ISE and CoA 'port bounce' on WLC 7.2

Similar Messages

• RADIUS CoA Port Bounce query

  Hello
  I have a question relating to RADIUS CoA Port Bounce.
  I'm planning to deploy 802.1x with ISE 1.3 to:
  802.1x authenticate corporate desktop PCs (with anyconnect client installed for user and machine authentication) - on successful machine authentication, ISE will dynamically assign a VLAN
  Profile Cisco IP phones
  In order for an authenticated corporate desktop to pick up an IP address on its dynamically assigned VLAN I was thinking of using CoA Port Bounce. If this desktop was connecting through a successfully profiled Cisco IP phone, am I right in saying that the resulting Port Bounce will also affect the phone (phone will de-register from callmanager)?
  Thanks
  Andy

  Hi Andy, if you are using PoE then a port-bounce the phone would definitely drop from the network and Call Manager. The phone would basically power down and then power back up.
  Now with that being said you should keep in mind that a port-bounce would remove the existing dot1x session and will a new session would be initialized. Thus, the endpoint would end up starting at the original VLAN again and then getting the new VLAN after authorization :) So I guess what I am trying to say is that port-bounce is not the solution for this. Instead, you should consider:
  1. Using dACLs instead of dynamic VLANs. That way you can have everyone in the same VLAN but use different dACLs to define network access
  2. Continue to use dynamic VLANs but keep in mind that some "dumb" devices won't detect the VLAN change, thus not grabbing a new IP address. The good news is that most modern devices will detect the VLAN change and should grab a new IP. For instance, you should not have any issues with Windows 7 and newer devices
  My recommendation is to go with option #1 though as that has always worked for me. 
  I hope this helps!
  Thank you for rating helpful posts!

• ISE WLC Port bounce with NAC

  Im having trouble renewing the IP address after a VLAN change after NAC Agent finishes its posture, the flow is as follows:
  1. Wireless client access into the network, is 802.1x
  2. NAC Agent succesfully validates posture and Coa is issued
  3. I see the new Vlan for that client on the WLC, however my captures indicate that no dhcp renewal is issued from the PC to the DHCP Server
  This is no guest access so the option for renew the VLAN dhcp is not a feasible one
  any comments will be gladly received.
  Thanks!

  Hello,
  I went through your query and for the same I have found the link below which may help in solving it:-
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html

• ISE and WLC for posture remediation

  Please can anybody clarify a few things in relation to ISE and wireless posture.
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
  2) Can/Should a dACL/wACL be specified as a remediation ACL?
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?)
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
  5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation
  thanks
  Nick

  Nick,
  Answers are inline:
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an  ACL to redirect only some traffic to kickoff posture checking? This is for both (if ports 8905..are included) then this is for initial redirection, and remediation
  2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support DACL, you will have to reference another ACL in the the authorization policy, the new versions have the Airespace ACL field, where you will have the ACL defined locally on the wlc.
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes you have to add two entries, for example for all traffic redirection to ise...source = any, destination=iseipadd, source port=any, destination port=any direction=any action=permit
  source=iseipaddr, destination ip = any, source port=any, destination port=any, direction=any action permit. Its not the easiest but I will attach a screenshot that will show you my example.
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesnt support DACLs so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery) after that the ACL field will come up, there you will "call" the posture ACL which is defined on your controller.
  5)  Any other advice or pointers would be helpful too as no docs i have  found so far, be it TrustSec2, CiscoLive or anything else, dont seem to  help me understand WLC posture and remediation Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.
  You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
  Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
  Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
  Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• CoA issues between ISE and 3750x

  We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
  When the radius sends a reauthentication CoA message to the switch, the switch responds with a 'session contect not found' reply. I have upgraded the code to the latest levels on both the ise and switch and still have the same resultts.
  This reauthenticate is needed after the NAC profiler determines the pc is complient. I am receiving the complient message from the pc and switch, but becuase the switch never reauthentices the client after the CoA request, the client is never granted full access.
  I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
  Please Help...!!!!!
  -Debug --
  Log Buffer (10000 bytes):
  Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
  Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
  Feb 28 19:34:21.940 UTC: RADIUS:  authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
  Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
  Feb 28 19:34:21.948 UTC: RADIUS:  Event-Timestamp     [55]  6   1362080061
  Feb 28 19:34:21.948 UTC: RADIUS:  Message-Authenticato[80]  18
  Feb 28 19:34:21.948 UTC: RADIUS:   BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4              [ *c"~]
  Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  41
  Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
  Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  49
  Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
  Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
  Feb 28 19:34:21.948 UTC:  ++++++ CoA Attribute List ++++++
  Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
  Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
  Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
  Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
  Feb 28 19:34:21.948 UTC:
  Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
  Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
  Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
  Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
  Feb 28 19:34:21.957 UTC: RADIUS:  authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
  Feb 28 19:34:21.957 UTC: RADIUS:  Reply-Message       [18]  18
  Feb 28 19:34:21.957 UTC: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
  Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
  Feb 28 19:34:21.957 UTC: RADIUS:  Message-Authenticato[80]  18
  Feb 28 19:34:21.957 UTC: RADIUS:   30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61          [ 0R.TK(1a]
  ESWHQFL02-S#
  ESWHQFL02-S#
  -- Switch Config -
  aaa authentication login default group tacacs+ local-case
  aaa authentication login local_login local
  aaa authentication enable default group tacacs+ enable
  aaa authentication dot1x default group radius
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 5 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa authorization network default group radius
  aaa authorization network auth-list group DOT1X
  aaa accounting dot1x default start-stop group radius
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 5 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa server radius dynamic-author
  client 10.122.1.82 server-key 7 14141B180F0B
  client 10.122.1.80 server-key 7 045802150C2E
  aaa session-id common
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
  radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
  radius-server deadtime 5
  radius-server key 7 030752180500
  radius-server vsa send accounting
  radius-server vsa send authentication

  As per the cisco recommendation IOSv12.2(52)SE is suitable for Catalyst 3750-X which will support all  the features without any issues like  MAB,802.1X,CWA,LWA,COA,VLAN,DACL,SAG as mentioned in the link below:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.
  I see you are using IOSv12.2(58)SE2,which is not recommended.So you can  downgrade to IOSv12.2(52)SE which will solve your issues.

