ISE 1.2 with AD

i have starnge issue but i think it is related to windows machines , i just want to know if any one faced it in ISE deployment.
the ISE authentication logging receive the machine name(identity) as "mac address" then when ISE ask AD for it , it will not find it and then drop the machine.
i tried to disjoin the pc from domain and join it again the issue resolved for some time but appeared again after several days.
Thanks,
Ibrahim

Configuring Active Directory as an External Identity Source:
• Ensure that Cisco ISE hostnames are 15 characters or less in length. Active Directory does not validate hostnames
larger than 15 characters.
• Ensure that the Microsoft Active Directory server does not reside behind a network address translator and does not
have a Network Address Translation (NAT) address.
• Ensure that the Microsoft Active Directory administrator account is valid, which is used for the join operation and it is
not configured with Change Password on Next Login in Microsoft Active Directory.
• To perform the following task, you must be a Super Admin or System Admin.
Note:
Even when Cisco ISE is connected to Active Directory, there may still be operation issues. To identify them refer to
the Authentication Report under Operations > Reports.
You must complete the following tasks to configure Active Directory as an external identity source.
• Connecting to the Active Directory Domain
• Enabling Password Changes, Machine Authentications, and Machine Access Restrictions
• Configuring Active Directory User Groups
Please check the below guide which may be helpful for you
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1316139

Similar Messages

ISE 1.2 with MDM intergration

Hi, I'm trying to intergrate with Zen MDM.
has anyone seen this issue ?
there is no mdm policy to configure in ISE, as I know, but it keeps me to redirect to that page.
I already added MDM server in administration -> network resources -> MDM
and when I ping and nslookup, i can successfully ping and lookup the ip address of mdm.
Thank you.

jiyoung,
There are ACLs to be created on the WLC, Authorization Policies and Profiles on the ISE.
For a good understanding of what needs to be done to get this fully configured, go here:
http://wikicentral.cisco.com/display/VTANDGOLD/ISE+1.2
and choose the GOLDlab: ISE 1.2 - BYOD-MDM Lab on the right side for Partner Education.
If you cannot log in, your Account Manager can get you access. This is a really thorough walk-through of configuring the ISE to connect with a third-party MDM server and it lets you do all the configuration.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton

Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

Hi
Can Anybody can update whether ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
has succeed in command level accounting on Cisco ISE ..
Please update
Cisco ISE doesn't have TACACS feature ...

Command Accounting is a TACACS+ feature so not for ISE....yet.
However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory. The notify syslog is what sends it via syslog.
conf t
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
end
wr mem
Remember, syslog is clear text :-) log away from user traffic when possible. Or use TLS based syslog when possible.
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate post you consider useful.
-James

[WLC - CWA] [ISE] Wlan Portal with Local Switiching

Description: Guest Portal ISE (WLAN) in a Flexconnect local switching enviorment.
Problem: The communication stops everytime we turn on the feature Radius NAC on the WLC.
We are trying to use Central WebAuth in a Flexconnect environment and with so the procedure that we are using it´s the one that´s available in the cisco DOCS ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) but there´s something occuring in my setup. I´ve configured step by step the WLC and ISE in accordance with previous DOC but I can´t establish communication everytime I turn on the feature RADIUS NAC in the WLC.
All the ACL´s were configured, I can see the ISE policy beeing sent to the client but when the PC tries to establish the connection to him nothing leaves the PC ( a simple ping was done ). I´ve tried a bunch of setups to see if it was a misconfiguration or something else but at the end , everytime I trun on the NAC feature the final client looses all the comms to anywere.
You can see in the following attachment the setup of WLC, and AP with flexconnect groups (I´ve also tried without a group but the final result was the same)
We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can foun is a simple note stating,
"Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
In the Flexconnect Feature Matrix the RADIUS NAC is supported in a local switching enviorment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html) but what we´ve found out so far it´s the other way around.
Another thing that we´ve found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) cisco says that the "FlexConnect local switching is not supported."
So, after seeing several docs my question is: Does Cisco support Radius NAC in a local switching environment ?

Viten,
tnx for the quick reply but,
a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html) ?
b) When I say comms stop is that I´m simple using ping as a test to see what happens in the client.Whenever I activate the radius feature the final client (laptop) ceases all comms in a local switching environment.
BR,
DS

How to specify in the ISE mac-address with its description?

Hello :-)
I want to implement ISE 1.2.
We have a database of mac-addresses and their description (for example the phone with the Mac address, John).
When connecting the phone John to a wifi network, WLC checks its mac-address in the database and allows access.
How to specify in the ISE Mac address with its description?
In the endpoint settings in ISE 1.2 there is no description field. We have ISE1.2.1.198, vWLC 8.0.100, AIR-LAP1131, MS AD (Win2003).
How can I handle this situation? Any ideas?

