ISE 1.2 With WLC and AD

Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD in a lab environment? Currently the following is done:
The wireless network is configured with 2 SSIDs (Staff and Guest).
Active Directory, DNS, DHCP and NTP are configured and synced.
ISE and AD run on C220 VMs, and the WLC is a 5760 appliance.
Please provide your thoughts and assistance.
Regards

You have to implement dot1x and RADIUS between your NAD and the ISE device.
Using a 3850 switch, these are the steps:
!local account used as the RADIUS automate-tester probe user; privilege 15
!only matters for console/VTY login, the probe itself does not need it
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!CoA (RFC 3576/5176) clients: the ISE policy service nodes. This key is used
!to communicate with ISE and to verify reachability between ISE and the
!switch; it must be the same shared secret entered for this NAD in ISE and
!is typed in clear text here (no type-7 prefix)
aaa server radius dynamic-author
 client 172.16.1.18 server-key radiusKey
 client 172.16.1.20 server-key radiusKey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 50
 switchport access vlan 10
 !pre-authentication ACL applied while the port is in open mode
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 !open mode forwards traffic before authentication completes (monitor mode);
 !remove it once the policy is enforced
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!permit ip any any is fine for a lab; in production restrict the pre-auth
!ACL to DHCP, DNS and the ISE nodes
ip access-list extended ACL-ALLOW
 permit ip any any
!RADIUS and syslog towards ISE are sourced from this interface; its address
!is the IP address to define for this NAD in ISE
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
!UDP 20514 is the ISE syslog collector port used by the profiler syslog probe
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
!read-only community polled by the ISE SNMP probe; the well-known default
!"public" is not needed and should not be configured
snmp-server community ciscoro RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers; the key is the shared secret entered for this NAD in ISE
radius server ISE-RADIUS-1
 address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
 automate-tester username RADIUS-HEALTH idle-time 15
 key radiusKey
!assumed: 172.16.1.18 is the second ISE node referenced in the dynamic-author
!and logging lines above, so it is defined as a second RADIUS server
radius server ISE-RADIUS-2
 address ipv4 172.16.1.18 auth-port 1812 acct-port 1813
 automate-tester username RADIUS-HEALTH idle-time 15
 key radiusKey
Please be sure that the NTP servers and time are synchronized.
Enable dot1x on the Windows machine, or use Cisco NAM.
You can enable debugging on aaa authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius <username> <password> new-code
and observe the result. You are supposed to see the user authenticated successfully.
You must also define these devices in ISE as network devices for RADIUS.
ip radius source-interface ..... use this interface's IP address as the IP address of the NAD device in ISE.
Administration --> Network Resources --> Network Devices --> Add
input the name
input the IP address used for RADIUS communication
select the authentication settings and fill in the corresponding RADIUS shared secret
select SNMP settings and select version 2c.
SNMP community: ciscoro
you can customize the polling interval if you want, and that is all.
You are supposed to see messages exchanged between your NAD and ISE.
After that you can do the procedure for the WLC device.
I will fill it in after you have passed the first steps (3850 authentication).

Similar Messages

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or guest access with ISE. I have set up a guest portal to do CWA and use the ISE guest portal
    as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101.
    1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page and I can authenticate, but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow DNS and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use MAC filtering as your L2 authentication.
    This will help in your redundant scenario, so that when one ISE goes down the second ISE can send the CWA over to it.
    As far as certs go, if you are using mobile devices you may want to consider 3rd-party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • What is the lowest ISE version supported with WLC 7.3.112.0

    Dears
    Kindly, I want to know what is the lowest version of ISE supported with WLC 7.3.112.0 or WLC 7.3.101.0.
    Please, I need your feedback.
    Regards,

    The lowest version of ISE supported with WLC 7.3 is ISE 1.2, as per this document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    Wireless LAN Controller (WLC) 2500 | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
    Wireless LAN Controller (WLC) 5500 | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
    Wireless LAN Controller (WLC) 7500 | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
    Wireless LAN Controller (WLC) 8500 | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
    (columns: device | supported WLC releases | the nine feature-support columns of the matrix, whose headings were not reproduced in the post)
    ISE 1.1 won't support WLC 7.3:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/compatibility/ise_sdt.html
    Wireless LAN Controller (WLC) 2100, 4400 | 7.0.116.0 | No, Yes, No, Yes, Yes, Yes, Yes, No, No
    Wireless LAN Controller (WLC) 2500, 5500 | 7.2.103.0 | No, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No
    WLC 7500 Series | 7.2.103.0 (basic RADIUS auth supported in 7.0.116.0) | Yes, Yes, No, Yes (local only), No, Yes, No, No, No

  • Help me : Problem with WLC and AP

    Hi,
    We have a few APs on our network which work fine.
    But those which are behind our FW don't work.
    LAN WI-FI with WLC  <>--------Lan Routed---with Ap (Ok) ------------------
                                     <> -------FW <> Vlan behind Fw and APs not work fine.
    WLC = Software Version                 7.0.220.0
    Logs  on WLC :
    spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
    debug dtls:
    *spamApTask1: Jun 04 11:22:42.434: 64:a0:e7:5f:e5:70 record=Alert epoch=0 seq=2
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.37.251.71 : (null)
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70  Requested by openssl_dtls_process_packet
    *spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246  Peer 172.37.251.71:52258
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 DTLS Connection 0x145520d0 closed by controller
    *spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247  Peer 172.37.251.71:52258
    Cordially,

    Hi,
    - On the FW:
    a. Make sure the FW is open for UDP ports 5246 and 5247, which are required for the CAPWAP process.
    If this is a Cisco ASA, you can set up ingress and egress packet captures to see what packets enter and leave the FW for this AP:
    cap capin interface <inside-if> match udp any any
    cap capout interface <outside-if> match udp any any
    **match captures the bidirectional flow for the interesting traffic.
    b. Check the logs on the firewall for any drops.
    c. cap capdrop type asp-drop all
    This will tell you if the packet was dropped and the reason for the drop.
    d. You can run the packet-tracer command on the firewall tracking this UDP flow,
    e.g. packet-tracer input inside udp 3.3.3.3 1212 2.2.2.3 5246 detailed
    - What AP model is this? Is it the same AP that connects to the controller when there is no FW in the path?
    - Does it use a MIC or SSC cert? If SSC, make sure you have SSC checked, and you will need to manually enter the hash for the AP on the controller under the AP Authorization List:
    Security > AP Policies
    You can get the hash of the AP (if you don't have it) by enabling the following debug on the controller:
    debug pm pki enable
    Other controller debugs for the AP:
    debug mac addr <AP MAC address>
    debug capwap error enable
    debug capwap events enable
    - What about the AP console log? Do you have access to that?
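    Detection logic run over the controller lines quoted above, as an added Python example (not from the thread and not Cisco code): it parses the WLC syslog format, groups %DTLS-3-HANDSHAKE_FAILURE events per peer and measures how regularly they recur. The seven messages are the ones from the post, embedded as sample input; the year is assumed because WLC timestamps omit it, and the 60..120 s window used to call a series a retry loop is a heuristic chosen here, not a documented constant. A steady cadence of failures from one peer means the AP keeps retrying the join, which is what a firewall blocking UDP 5246/5247 or a certificate the controller rejects looks like from the controller side.

```python
"""Parse Cisco WLC syslog lines and summarise %DTLS-3-HANDSHAKE_FAILURE
events per peer: how many, and how regularly they recur, which separates a
one-off bad handshake from an AP stuck in a CAPWAP join retry loop."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^\*?(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<file>\S+) (?P<text>.*)$")
PEER_RE = re.compile(r"peer (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: the seven controller messages quoted in the post above
SAMPLE_LOG = """\
spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
"""

def parse_wlc_log(text, year=2014):
    """WLC timestamps carry no year; the caller supplies one (assumed here).
    Lines that are not syslog messages (debug output etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        peer = PEER_RE.search(m["text"])
        events.append({
            "task": m["task"],
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
            "msg": m["msg"],
            "source": m["file"],
            "peer": peer.group(1) if peer else None,
        })
    return events

def dtls_failures_by_peer(events):
    """Per peer: failure count, first/last time, median interval between
    failures, and whether the interval looks like a steady retry loop
    (heuristic window 60..120 s, at least three events)."""
    stamps = defaultdict(list)
    for e in events:
        if e["msg"] == "DTLS-3-HANDSHAKE_FAILURE" and e["peer"]:
            stamps[e["peer"]].append(e["ts"])
    summary = {}
    for peer, times in stamps.items():
        times.sort()
        gaps = sorted(round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:]))
        median = gaps[len(gaps) // 2] if gaps else None
        summary[peer] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "median_gap_s": median,
            "retry_loop": bool(median and 60 <= median <= 120 and len(times) >= 3),
        }
    return summary

if __name__ == "__main__":
    for peer, s in dtls_failures_by_peer(parse_wlc_log(SAMPLE_LOG)).items():
        print(peer, s["count"], "failures, median gap", s["median_gap_s"], "s, retry loop:", s["retry_loop"])
```

On the sample the single peer shows seven failures about 70 seconds apart, i.e. the AP is cycling through join attempts rather than failing once, which is the pattern to take to the firewall captures and the AP authorization list described in the answer.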

  • Trunk with WLC and 1400BR problem

    Hi everybody,
    I have the following problem; I hope someone can help me.
    Actually I work with a 1522 mesh network, 1130 LWAPP APs and a 1400 point-to-point bridge. The 1522 and 1130 are associated with the WLC.
    I have a WLC4402 (4.1.192.22M (Mesh) image); this WLC is connected via trunk to a Sw3750, e.g.:
    interface GigabitEthernet1/0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    RAP1 is connected to the sameSw3750 ex:
    interface FastEthernet1/0/23
    description RAP1
    switchport access vlan 10
    **(VLAN 10 is Mgmt)**
    AP1(1130) is connected to the same Sw3750 ex:
    interface FastEthernet1/0/1
    description AP1
    switchport access vlan 10
    The 1410BR Root is connected via trunk to same Sw3750 ex:
    interface FastEthernet1/0/19
    description BR-1400R
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    In the other point is the Non-Root connected to a Sw2960 ex:
    interface GigabitEthernet1/0/1
    switchport trunk native vlan 10
    switchport mode trunk
    AP2(1130) connected to the same Sw2960 ex:
    interface fa0/23
    description AP2
    switchport access vlan 10
    The network works fine, the mesh is up (RAP and MAPs), and the 1130s too. I connected the 1400 bridge after the mesh was up, and the link between Root and Non-Root is up.
    Now, when the Sw3750 goes down or reboots, the RAP and AP1 (1130) can't associate to the WLC. The ports of the RAP and the 1130 go down and up many times, so they can't associate to the WLC. Only the 1400 bridge Root and Non-Root are up, and AP2 (1130) on the other side can associate to the WLC.
    When I shut down the port of the Root bridge, the RAP1 and AP1 (1130) can associate to the WLC and the mesh network is up. Then after a no shutdown on the Root bridge port, the link between the bridges is up and AP2 (1130) comes up to the controller too.
    But after several minutes the bridge goes down, and the event log in the Root is: Interface Dot11Radio0 Radio transmit power out of range.
    So I have these problems:
    1) Trunks between WLC and 1400 BR
    2) Bridge connectivity range.
    Regards
    Antonio

    The Outdoor Bridge Range Calculation Utility uses parameters that include regulatory domain, device type, data rate, antenna gain, and a few others as inputs.
    You can avoid connectivity problems with the Outdoor Bridge Calculation Utility, as this tool helps you to predict the distance between devices. In a wireless environment without a tool like this, you cannot predict the distance between the bridges, the height at which you must place the antennas for maximum throughput, and other variables. This utility also helps you decide on the type of antenna that you must use in order to cover the distance between the bridges.

  • WLC 5508 - AP 1600 series are connecting with WLC but unable to register with WLC, and country is US no matter what I do, I can't change it

    Hello everyone!
    I have a 5508 series controller and an AP 1602.
    The AP manages to obtain an IP address from the DHCP server, which is the 5508 controller,
    but the AP fails to register. Please, I really need help.
    Below are some show outputs:
    1.  AP:  sh version
    AP0006.f6d5.ea9c#sh version
    Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 11-Dec-12 04:52 by prod_rel_team
    ROM: Bootstrap program is C1600 boot loader
    BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
    AP0006.f6d5.ea9c uptime is 38 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-CAP1602E-E-K9    (PowerPC) processor (revision A0) with 98294K/32768K bytes of memory.
    Processor board ID FGL1709Z6PC
    PowerPC CPU at 533Mhz, revision number 0x2151
    Last reset from power-on
    LWAPP image version 7.4.1.37
    1 Gigabit Ethernet interface
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:06:F6:D5:EA:9C
    Part Number                          : 73-14508-04
    PCA Assembly Number                  : 000-00000-00
    PCA Revision Number                  :
    PCB Serial Number                    : FOC17020MTR
    Top Assembly Part Number             : 800-38553-01
    Top Assembly Serial Number           : FGL1709Z6PC
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP1602E-E-K9
    Configuration register is 0xF
    2.  AP:  sh ip interface brief
    Interface                  IP-Address      OK? Method Status                Protocol
    BVI1                       unassigned      YES DHCP   up                    up
    GigabitEthernet0           unassigned      NO  unset  up                    up
    GigabitEthernet0.1         unassigned      YES unset  up                    up
    3.  AP:  sh inventory
    ---nothing---
    4.  WLC:  sh sysinfo
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.3.101.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS
    System Name...................................... WLC-EEML
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    Redundancy Mode.................................. Disabled
    IP Address....................................... 10.10.10.1
    Last Reset....................................... Software reset
    System Up Time................................... 1 days 1 hrs 13 mins 37 secs
    System Timezone Location.........................
    Configured Country............................... US  - United States
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +39 C
    --More-- or (q)uit
    External Temperature............................. +25 C
    Fan Status....................................... OK
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ E0:2F:6D:5D:7D:C0
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Absent
    Maximum number of APs supported.................. 25
    5.  WLC:  sh time
    Time............................................. Fri Jan  3 12:21:37 2014
    Timezone delta................................... 0:0
    Timezone location................................
    NTP Servers
        NTP Polling Interval.........................     86400
         Index     NTP Key Index     NTP Server      NTP Msg Auth Status
    Also, I'm in Africa, but
    I cannot change the country or the time zone.
    Thank you in advance for your help.

    Hi,
    By CLI:
    Before changing the country code on the WLC, you must disable both networks:
    WLC > config 802.11a disable network
    WLC > config 802.11b disable network
    WLC > config country SA (...or whatever country you are in)
    And then enable both networks again:
    WLC > config 802.11a enable network
    WLC > config 802.11b enable network
    By GUI:
    First disable both network 802.11a and 802.11b
    Follow these steps to disable the 802.11a and 802.11b/g networks as follows:
    a.          Choose Wireless> 802.11a/n > Network.
    b.          Unselect the 802.11a Network Status check box.
    c.          Click Apply to commit your changes.
    d.          Choose Wireless > 802.11b/g/n > Network.
    e.          Unselect the 802.11b/g Network Status check box.
    f.          Click Apply to commit your changes.
    Change country code on WLC now:
    Choose Wireless > Country
    after changing the country code please enable both networks(802.11a and 802.11b)
    Hope it helps.
    Regards
    Don't forget to rate helpful posts.

  • ISE client provisioning with wlc 7.3

    Hi Experts,
    I have the following challenge. I will try to be concise.
    ISE 1.1.2.145
    WLC 7.3
    Wireless clients, dot1x EAP-PEAP, posture required.
    Clients should download the NAC agent through redirection.
    So, I have an authorization policy that, for posture status = unknown, applies a redirect AV pair, in the form:
    "https://ip:port:8443/.....action=cpp
    The access list is correctly applied on the WLC.
    The challenge is that it works for HTTP traffic, but doesn't work for HTTPS traffic or if the browser is using a proxy (port 3128, 8080 etc.).
    In case you wonder, the access-list on wlc:
    permit icmp, dns
    permit traffic to the PDPs
    deny all else.
    Thanks
    Andrea

    You may want to consider explicitly denying the proxy traffic in the WLC ACL and see if that resolves your issue. You may need to get clarification from Cisco TAC as to whether the client in the WEBAUTH state only listens for HTTP traffic.
    You may want to consider using this option (however, I do not know if this will work for RADIUS webauth redirection):
    http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000100.html
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than a Class C, or is there a more elegant way of handling this?
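    How the two assignment styles discussed here look inside an Access-Accept, as an added Python example (not from the thread, not ACS or WLC code): the IETF tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) that the autonomous APs resolve through dot11 vlan-name, and the Cisco/Airespace vendor-specific attribute (vendor 14179, sub-type 5 Airespace-Interface-Name) that the controller maps to one dynamic interface. The decoder handles the RFC 2868 tag octet, which is the easy thing to get wrong when a VLAN name rather than a number is carried. The VLAN names STUDENT and FACSTAF are from the post; the interface names and the tag values are constructed.

```python
"""Encode and decode the RADIUS attributes that carry a VLAN or interface
assignment in an Access-Accept: RFC 2868 tunnel attributes (what the
autonomous APs consume) and the Airespace VSA (what the WLC consumes)."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME = 14179, 5

def attr(t, value):
    """One RADIUS attribute in Type-Length-Value form."""
    return struct.pack("!BB", t, len(value) + 2) + value

def tagged_integer(value, tag):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]

def tagged_string(text, tag):
    """RFC 2868 tagged string: tag octet (0x01..0x1F) prefixed to the text.
    Tag 0 means the attribute is sent untagged, i.e. no prefix at all."""
    body = text.encode()
    return (bytes([tag]) + body) if tag else body

def vlan_by_tunnel_attrs(group_id, tag=1):
    """IETF style: Tunnel-Private-Group-ID carries the VLAN name (or number)
    that the AP resolves locally with dot11 vlan-name."""
    return (attr(TUNNEL_TYPE, tagged_integer(TUNNEL_TYPE_VLAN, tag))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_integer(TUNNEL_MEDIUM_IEEE802, tag))
            + attr(TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(group_id), tag)))

def interface_by_airespace_vsa(interface_name):
    """Controller style: Vendor-Specific (26) wrapping vendor 14179,
    sub-type 5 Airespace-Interface-Name, naming one dynamic interface."""
    body = interface_name.encode()
    inner = struct.pack("!BB", AIRESPACE_INTERFACE_NAME, len(body) + 2) + body
    return attr(VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + inner)

def parse_attrs(data):
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def strip_tag(value):
    """RFC 2868 3.6: a first octet greater than 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value

def decode_assignment(data):
    """Pull the VLAN / interface assignment out of an Access-Accept attribute blob."""
    result = {}
    for t, value in parse_attrs(data):
        if t == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            result["medium"] = int.from_bytes(value[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = strip_tag(value).decode()
        elif t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == AIRESPACE_VENDOR_ID and vtype == AIRESPACE_INTERFACE_NAME:
                result["interface"] = value[6:4 + vlen].decode()
    return result

if __name__ == "__main__":
    accept_attrs = vlan_by_tunnel_attrs("STUDENT") + interface_by_airespace_vsa("student-bldgA")
    print(decode_assignment(accept_attrs))
```

The point for the per-building question is visible in the decoder: the tunnel attributes name a VLAN that each AP resolves on its own, while the VSA names one interface object on the controller, so whatever mapping the controller holds for that name is what every client in the group gets.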

  • Vlan management with WLC and WCS

    I'd like to know if it is possible to use the same VLAN for the management of the WCS and for configuring a WLAN.
    I tried to build this lab, and when I declare a dynamic interface that is in the same subnet as the WCS IP address, the reliability between controller and WCS is lost.

    I know that I should not put servers on the same VLAN as wireless clients, but I just want to know if it is possible, or if Cisco implemented something to avoid this, to understand why my lab didn't work with this configuration.
    Thanks

  • WLC 5508 - AP's are conecting with WLC but unable to regester with WLC

    Hi,
    I have an old 4400 series WLC, and recently I have configured a 5508 WLC and 6 new access points.
    When you go to MONITOR - AP Join, it shows the connected AP details with the AP IP address, but if you look under the WIRELESS option it does not show any AP details.
    I mean to say that the APs are connecting with the WLC and also getting an IP address, but are unable to register with the WLC.
    I have even tried removing the RADIUS configuration from the WLC as well as from ACS.
    Please suggest......

    I'm not able to post info; it says the message below. Please suggest how I can provide details.
    This message can not be displayed due to its content. Please use the contact us link with any questions.
    Also I'd like to say that after a factory reset, 4 out of 6 are done now, 2 remain.

  • WLC and IPv6

    Hi All,
    Has anybody got experience with WLC and IPv6? I have activated the check box for IPv6 support, but it does not work. Regards, Michael

    Hi ,
    Have you configured the uplink router/switch to support IPv6? The sample config would look like this:
    ipv6 unicast-routing
    interface FastEthernet0/0.6
    encapsulation dot1Q 56
    ip address 10.50.56.1 255.255.255.0
    ip access-group GNS2 in
    ip access-group GNS2 out
    ip helper-address 10.50.1.21
    ip pim sparse-dense-mode
    ip multicast ttl-threshold 1
    no snmp trap link-status
    ipv6 address 2006::/64 eui-64
    ipv6 address autoconfig
    ipv6 enable
    Let me know if this works for you or not.
    regards
    Seema

  • WLC and AP in L3

    Hello everyone
    I hope if anyone can help me.
    A building has 3 companies (A, B and C)
    and I have one WLC.
    In each company there are 3 APs.
    I want to configure the WLC so that any AP in company A can't communicate with the other APs in companies B and C,
    and the same for all companies.
    I mean totally separate IP schemes (no routing between them).
    Can that be done with a WLC and LWAPs??
    Please advise.

    thank you all for your reply
    I would like to ask you another question fo another scenario.
    I have one WLC installed in one subnet, let's say in the head quarter network, while the LAPs are installed in the branches and there is WAN connectivity between the HQ and the branch and OSPF routing is enabled between this WAN network. How can I do my configuration in order to register the LAPs installed in the branch with WLC installed in the HQ?
    Thanks,

  • [WLC - CWA] [ISE] Wlan Portal with Local Switiching

    Description: Guest Portal ISE (WLAN) in a FlexConnect local switching environment.
    Problem: The communication stops every time we turn on the RADIUS NAC feature on the WLC.
    We are trying to use Central WebAuth in a FlexConnect environment, and so the procedure we are using is the one available in the Cisco docs ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ), but there's something occurring in my setup. I've configured the WLC and ISE step by step in accordance with the previous doc, but I can't establish communication whenever I turn on the RADIUS NAC feature on the WLC.
    All the ACLs were configured; I can see the ISE policy being sent to the client, but when the PC tries to establish the connection nothing leaves the PC (a simple ping was done). I've tried a bunch of setups to see if it was a misconfiguration or something else, but in the end, every time I turn on the NAC feature the end client loses all comms to anywhere.
    You can see in the following attachment the setup of the WLC and AP with FlexConnect groups (I've also tried without a group, but the final result was the same).
    We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can find is a simple note stating,
    "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
    In the FlexConnect feature matrix, RADIUS NAC is supported in a local switching environment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html ), but what we've found out so far is the other way around.
    Another thing we've found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) Cisco says that "FlexConnect local switching is not supported."
    So, after seeing several docs, my question is: does Cisco support RADIUS NAC in a local switching environment?

    Viten,
    Thanks for the quick reply, but
    a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html )?
    b) When I say comms stop, I mean that I'm simply using ping as a test to see what happens on the client. Whenever I activate the RADIUS feature, the end client (laptop) ceases all comms in a local switching environment.
    BR,
    DS

  • WLC and ISE guest access COA

    We are migrating to ISE for guest access and are having problems with the CoA being delivered after a successful authentication.  ISE attempts to send it but nothing changes on the WLC.  The message in ISE is Dynamic Authorization failed, and a message that ISE didn't receive a response from the NAD, verify communication.  What is odd is that the original guest request comes in from the IP address of the service port on the WLC, but anything to do with the CoA is seen from the management.  I have both IPs defined for the device in ISE.  I am able to do a session reauthentication within ISE and the WLC applies the changes.  I have verified that RFC 3576 is enabled, but show radius rfc3576 stats shows no values.  The WLC is running 7.6.130.  I have attempted to debug on the WLC side to see if the message is even being delivered, but none of the debugs I have attempted seem to offer any good information.
    Anyone have any suggestions?  
    Thanks,
    Joe

    Hi Joe,
    I don't really know what you are trying to do with the CoA, as it is used in the CWA solution and the BYOD solution as well. But even before trying that, I would advise you to go step by step and solve the network issue first. You are able to see the request from the service port, which should not happen, because then the incoming and outgoing traffic take different paths. You must be facing this situation because you have some network routes matching the ISE subnet/IP address in GUI > Controller > Network Routes; there is no need for those routes. If the service port needs to be used during a controller-down scenario, then use a laptop in the same subnet as the service port IP and connect to the service port.
    Regards
    Dhiresh
    **Please rate helpful posts**

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have the built-in Windows XP supplicant and a Cisco 2960 switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin.
    On the supplicant I use EAP (PEAP) with EAP-MSCHAPv2.
    I created authentication and authorization rules with Active Directory as the external identity source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the one last account.
    I tried rebooting the switch and the PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or did I misconfigure ISE, the switch or the supplicant?
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end
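    The running config above is the kind of thing a reviewer reads line by line for posture problems that are easy to miss while chasing the authentication bug: ports in `authentication open` (monitor) mode behind a `permit ip any any` pre-auth ACL, a dead-server fallback into VLAN 1 (the VLAN carrying the switch's own management SVI), a default SNMP community, cleartext passwords and HTTP management. The script below is an added example, not code from this thread or from Cisco: a small IOS-style config parser that splits the config into global lines and interface/ACL blocks and flags those items. The sample config embedded in it is constructed to mirror the shape of the posted one (placeholder addresses, not the poster's), and the severities and check list are the editor's assumptions about what a reviewer would want surfaced.

```python
"""Audit an IOS-style running config for 802.1X/RADIUS posture (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the shape of the config posted above.
# Addresses and secrets are placeholders, not values from a real device.
SAMPLE_CONFIG = """\
hostname testISE
no service password-encryption
enable password cleartextpass
aaa new-model
aaa authentication dot1x default group radius
ip http server
interface FastEthernet0/5
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event server dead action reinitialize vlan 1
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
interface FastEthernet0/6
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event server dead action reinitialize vlan 1
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
interface FastEthernet0/7
interface Vlan1
 ip address 192.0.2.204 255.255.240.0
ip access-list extended ACL-ALLOW
 deny   icmp any host 192.0.2.1
 permit ip any any
snmp-server community public RO
radius-server dead-criteria time 5 tries 3
end
"""


@dataclass
class Finding:
    severity: str   # "high" | "medium"
    where: str      # "global" or the interface name
    message: str


def parse_config(text):
    """Return (top-level lines, {block header: [indented child lines]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():              # child of the current block
            if current is not None:
                blocks[current].append(line.strip())
            continue
        top.append(line)
        current = None
        if line.startswith(("interface ", "ip access-list ", "radius server ")):
            current = line
            blocks.setdefault(current, [])
    return top, blocks


def acl_permits_any(blocks, acl_name):
    """True if the named ACL ends up permitting all IP traffic."""
    for kind in ("extended", "standard"):
        entries = blocks.get(f"ip access-list {kind} {acl_name}")
        if entries is not None:
            return any(re.match(r"permit (?:ip )?any(?: any)?$", e) for e in entries)
    return True  # IOS treats an applied-but-undefined ACL as permit-all


def audit(text):
    top, blocks = parse_config(text)
    findings, tset = [], set(top)
    if "no service password-encryption" in tset and any(l.startswith("enable password ") for l in top):
        findings.append(Finding("high", "global", "enable password stored in cleartext"))
    for l in top:
        m = re.match(r"snmp-server community (\S+) ", l)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(Finding("high", "global", f"default SNMP community '{m.group(1)}'"))
    if "ip http server" in tset:
        findings.append(Finding("medium", "global", "plaintext HTTP management enabled"))
    # VLANs that carry an SVI on this switch, e.g. "interface Vlan1" -> "1"
    mgmt_vlans = {h.split()[1][4:] for h in blocks if h.startswith("interface Vlan")}
    for header, children in blocks.items():
        if not header.startswith("interface ") or "dot1x pae authenticator" not in children:
            continue
        ifname = header.split(" ", 1)[1]
        if "authentication open" in children:
            acl = next((c.split()[2] for c in children
                        if c.startswith("ip access-group ") and c.endswith(" in")), None)
            if acl is None or acl_permits_any(blocks, acl):
                findings.append(Finding("medium", ifname,
                    "open (monitor) mode with no restrictive pre-auth ACL: a failed "
                    "authentication still gets full network access"))
        for c in children:
            m = re.match(r"authentication event server dead action (?:reinitialize|authorize) vlan (\d+)", c)
            if m and m.group(1) in mgmt_vlans:
                findings.append(Finding("high", ifname,
                    f"critical-auth fallback places endpoints in VLAN {m.group(1)}, "
                    "which carries the switch management SVI"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.where:16} {f.message}")
```

    Feed it `show running-config` output instead of the sample to review a real switch; open mode is a legitimate pilot setting, so the medium findings are there to make sure it is a conscious choice rather than something left behind after the lab phase.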