• ISE with CWA and wired guest access via WLC Anchor

  Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
  We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
  So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
  It comes out as:
  https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
  So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

  The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

• ISE and Anchor WLCs?

  Hi All,
  I'm trying to put together a Guest WLAN setup and want to know the best approach.
  If I use ISE for Guest portal/access control do I still have the standard setup of Anchor WLCs in DMZ for the guest WLANs?
  Or does the ISE tell the internal WLC's to place the allowed guest users onto a guest VLAN accessible to the internal WLCs?
  Do I lose anything with ISE compared to the old WCS/WLC guest portal methods?
  Any thoughts would be appreciated.
  Thanks,
  Brendan

  Brendan,
  From my experience you still should use a dmz guest anchor controller. The only difference is the ports you will need to open on the FW between the guest anchor and ISE. Now you can still do this without a guest anchor if there isn't an existing one or one not planned for.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• ISE and WLC

  Dear friends,
  We are using ISE and WLC integrity in our network, we have Corporate and Guest SSID, we configured it but client cant connect to this ssid and cant be authenticated, please see attached files and tell me if i done something wrong in configuration of WLC
  10.10.17.201 is ISE
  Thank you for attention

  Hi,
  After viewing the Trap logs it seems you have checked on validate machine.
  On the client side, make sure you don't check validate machine and then try.

• ISE and WLC SRE module compatibilty matrix

  Hi all,
  We are running SRE module on router with code of 6.x release .Is there any compatibilty matrix available for ISE and WLC code to support CWA . because as of now , the wireless clients are not redirecting to the ISE login page.
  Kindly suggest.
  Thanks,
  Regards,
  Vijay

  The doc is for wireless guest using CWA. For wired guest, I don't know since you can do wired guest from a WLC that supports it or from a switch.
  Sent from Cisco Technical Support iPhone App

• Cisco ISE and WLC Access-List Design/Scalability

  Hi,
  I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
  User group 1 -- Apply ACL 1 --On Vlan 1 
  User group 2 -- Apply ACL 2 -- On Vlan 1
  User group 3 -- Apply ACL 3 -- On Vlan 1
  The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
  Any suggestion is appreciated.
  Thanks.

  Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
  The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
  Overall, I see three ways to overcome your current issue:
  1. Shrink the ACLs by making them less specific
  2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
  3. Use SGT/SGA
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE and WLC Timeout Best Practices

  I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
  I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
  Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

  I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.
  Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
  The session timeout on the PEAP settings has not caused any ill affects at it's default. The session resume has taken a huge load off of AAA though. Its worth turning on.

• How to Sync clock on WLC ISE and AD

  Hi there,
  I am stuck in NTP, deployed WLC CWA using ISE that is integrated with AD. I tried using AD as NTP source but no luck(universal fact that Cisco uses NTP where as Microsoft uses SNTP).
  The issue is, if time is not synced between WLC, ISE and AD; web redirection stopped working and no authentication takes place.
  I tried installting Meinbergglobal NTP software to distribute time to my Cisco devices. It does work with Cisco devices but it acts as master and do not sync its own time with AD.
  I am trying to figure out a way to sync Cisco with Microsoft, is there any way in this world to do so???
  Please help..
  Thanks in advance           

  You mean I should sync AD and all my cisco devices with global NTP server?
  Yes and no.  If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
  The smart thing to do is what George has described.  You select a few (between two to four) to go out to the internet to synchronize.  Normally I would nominate our core routers do this.  Next, all our distribution switches and core switches synchronize to our core routers.  All our servers, PCs, printers, WLC, switches  sychronize to our distro switches. 

• WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

  Hi there,
  Is it possibe to use sleeping clients when using ISE and CWA?
  I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
  Or is the only solution to use LWA?

  Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
  And your users will be connected all this time even if they going in sleepmode
  be carefull with CPU loading

• ISE and VLAN assignment

  Hi All,
  Can ISE place a connection into a VLAN based on MAC address? (Both wired and wireless).
  Scenario is as follows:
  •- Users are wired and wireless, distributed around the campus. There are a dozen VLANs, one per closet, that are dedicated to users.
  •- Laptops are bad at least in the mind of the customer. So a laptop (wired or wireless) leaves the campus and returns; possibly with the plague.
  •- For each closet we want to create a “restricted” VLAN for bad laptops; and a “good” VLAN for desktop users.
  •- We have a list of all the laptop MAC addresses; and a list of all the desktop MAC addresses.
  •- Can we see the laptop MAC address logging in; and place that laptop into a relevant “restricted” VLAN, based on location?
  •- Likewise can we see all the other MAC addresses and place the user into a relevant “good” VLAN, based on location?
  Thanks for your comments!
  Andrew

  If you create a rule per location then yes.
  If a rule per location is not suitable then you could use one rule, which dumps them in to a vlan based on the vlan name, but then you obviously need separate vtp domains per location.
  Careful when you dynamically allocate vlans that you may need to change to port bounce for COA to allow DHCP to do its thing, which is a global setting up until version 1.2.
  Version 1.2 also has other flexibilities which might be useful to you (nested rules so I believe you may be able to have one rule with multiple profiles based on location), but I've not played with them too much yet.
  Sent from Cisco Technical Support iPhone App