This link http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_network_devices.html about managing network devices(router,switch), not endpoints(phone, notebook).

ISE 1.2 With WLC and AD

Hi everyone,
What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards

You have to implement dot1x and radius between your NAD and ISE device.
Using the switch 3850, that are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
enable dot1X on windows machine, or using cisco NAM.
you can enable debugging on aaa authentication to see the events.
you have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. You are supposed to have user authenticated successfully.
You Must also have define these device in ISE on the radius interface.
ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE.
administration-->network resources -->Network Devices-->Add
input the name
input the Ip address for radius communication
select the authentication settings and field the corresponding shared secret radius key
select snmp settings and select version 2c.
snmp community : ciscoro
you can customize the polling interval if you want and that all.
you are supposed to received message communication between your NAD and ISE.
After you can do the procedure for WLC device.
I will fill it after you have passed the first steps (3850 authentication).

[Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

Hi everyone,
After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the mac address of the AP it´s no visible in the "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
Let me show you what I have,
interface GigabitEthernet1/0/3
description AP
switchport trunk native vlan 999
switchport mode trunk
trust device cisco-phone
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
############################################# switch model - 3850 ##################################################
SW1#sh mac address-table interface GigabitEthernet1/0/3
          Mac Address Table
Vlan    Mac Address       Type        Ports
SW1#sh dot1x interface Gi1/0/3
Dot1x Info for GigabitEthernet1/0/3
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 4
TxPeriod                  = 30
Switch Ports Model              SW Version        SW Image              Mode
*    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
############################################# Different switch model - 2960 ##################################################
interface GigabitEthernet1/0/1
description AP
switchport trunk native vlan 999
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
SW1#$cation sessions interface GigabitEthernet1/0/1
            Interface: GigabitEthernet1/0/1
          MAC Address: xxxx.xxxx.4a38
           IP Address: 172.18.1.170
            User-Name: xx-xx-xx-xx-4A-38
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A18129D000060E39DAE8A8A
      Acct Session ID: 0x0000725D
               Handle: 0x0F00028C
Runnable methods list:
       Method   State
       mab      Authc Success
       Switch Ports Model              SW Version            SW Image
     1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M
SW2#sh dot1x interface Gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 4
TxPeriod                  = 30
Am I doing something wrong?
BR,

I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :)
Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it.
Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it.
Thank you for rating helpful posts!

ISE EAP-Chaining with machine, certificate and domain credentials

Good morning,
A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
Corp. wireless to authenticate with 2-factor authentication:
•1. Certificate
•2. Machine auth thru AD
•3. Domain creds
When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
Clients are Windows laptops and corporate iPhones.
Certs can be issued thru GPO and MDM for iPhones
Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
My first question is: can this be done?
Second question: how would i implement this from an AuthC/AuthZ perspective?
Thanks in advance,
Andrew

You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
Good luck and keep in touch.
http://support.microsoft.com/kb/2743127/en-us

ISE Admin Access with AD Credentials fails after upgrade 1.2.1 to 1.3.0

Hello,
After upgrading ISE VM from 1.2.1 to 1.3.0.876, I can't connect on ISE with AD Credentials (Invalid Username or Password). It worked find before upgrading to 1.3.
On another ISE VM in 1.3.0.876 version (w/o upgrade) with this kind of configuration, it's OK.
I have double check the Post-upgrade tasks (particularly rejoining Active Directory). Everything worked find after this upgrade except the admin access with AD credentials.
I don't use user certificate-based authentication for admin access. So I didn't execute application start ise safe CLI.
My 802.1x wireless users passed authentication with AD credentials. So the ISE had correctly join my AD.
I didn't find anything related to this admin access with AD credentials failure in the output of show logging application ise and show logging.
I don't find anything related to this in bug search on Cisco tools.
I tried to :
- update the SID of my Admin AD Group, the result is still the same.
- delete my admin access with AD credentials configuration then make this configuration again, but still the same error.
Any ideas on this ? Could I find elements in another log ?
Regards.

Dear Markus,
After logging as user "prdadm"
su - prdadm
bssltests% bash-3.00$ ls -a
.                            .dbenv_bssltests.sh-old      .sapenv_bssltests.sh         startdb.log
..                           .dbenv_bssltests.sh-old10    .sapenv_bssltests.sh-new     startsap_.log
.bash_history                .dbsrc_bssltests.csh         .sapenv_bssltests.sh-old10   startsap_DVEBMGS00.log
.cshrc                       .dbsrc_bssltests.sh          .sapsrc_bssltests.csh        startsap_DVEBMGS01.log
.dbenv_bssltests.csh         .login                       .sapsrc_bssltests.sh         stopdb.log
.dbenv_bssltests.csh-new     .profile                     dev_sapstart                 stopsap_.log
.dbenv_bssltests.csh-old     .sapenv_bssltests.csh        local.cshrc                  stopsap_DVEBMGS00.log
.dbenv_bssltests.csh-old10   .sapenv_bssltests.csh-new    local.login                  stopsap_DVEBMGS01.log
.dbenv_bssltests.sh          .sapenv_bssltests.csh-old    local.profile                trans.log
.dbenv_bssltests.sh-new      .sapenv_bssltests.csh-old10 sqlnet.log
bash-3.00$
bash-3.00$
I have changed envt settings in .dbenv_bssltests.csh & .dbenv_bssltests.sh
.sapenv_bssltests.sh & .sapenv_bssltests.csh [4 files]
Regards,
Ankita

