ISE 1.2 With WLC and AD
Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done:
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards
You have to implement dot1x and RADIUS between your NAD and the ISE device.
Using the 3850 switch, these are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
Enable dot1X on the Windows machine, or use Cisco NAM.
You can enable debugging on aaa authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. You are supposed to see the user authenticated successfully.
You must also define these devices in ISE on the RADIUS interface.
ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE.
Administration --> Network Resources --> Network Devices --> Add
input the name
input the IP address for RADIUS communication
select the authentication settings and fill in the corresponding shared secret RADIUS key
select SNMP settings and select version 2c.
SNMP community: ciscoro
you can customize the polling interval if you want, and that's all.
You are supposed to receive message communication between your NAD and ISE.
After that you can do the procedure for the WLC device.
I will fill it in after you have passed the first steps (3850 authentication).
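The reachability and shared-secret check that the answer above exercises with `test aaa group radius` and the automate-tester user, as an added Python example that is not part of the thread: it builds a PAP Access-Request per RFC 2865 (with an RFC 2869 Message-Authenticator), verifies the Response Authenticator of the reply, and reports Access-Accept, Access-Reject, Invalid or Timeout. The ISE address, secret, user and NAS source IP are placeholders passed on the command line; it assumes PAP is allowed for that user in ISE.

```python
# Added example, not from the thread: a stand-alone RADIUS PAP probe doing what the
# switch's "test aaa group radius" / automate-tester health check does, so NAD <-> ISE
# reachability and the shared secret can be verified from any host. Encoding follows
# RFC 2865 (PAP, Response Authenticator) and RFC 2869 (Message-Authenticator).
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def attr(atype, value):
    """One attribute TLV: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_pap_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + block i-1),
    where "block -1" is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out

def build_access_request(ident, username, password, secret, nas_ip, nas_port=0,
                         authenticator=None, message_authenticator=True):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, encrypt_pap_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    if message_authenticator:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    if message_authenticator:
        # RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret, over the packet with value zeroed
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet, authenticator

def verify_message_authenticator(packet, secret):
    """True/False for the Message-Authenticator (attribute 80) check, None when it is absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return None

def verify_response_authenticator(response, request_authenticator, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def build_access_accept(request, secret, attrs=b""):
    """Server-side reply builder, included only so the client path can be exercised offline."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def classify_response(response, request, request_authenticator, secret):
    """Reply code name, or 'Invalid' when the ID or an authenticator does not match (the two
    sides hold different shared secrets, or the reply was not produced by the server)."""
    ok = (len(response) >= 20 and response[1] == request[1]
          and verify_response_authenticator(response, request_authenticator, secret)
          and verify_message_authenticator(response, secret) is not False)
    return CODE_NAMES.get(response[0], "Unknown") if ok else "Invalid"

def radius_health_check(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """One Access-Request round trip. 'Timeout' means the server is unreachable or silently
    dropping the request; a server that enforces Message-Authenticator discards requests
    whose HMAC was made with a different key, so a timeout can also be a key mismatch."""
    request, req_auth = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "Timeout"
    return classify_response(response, request, req_auth, secret)

if __name__ == "__main__":
    import sys  # usage: radius_probe.py <ise-ip> <shared-secret> <user> <password> <nas-source-ip>
    ise, secret, user, pwd, nas = sys.argv[1:6]
    print(radius_health_check(ise, secret.encode(), user.encode(), pwd.encode(), nas))
```

The NAS source IP you pass must be the one ISE has for the network device (the `ip radius source-interface` address), otherwise ISE will not match the request to a NAD entry.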
Similar Messages
-
Hi all,
I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
as the redirect page.
I'm using ISE 1.1.2 and WLC version 7.3.101
1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.
Hi,
Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
As far as certs if you are using mobile devices you may want to consider 3rd party certs.
Let me know if that helps.
Tarik Admani
*Please rate helpful posts* -
What is the lowest ISE version supported with WLC 7.3.112.0
Dears
Kindly i want to know what is the lowest version of ISE supported with WLC 7.3.112.0 or WLC 7.3.101.0
Please need your feedback.
Regards,
The lowest version of ISE supported with WLC 7.3 is ISE 1.2 as per this document:
Wireless LAN Controller (WLC) 2500 [8] | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes [9], Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Wireless LAN Controller (WLC) 5500 [8] | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes [9], Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Wireless LAN Controller (WLC) 7500 [8] | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes [9], Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
Wireless LAN Controller (WLC) 8500 [8] | 7.3.112.0 (ED), 7.4.x, 7.5 | Yes [9], Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
ISE 1.1 won't support WLC 7.3:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/compatibility/ise_sdt.html
Wireless LAN Controller (WLC) 2100, 4400 | 7.0.116.0 | No [6], Yes, No, Yes, Yes, Yes, Yes, No, No
Wireless LAN Controller (WLC) 2500, 5500 | 7.2.103.0 | No [6], Yes, Yes, Yes, Yes, Yes, Yes, Yes, No
WLC 7500 Series | 7.2.103.0 (basic RADIUS auth supported in 7.0.116.0) | Yes [6], Yes, No, Yes (local only), No, Yes, No, No, No -
Help me : Problem with WLC and AP
Hi,
We have a few AP on our network which work fine.
But, those which are behind our fw don't work.
LAN WI-FI with WLC <>--------Lan Routed---with Ap (Ok) ------------------
<> -------FW <> Vlan behind Fw and APs not work fine.
WLC = Software Version 7.0.220.0
Logs on WLC :
spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
debug dtls:
*spamApTask1: Jun 04 11:22:42.434: 64:a0:e7:5f:e5:70 record=Alert epoch=0 seq=2
*spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.37.251.71 : (null)
*spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 Requested by openssl_dtls_process_packet
*spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246 Peer 172.37.251.71:52258
*spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 DTLS Connection 0x145520d0 closed by controller
*spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247 Peer 172.37.251.71:52258
Cordially,
Hi,
- On the fw-
a. Make sure the FW is open for udp 5246 and 5247 ports required for the capwap process.
If this is a Cisco ASA, you can set up ingress and egress packet captures to see what packets enter and leave the FW for this AP-
cap capin interface match udp any
cap capout interface match udp any
**match captures bidirectional flow for the interesting traffic.
b. Check the logs on the firewall for any drops.
c. cap capdrop type asp-drop all
This will tell you if the pkt was dropped and the reason for the drop
d. You can run the packet-tracer command on the firewall tracking this udp flow-
e.g. packet-tracer input inside udp 3.3.3.3 1212 2.2.2.3 5246 detailed
- What AP model is this? Is it the same AP that connects to the controller if there is no fw in the path?
- Does it use MIC or SSC cert? If SSC, make sure you have SSC checked and you will need to manually enter the hash for the AP on the controller under AP Authorization List -
Security> AP Policies
You can get the hash of the AP (if you don't have it) by enabling the following debug on the controller:
debug pm pki enable
Other controller debugs for the AP-
debug mac address
debug capwap error enable
debug capwap events enable
- What about AP console log? Do you have access to that? -
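A triage helper for the WLC DTLS log lines quoted in the question above, added here as an example that is not part of the thread: it parses the `%DTLS-3-HANDSHAKE_FAILURE` lines, groups them by peer (the AP's IP) and measures the retry cadence, which tells a persistently blocked CAPWAP path (the firewall scenario the answer walks through) from a one-off failure. The sample log is the one from the post; the thresholds in `verdict` are assumptions.

```python
# Added example, not from the thread: triage helper for the WLC %DTLS-3-HANDSHAKE_FAILURE
# lines quoted above. It groups failures by peer (the AP's IP) and measures the retry
# interval, which separates a persistently blocked CAPWAP/DTLS path (steady retries) from a
# one-off. The sample log is copied from the post; no live controller is needed.
import re
import statistics
from datetime import datetime

LOG_RE = re.compile(
    r"^\*?(?P<task>\w+): (?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%DTLS-3-HANDSHAKE_FAILURE: (?P<where>\S+) "
    r"Failed to complete DTLS handshake with peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3})$"
)

SAMPLE_LOG = """\
spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
"""

def parse_dtls_failures(text):
    """Return one dict per matching line; unrelated lines (other syslog messages) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            # WLC logs carry no year; strptime fills in 1900, which is fine for intervals
            events.append({"task": m["task"], "where": m["where"], "peer": m["peer"],
                           "time": datetime.strptime(m["stamp"], "%b %d %H:%M:%S.%f")})
    return events

def summarize_by_peer(events):
    """Per peer: failure count, first/last time and median seconds between consecutive failures."""
    times_by_peer = {}
    for e in events:
        times_by_peer.setdefault(e["peer"], []).append(e["time"])
    summary = {}
    for peer, times in times_by_peer.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[peer] = {"count": len(times), "first": times[0], "last": times[-1],
                         "median_gap_s": statistics.median(gaps) if gaps else None}
    return summary

def verdict(peer_summary, min_count=3, max_gap_s=300):
    """'repeating' when a peer keeps failing at a steady cadence (check the UDP 5246/5247 path
    and firewall drops first), 'isolated' otherwise. Thresholds are assumed defaults."""
    if peer_summary["count"] >= min_count and (peer_summary["median_gap_s"] or 0) <= max_gap_s:
        return "repeating"
    return "isolated"

if __name__ == "__main__":
    for peer, s in summarize_by_peer(parse_dtls_failures(SAMPLE_LOG)).items():
        print(f"{peer}: {s['count']} failures, median retry {s['median_gap_s']:.1f}s, {verdict(s)}")
```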
Trunk with WLC and 1400BR problem
hi everybody,
I have the next problem, I hope someone can help me.
Actually I work with a 1522 Mesh Network, 1130 LWAPP and Bridge 1400 point to point. 1522 and 1130 are associated with the WLC.
I have a WLC4402 (4.1.192.22M (Mesh) image); this WLC is connected via trunk to Sw3750, ex:
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
RAP1 is connected to the same Sw3750 ex:
interface FastEthernet1/0/23
description RAP1
switchport access vlan 10
**(VLAN 10 is Mgmt)**
AP1(1130) is connected to the same Sw3750 ex:
interface FastEthernet1/0/1
description AP1
switchport access vlan 10
The 1410BR Root is connected via trunk to same Sw3750 ex:
interface FastEthernet1/0/19
description BR-1400R
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
In the other point is the Non-Root connected to a Sw2960 ex:
interface GigabitEthernet1/0/1
switchport trunk native vlan 10
switchport mode trunk
AP2(1130) connected to the same Sw2960 ex:
interface fa0/23
description AP2
switchport access vlan 10
The network works fine, Mesh UP (RAP and MAPs), and 1130 too. I connected the 1400 Bridge point after the Mesh is up, and the link between Root and Non Root is UP.
Now, when the Sw3750 goes down or reboots, the RAP and AP1(1130) can't associate to the WLC. The ports of RAP and 1130 go down and up many times, so they can't associate to the WLC. Only the Bridge point 1400 Root and Non-root are UP, and the AP2(1130) on the other side can associate to the WLC.
When I shut down the port of the Root Bridge, now the RAP1 and AP1(1130) can associate to the WLC and the Mesh Net is UP. Then I no-shut the Root Bridge port and the link between Bridges is UP, AP2(1130) up to the controller too.
But after several minutes the Bridge goes down, and the event log in the Root is: Interface Dot11Radio0 Radio transmit power out of range.
So I have these problems:
1) Trunks between WLC and 1400 BR
2) Bridge connectivity range.
Regards
Antonio
The Outdoor Bridge Range Calculation Utility uses parameters that include regulatory domain, device type, data rate, antenna gain, and a few others as inputs.
You can avoid connectivity problems with the Outdoor Bridge Calculation Utility, as this tool helps you to predict the distance between devices. In a wireless environment without a tool like this, you cannot predict the distance between the bridges, the height at which you must place the antennas for maximum throughput, and other variables. This utility also helps you decide on the type of antenna that you must use in order to cover the distance between the bridges. -
Hello everyone!
I have a controller of the 5508 series and Ap 1602.
Ap manage to obtain IP addresses from the DHCP server that is the 5508 controller.
but the AP fails to register; please, I really need help.
Below are some show:
1. AP: sh version
AP0006.f6d5.ea9c#sh version
Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Dec-12 04:52 by prod_rel_team
ROM: Bootstrap program is C1600 boot loader
BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
AP0006.f6d5.ea9c uptime is 38 minutes
System returned to ROM by power-on
System image file is "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-CAP1602E-E-K9 (PowerPC) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FGL1709Z6PC
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.4.1.37
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:06:F6:D5:EA:9C
Part Number : 73-14508-04
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC17020MTR
Top Assembly Part Number : 800-38553-01
Top Assembly Serial Number : FGL1709Z6PC
Top Revision Number : A0
Product/Model Number : AIR-CAP1602E-E-K9
Configuration register is 0xF
2. AP: sh ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 unassigned YES DHCP up up
GigabitEthernet0 unassigned NO unset up up
GigabitEthernet0.1 unassigned YES unset up up
3. AP: sh inventory
---nothing---
4. WLC: sh sysinfo
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.3.101.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... WLC-EEML
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.10.10.1
Last Reset....................................... Software reset
System Up Time................................... 1 days 1 hrs 13 mins 37 secs
System Timezone Location.........................
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
--More-- or (q)uit
External Temperature............................. +25 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ E0:2F:6D:5D:7D:C0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 25
5. WLC: sh time
Time............................................. Fri Jan 3 12:21:37 2014
Timezone delta................................... 0:0
Timezone location................................
NTP Servers
NTP Polling Interval......................... 86400
Index NTP Key Index NTP Server NTP Msg Auth Status
Also, I'm in Africa but
I cannot change the country or the time zone.
Thank you in advance for your help.
Hi,
By CLI:
Before changing the country code on the WLC, you must disable both networks:
WLC > config 802.11a disable network
WLC > config 802.11b disable network
WLC > config country SA (...or whatever country you are in)
And then enable both networks again:
WLC > config 802.11a enable network
WLC > config 802.11b enable network
By GUI:
First disable both network 802.11a and 802.11b
Follow these steps to disable the 802.11a and 802.11b/g networks:
a. Choose Wireless> 802.11a/n > Network.
b. Unselect the 802.11a Network Status check box.
c. Click Apply to commit your changes.
d. Choose Wireless > 802.11b/g/n > Network.
e. Unselect the 802.11b/g Network Status check box.
f. Click Apply to commit your changes.
Change country code on WLC now:
Choose Wireless > Country
After changing the country code, please enable both networks (802.11a and 802.11b).
Hope it helps.
Regards
Don't forget to rate helpful posts. -
ISE client provisioning with wlc 7.3
Hi Experts,
I have the following challenge. I will try to be synthetic.
ISE 1.1.2.145
WLC 7.3
Wireless clients, dot1x eap peap, posture required.
Clients should download the nac agent through redirection.
So, I have an authorization policy that, for posture status = unknown, applies a redirect AV, in the form:
"https://ip:port:8443/.....action=cpp
The access list is correctly applied on the WLC.
The challenge is, it works for HTTP traffic, but doesn't work for HTTPS traffic or if the browser is using a proxy (port 3128, 8080 etc).
In case you wonder, the access-list on wlc:
permit icmp, dns
permit traffic to the PDPs
deny all else.
Thanks
Andrea
You may want to consider explicitly denying the proxy traffic in the WLC ACL and see if that resolves your issue. You may need to get clarification from Cisco TAC to see whether, when the client is in the WEBAUTH state, it only listens for HTTP traffic.
You may want to consider using this option (however I do not know if this will work for RADIUS webauth redirection) -
http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000100.html
Thanks,
Tarik Admani
*Please rate helpful posts* -
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?
We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this? -
Vlan management with WLC and WCS
I'd like to know if it is possible to use the same vlan for the management of the WCS and for configuring a wlan?
I tried to make this lab, and when I declare a dynamic interface that is in the same subnet as the WCS IP address, the reliability between controller and WCS is lost. I know that I should not put servers on the same VLAN as wireless clients, but I just want to know if it is possible, or if Cisco implemented something to avoid this, to understand why my lab didn't work with this configuration.
Thanks -
WLC 5508 - APs are connecting with WLC but unable to register with WLC
Hi,
I have old 4400 series wlc and recently I have configured 5508 wlc and 6 new Access Point.
When you go to MONITOR - AP Join, there it shows the connected AP details with the AP IP address, but if you look under the WIRELESS option it is not showing any AP details.
I mean to say that the APs are connecting with the WLC and also getting IP addresses but are unable to register with the WLC.
I have even checked with the RADIUS configuration removed from the WLC as well as from ACS.
Please suggest......
I'm not able to post the info, it says the message below; please suggest how I can provide details.
This message can not be displayed due to its content. Please use the contact us link with any questions.
Also I'd like to say that after factory reset 4 out of 6 are done, now 2 remain. -
Hi All,
has anybody experience with WLC and IPv6? I have activated the check box for IPv6 support, but it does not work. Regards, Michael
Hi,
Have you configured the uplink router/switch to support IPv6? The sample config would look like this:
ipv6 unicast-routing
interface FastEthernet0/0.6
encapsulation dot1Q 56
ip address 10.50.56.1 255.255.255.0
ip access-group GNS2 in
ip access-group GNS2 out
ip helper-address 10.50.1.21
ip pim sparse-dense-mode
ip multicast ttl-threshold 1
no snmp trap link-status
ipv6 address 2006::/64 eui-64
ipv6 address autoconfig
ipv6 enable
Let me know if this works for you or not.
regards
Seema -
Hello everyone
I hope if anyone can help me.
a Building has 3 companies (A,B and C)
and I have one WLC
in each company there is 3 AP
I want to configure the WLC so that any AP in company A can't communicate with other APs in company B and C,
and the same for all companies.
I mean totally separate in IP scheme (no routing between them).
Can that be done with WLC and LWAP??
PLZ advise.
Thank you all for your reply.
I would like to ask you another question for another scenario.
I have one WLC installed in one subnet, let's say in the head quarter network, while the LAPs are installed in the branches and there is WAN connectivity between the HQ and the branch and OSPF routing is enabled between this WAN network. How can I do my configuration in order to register the LAPs installed in the branch with WLC installed in the HQ?
Thanks, -
[WLC - CWA] [ISE] WLAN Portal with Local Switching
Description: Guest Portal ISE (WLAN) in a FlexConnect local switching environment.
Problem: The communication stops every time we turn on the feature RADIUS NAC on the WLC.
We are trying to use Central WebAuth in a FlexConnect environment, and so the procedure that we are using is the one that's available in the Cisco docs ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ), but there's something occurring in my setup. I've configured the WLC and ISE step by step in accordance with the previous doc, but I can't establish communication every time I turn on the feature RADIUS NAC in the WLC.
All the ACLs were configured, I can see the ISE policy being sent to the client, but when the PC tries to establish the connection to it nothing leaves the PC (a simple ping was done). I've tried a bunch of setups to see if it was a misconfiguration or something else, but in the end, every time I turn on the NAC feature the final client loses all comms to anywhere.
You can see in the following attachment the setup of the WLC, and the AP with FlexConnect groups (I've also tried without a group but the final result was the same).
We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can find is a simple note stating,
"Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
In the FlexConnect Feature Matrix the RADIUS NAC is supported in a local switching environment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html ), but what we've found out so far is the other way around.
Another thing that we've found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) Cisco says that "FlexConnect local switching is not supported."
So, after seeing several docs my question is: Does Cisco support RADIUS NAC in a local switching environment?
Viten,
thanks for the quick reply but,
a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) ?
b) When I say comms stop, it's that I'm simply using ping as a test to see what happens on the client. Whenever I activate the RADIUS feature the final client (laptop) ceases all comms in a local switching environment.
BR,
DS -
We are migrating to ISE for guest access and are having problems with the CoA being delivered after a successful authentication. ISE attempts to send it but nothing changes on the WLC. The message in ISE is "Dynamic Authorization failed" and a message that ISE didn't receive a response from the NAD, verify communication. What is odd is the original guest request comes in from the IP address of the service port on the WLC, but anything to do with the CoA is seen from the management. I have both IPs defined for the device in ISE. I am about to do a session reauthentication within ISE and the WLC applies the changes. I have verified that RFC 3576 is enabled, but show radius rfc3576 stats shows no values. The WLC is running 7.6.130. I have attempted to debug on the WLC side to see if the message is even being delivered, but none of the debugs I have attempted seem to offer any good information.
Anyone have any suggestions?
Thanks,
Joe
Hi Joe,
I don't really know what you are trying to do with the CoA, as it is used in the CWA solution and the BYOD solution as well. But even before trying that, I would advise you to go step by step and solve the n/w issue first. You are able to see the request from the service port, which should not happen, because then the incoming/outgoing traffic takes different paths. You must be facing this situation as you might have some network routes matching the ISE subnet/IP address in GUI > Controller > Network Routes, as there is no need for those routes. If the service port needs to be used during a controller-down scenario, then use a laptop in the same subnet as the service port IP and connect to the service port.
Regards
Dhiresh
**Please rate helpful posts** -
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as the External Identity Source. Also I applied an authorization profile with a DACL.
I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
I tried to reboot the switch and the PC, but it didn't help. Only rebooting ISE helps. After ISE reboots, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or did I misconfigure ISE, the switch, or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end