FOREIGN
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID = 255,
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

• WLC and ISE guest access COA

  We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication.  ISE attempts to send it but nothing changes on the WLC.  The message in ISE is Dynamic Authorization failed and a message that ISE didn't receive a response from the NAD, verify communication.  What is odd is the original guest request comes in from the IP address of the service port on the WLC but anything doing with the COA is seen from the management.  I have both IP's defined for the device in ISE.  I am about to do a session reauthentication within ISE and the WLC applies the changes.  I have verified that RFC 3576 is enabled, but the show radius rfc3576 stats shows no values.  The WLC is running 7.6.130.  I have attempted to debug on the WLC side to see if the message is even being delivered but non the debugs i have attempted seem to offer any good information.
  Anyone have any suggestions?  
  Thanks,
  Joe

  Hi Joe,
  I dont really know what you are trying to do with the COA , as it is used in the CWA solution and BYOD solution as well. But even before trying that , I would advise you to go step by step and solve the n/w issue first. You are able to see the request from service port which should not happen because then the incoming/outgoing traffic takes different path. You must be facing this situation as you might have some network routes matching ISE subnet/Ip address in the GUI>Controller>Network routes as there is no need of those routes. If the service port needs to be used during controller down scenario then use a laptop in the same subnet of Service port ip and connect to the service port.
  Regards
  Dhiresh
  **Please rate helpful posts**

• ISE with CWA and wired guest access via WLC Anchor

  Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
  We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
  So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
  It comes out as:
  https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
  So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

  The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

• ISE - Guest Access (without portal)

  Hi Guys,
  I have a customer who current is using the cwa portal for guest access. Corporate use will be added in the future sometime next year.
  Kit involved:
  5508 - Internal (Inside Net)
  5508 - Anchor (DMZ Net)
  ISE - Inside Net
  3600 APs
  Presently, guest user connects, anchored to DMZ 5508, issued IP address from server in DMZ and DNS redirect to the web portal from same server. guest logs in and internet access through ASA and then content filtering box.
  They want a solution whereby they do not have to use the portal for corporate user with their own devices such as ipads. I know BYOD is a possiblity but would involve using a CA server on the inside of the network. This is not something I'm keen as it opens a channel from the guest network directly to their AD infrastructure.
  I'm leaning toward PEAP authentication atm using a GoDaddy SSL cert that is already installed. This would bypass the portal system and only involve client devices being configured once.
  Is there any other option that would be simple to setup as this is on a limited timescale ?
  Cheers,
  Nick

  Nick,
  They want a solution whereby they do not have to use the portal for  corporate user with their own devices such as ipads. I know BYOD is a  possiblity but would involve using a CA server on the inside of the  network. This is not something I'm keen as it opens a channel from the  guest network directly to their AD infrastructure.
  If you are referring to supplicant provisioning, the scep enrollment request is proxied from ISE and the private key and cert is transferred to the endpoint. This doesnt require your guest network having direct access to AD....just to ISE.
  Tarik Admani
  *Please rate helpful posts*

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• LWA Guest Access with ISE and WLC

  Hi guys,
  Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
  1. Guests try to connect wifi with SSID Guest
  2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
  3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
  https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
  4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
  5. After that the Guest Login Page will appear, and guests input their username and password.
  6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
  The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
  I know it happened when guests didn't have the WLC Login Page Certificate...
  My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
  Thx 4 your answer and sorry for my bad English....

  Thx for your reply Peter, your solution is right,
  i don't choose CWA, because their DNS is not stable...
  i've found the problem...
  the third-party CA is revoked, so there is no way it will success until it fixed...
  and there is no guarantee, they will fix it soon..
  so solution that we choose is by disable "HTTPS" on WLC...
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable"
  thank you all...

• ISE to do wireless network guest access services

  Hi Forumers'
  I need to know how WLC can support ISE guest management in wireless mode.
  Tested and confirm by Cisco SE, Knowing that WLC currently does not support dynamic VLAN authorization for central web authentication. This limitation will be addressed in WLC 7.2 when MAB and CWA support is added to the code. On the other hand, DACLs on the other hand works and we can use that to restrict access of this guest traffic.
  So, option now is
  1. Can ISE support on WLC LWA guest access provision? This able to view guest user login and show at ISE monitoring.
  thanks
  Noel

  What you don't have at the moment with ISE and WLC is :
  -dynamic vlan asisgnement for webauth
  -the double-authentication (provoked by Radius CoA) required for central web authentication.
  For the rest, all is ok I think. So Local web authentication is supported. Either the webauth is handled by the WLC or you configured it as external on the WLC and the ISE acts as a guest portal.
  Guest users will be the guests you create on ISE, monitoring will happen etc ...

• Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

  Hi,
  I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
  The WLCs are running 7.3 and ISE is 1.1.1
  I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
  They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
  The credentials will be created by the sponsor, using the sponsor portal on the ISE.
  Now to the questions:
  Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
  Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
  When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
  As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
  Thankyou very much :-)
  Best Regards,
  Niels J. Larsen

  Hi,
  I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
  The WLCs are running 7.3 and ISE is 1.1.1
  I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
  They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
  The credentials will be created by the sponsor, using the sponsor portal on the ISE.
  Now to the questions:
  Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
  Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
  When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
  As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
  Thankyou very much :-)
  Best Regards,
  Niels J. Larsen

• ISE guest access - can't match on Optional Data fields

  Hi all
  I need to have 2 different types of guest users that will get different level of access with DACL / Airspace ACL
  I thought that best way to do that is simply matching one of optional data fields you can setup in Sponsor Portal
  Unfortunately as soon as I reference Optional Data field in Authorization rule I get no match. Can't also match on username which would not help anyway.
  getting redirected, login, getting redirected again etc.......
  This is affecting both wireless and wired.
  As soon as I remove that additonal condition from authz rule guest access works fine - getting redirected, log in, surf the internet.
  Is this is bug with ISE that you can't match guest optional data fields?