ISE 1.2 with CoA

Hi, It is really difficult to deploy 802.1x from scratch...
after provisioning for wired, shouldn't re-authentication occure ?? so the clients can authenticate with their USER ID/PW..
It is working with Windows, however, It seems not to work with MAC OSX..
when I use OSX, I have to click Connect and put credential. it is not like windows..
I dont know if it originally has a lot of issues, or it is because of new release, the clients do not have smooth transition from no authentication to 802.1X..
there are a lot to guide clients.... I know it will be just one time, but I did not want the clients to have no issues like this one..

Hi
Please go through this link at page no 516
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

EAP-TLS and ISE 1.1 with AD certificates

Hello,
I am trying to configure EAP-TLS authentication with AD certificates.
All ISE servers are joined to AD
I have the root certificate from the CA to Activie Directory installed on the ISE servers
I created the certificate authentication profile using the root certificate
I have PEAP\EAP-TLS enabled as my allowed protocol
I am getting the following error for authentication:
"11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed"
I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
Any other issues I am missing?
Thanks,
Michael Wynston
Senior Solutions Architect
CCIE# 5449
Email: [email protected]
Phone: (212)401-5059
Cell: (908)413-5813
AOL IM: cw2kman
E-Plus
http://www.eplus.com

Please review the below link which might be helpful :
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

ISE CWA WebAuth with WLC

Hi all,
I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
as the redirect page.
I'm using ISE 1.1.2 and WLC version 7.3.101
1- I have an issue authenticating with Chrome on W7 and android. I receive the splash page, i can authenticate but i always receive this error message. With IE and firefox i can accept and add an exception and authenticate successfully.

Hi,
Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
As far as certs if you are using mobile devices you may want to consider 3rd party certs.
Let me know if that helps.
Tarik Admani
*Please rate helpful posts*

ISE and Selfservice with single SSID

Hi, i have:
WLAN 2504 Controller with 7.2 Software
ISE 1.1.2
A single SSID with 802.1x Authentication
Today the wireless users are authenticated against an cisco acs. I want to switch to the ISE and make use of the mydevices portal. I want to re-use my single SSID and don't want to make any provisioning.
- The user connects to the single SSID
- The user configures peap authentication on his device
- The user authenticates to a ldap directory with username and password
- After successfull authentication the user will be redirected to the mydevices portal
- he logs in with his ldap credentials
- the mac address of his current device is listed in the mydevice portal
- user adds his device to the known devices list
- manual reconnect to my ssid
Is this possible with ISE? Is there a howto out there with exact this scenario?
Kind regards

Hello Andreas,
WLC 2504 supports CWA, CoA & dACL.
This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
Regards,
Ashok

ISE wireless CPP with redirect exclusions, possible?

Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

Sorry I had some personal issues to deal with and just got a chance to follow up on this. Firs of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
To answer your questions:
#1. You are 100% about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc
#2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
Hope this helps. If you issues are resolved please mark the thread as "answered"
Thank you for rating!

ISE Guest CWA with Smart Phones

I've configured the Guest Web Authentication in the ISE and I've tested and every thing is working fine. I got the redirect url, I could authentication and then got an access. However, If I got the redirect url and then disconnect from the guest SSID and connect to another SSID on the same WLC (not associated to the ISE) and then connect back to the guest SSID, I'm not getting the redirect url.
I've checked the ISE and I noticed that the radius session is not terminated if I disconnected from the SSID. I tried to add an attribute in the authorization profile to have radius idle timeout, it did work and the ISE initiate new session ID, but the smartphone is not getting the url.
Anyone have/had this issue ?

I've done a test with CWA + open SSID and I don't see the problem. (iPod, latest SW update, pretty old HW)
My steps:
1) connected to CWA SSID and it asked me to register, provided my username and password to see if they are correct
2) disconnected (connected to openSSID) without registering.
3) Checked reachablity over openSSID
4) reconnected to the CWA one.
5) Got redirected automatically.
Did I miss anything? Any more steps you've done?
M.

ISE 1.2 with AD

Similar Messages

Maybe you are looking for