  Hi evnafets,
  You were right. How silly I am didnt see that small thing- but STILL PROBLEM IS UNSOLVED.
  [ore]
  java.sql.SQLException: [Microsoft][ODBC Microsoft
  Access Driver] Missing ), ], o
  r Item in query expression 'Post_Date LIKE
  to_date('04-06-2005',' dd/MM/yyyy''.
  Like it says, you have a missing ")" character
  rs=stmt.executeQuery("SELECT Name FROM
  NoticeBoardTable WHERE Post_Date LIKE to_date('"+
  date_str+"', 'dd/MM/yyyy' <--HERE NEED A CLOSING
  BRACKET ");
  When I did this it said to_date function is not available that because Ms-access doesn't have this function. Then I just changed the query to:-
  rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE "+ date_sql ); . Although it didnt generate any exception, but dont show any record.
  But even better would be to use a prepared
  statement.
  String sql = "SELECT Name FROM NoticeBoardTable
  WHERE Post_Date LIKE  ?";
  PreparedStatement stmt = con.prepareStatement(sql);
  stmt.setDate(1, date_sql);
  ResultSet rs = stmt.executeQuery();
  I had prepared statement in my final servlet, I made this one just to check why its not working on dates. Also on your advice I changed it to prepared statement. It runs fine but didn't show any record with date 04-06-2005 although I have it in my database (not generating any exception).
  I print the sql date throuht servlet just to check , its showing 2005-06-04. May be its formate problem.
  Thanks
  Regards

• Guest access with CWA on ISE

  Hi support community
  we just implemented CWA for wireless guest access using ISE. however we have an issue, the redirect URL is a name, not an IP address, and the guest dhcp scope use public DNS servers, so CWA doesn't work unless we set the company DNS servers.
  so my question... is there a way to configure ISE to send the ip address instead the name for redirection in CWA?
  Many thanks in advance...

  Hi, thanks for answering...
  Yes the problem is that public DNS servers obiously can't resolve ISE servers names. Additionaly the guest VLAN has an ACL blocking all the traffic destined to internal resourses with some exceptions (DHCP, DNS and ISE port for CWA).
  however, guest can access to some company services, but as if they were located on internet, ie through the public ip address, so if we use internal servers, they resolve the internal ip address and connections fails. the Muhammad suggestions could be the solution for the problem....but now is something to discuss with the DNS server administrator...
  thanks

• Guest Access - Easy creation of Guest-Vouchers

  Hi
  I have previous used WCS together with my WLC 2504 to create guest-users.
  Employees in the corporation can through their AD-Credentials log into WCS, and create guest users for the Wifi-Network.
  The WCS solution for creation guest users is however to complicated and many users choose to call our helpdesk insted of self-service. Other users create guest accounts and set them to never-expire, I then manually have to clean up in the never-expire accounts later..
  We have 20 departments arround the contry, some bigger than others and therefore we don't have an reception in every department. Every employee should therefore be able to create guest-accounts themselves.
  I've tried to use "Captive Portal" by Pfsense but it just issue a lot of vouchers there need to be printed and distributed to the departments, its a kind old-fashion.
  The optimal solution would be a internal website where employees can log into. Here they could type their guests mobilephone number, and a 8 hour voucher wold be send by sms. Easy and end-user friendly.
  Another solution could be a website that create an 8 our voucher with one-click and then print the voucher (insted of sms)
  In WCS the users have to choose add-user - profile - controller list - expire time - etc etc before the login is created...
  Can anyone recommend a good solution for this, not to expensive. We don't got guest that often.
  Best Regards, Steffen.

  ISE have rich Guest management features built in to it. ISE guest services enable you to provide secure network access to guests such as visitors, contractors, consultants, and customers.Cisco ISE provides web-based and mobile portals to provide on-boarding for guests (and even employees) to your company’s network and internal resources and services.
  From the Admin portal, you can create and edit guest and sponsor portals, configure guest access privileges by defining their guest type, and assign sponsor privileges for creating and managing guest accounts.
  Check the following link for more information
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html

• ISE 1.2 Guest Report based on specific Guest IP Address

  Hi
  I have a simple requirement which I am not able to find the way. Maybe someone can help me out.
  I have a WLC / WiSM2 (7.5) Guest Controller and ISE 1.2 (Patch5) in production with only CWA for Guest Access.
  Since I should create a query based on the Guest's IP Address, I tried to find a way to do so. But the "Guest Activity" report is empty (I do not have a cisco ASA with URL logging in place).
  If I do a "Guest Accounting" Report, I am able to see the IP Address attribute per user (so the data is there). But there is no way to filter on that coloum (neither thorugh the filter button which only allows to filter on Endpoint ID and/or Identity, nor is there an option like in ACS 5.x to do an Interactive search).
  Any help?
  The Authentication tab would do the job as well, but there are no filterable time ranges....
  Thanks!

  If anybody get into the same isse, I got an answer from cisco to this, what I found out as well as a possible, but not very handy way:
  "A workaround is to configure a remote syslog target to capture logging category Administrative and Operational Audit and filter and parse the logs accordingly."