ISE and non-auth Guest

Similar Messages

• ISE and NAC wireless guest networks

  I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest. Are there problems running NAC and ISE on the same controller?
  Sent from Cisco Technical Support iPad App

  Hello,
  For your query regarding ISE and NAC following are my  findings, which might help you in order to solve your query.
  for your first question:-
  ISE is a free software upgrade for customers who have NAC appliance or NAC profiler. This is for both for the base and advance licenses.
  ISE is a 50% software discount for customers who have  NAC guest server. The 50% discount is a migration part for the base license only. The advance features license will not be impacted by this discount.
  for your second question:-
  There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs.

• ISE and non-802.1x devices

  Hi,
  I am looking for some input about how to profile and authorize non-802.1x devices. These devices are mostly barcode scanners connecting wireless with WPA/2. I am not sure how to authenticate them in ISE.
  We have two scenarios.
  1) LAP/WLC with several SSID/VLAN where the devices authenticate with WPA/2.
  2) Autonomous AP with several SSID/VLAN where the devices authenticate with WPA/2.
  There is a posibility to authenticate them on OUI, but I would like to have atleast another condition. Is it possible to use the WPA PSK?
  For the second scenario; is it possible to use autonomus AP and ISE? Barcode scaners need to go to one VLAN and other non802.1x devices to another. My guess is that the config should be somewhat similar to a switch, regarding AAA/RADIUS.
  Have anyone set up ISE with non802.1x devices? What/How did you do?
  Regards
  Philip

  I've quickly tried to authenticate against ISE with Autonomous AP
  No luck, maybe there is a work around but haven't tried as hard or there might not be:
  Failure Reason > Authentication Failure Code Lookup
  Failure Reason :
  11036 The Message-Authenticator RADIUS attribute is invalid
  Generated on:November 14, 2012 11:11:46 AM CST
  Description
  The Message-Authenticator RADIUS attribute is invalid. This maybe because of mismatched Shared Secrets.
  Resolution Steps
  Check whether the Shared Secrets on the AAA Client and ISE Server, match. Ensure that the AAA Client and the network device, have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE, has no hardware problems.

• ISE and Guest Portal

  WLC - 7.2.110.0
  ISE - 1.1.1
  I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
  At that screen, users can enter their Active Directory credentials and login. Although the authentcation shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
  I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

  As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet

• ISE and 802.1x - Retrieve User Cert from AD for Auth without it being in the Personal Store?

  Hello,
  We are implementing 802.1x EAP-TLS wired at the moment with Cisco ISE, and wireless is to come after that, along with our internal PKI.  I set up the PKI, and our network engineer is setting up the ISE.  We currently have it set to first authenticate the computers with a computer certificate (allowing access to AD, among some other things), and then further authenticate the users with user certificates.
  I don't have much knowledge of Cisco ISE, and plan to learn as we go, but I'm wondering:
  Is it possible to authenticate the computer via the computer certificate, getting access to AD, and then have the ISE check AD for the User certificate INSTEAD of the User certificate being in the local Personal store of the client computer?  We have autoenrollment going for user certificates, but it seems to be cumbersome (in thought) that once 802.1x is enabled, a new computer/employee coming on the network has to first go to an unauthenticated port to be able to download the User certificate in the Personal store, before then being able to use an 802.1x port?
  I guess that makes two questions:
  1) Can ISE pull the user cert from AD, without needing it in the local Personal store?
  2) What's the easiest way to handle new computers/users that don't already have the User cert in their local Personal store once 802.1x is enabled?

  1)No
  2)Use EAP-Chaining with EAP-TLS and PEAP
  For this scenario, i would go with Cisco AnyConnect NAM, and then use EAP-Chaining, with EAP-TLS for machine auth, and then PEAP for user authentication. This way you can make sure that both the machine and the user is authenticated, and more importantly, that a user can not get on the network with their user identity only and no machine identity. Using windows own supplicant for this, gives no garantee that the user has logged in from an authenticated machine. The feature that used to be used for this before EAP-Chaining was introduced, is called MAR, and has many problems, making it almost useless in a corporate environment. Security wise, the PEAP-MSCHAPV2 is tunneled in EAP-FAST and does not have the same security issues as regular PEAP.

• WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

  Hi there,
  Is it possibe to use sleeping clients when using ISE and CWA?
  I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
  Or is the only solution to use LWA?

  Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
  And your users will be connected all this time even if they going in sleepmode
  be carefull with CPU loading

• Guest WebAuth with ISE and WLC

  I have a couple of issues with this solution:
  a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of mistake configuration?
  b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.
  I think the second issue is in some way related with the first one.
  Thanks in advance
  Daniel Escalante

  I am trying to figure out the protocol sequence:
  1) The PC client gets IP address from the DHCP (anchor WLC in this case)
  2) When the browser is open and a HTML request is send, the WLC intercepts it and redirect to ISE
  3) Before the Guest Authentication Portal is displayed in the browser PC, an untrusted certicate message coming from the ISE should be displayed.
  4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed
  5) The user type in its credentials
  6) the Successful Login message is received with the WLC IP address
  7) the user is able to browse the internet
  The problem appears in steps 3 and 4. The untrusted certificate message is first showed with the WLC Virtual IP address and then with the ISE IP address.
  I think the message with the WLC address should not be sent, only the ISE message.
  In Step 6 the successful login message should indicate the ISE IP address, no the WLC IP Virtual address.
  I will appreciate your assistance to clarify the event sequence and proper functionality
  Thanks in advance.
  Daniel Escalante.

• CWA using ISE and mobility anchor

  My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
  When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
  When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
  Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
  I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
  When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
  To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

  FOREIGN
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
  *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
  *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID = 255,
  *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
  *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
  *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
  MAC: 00:1e:c2:c0:96:05, source 2
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
    type = Airespace AP Client
    on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
    IPv4 ACL ID = 255, IPv6 ACL ID
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
  *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
  *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
  *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

• Cisco ISE and SecurID Integration Questions

  I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
  We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
  We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
  The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
  My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
  I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
  Thanks!

  The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
  Have you already gone through the below listed link?
  http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• CWA with ISE and 5760

  Hi,
  we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
  I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
  aaa authentication login Webauth_ISE group ISE
  aaa authorization network cwa_macfilter group ISE
  aaa authorization network Webauth_ISE group ISE
  aaa accounting network ISE start-stop group ISE
  aaa server radius dynamic-author
  client 10.232.127.13 server-key 0 blabla
  auth-type any
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 31 send nas-port-detail mac-only
  wlan test4guests 18 test4guests
  aaa-override
  accounting-list ISE
  client vlan 1605
  no exclusionlist
  mac-filtering cwa_macfilter
  mobility anchor
  nac
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security dot1x authentication-list Webauth_ISE
  no shutdown
  wc5# debug aaa coa
  Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
  Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
  Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
  Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
  Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
  Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
  Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
  Feb 27 12:19:08.444: COA: Message Authenticator decode passed
  Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
  Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
  Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
  Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
  Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
  Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
  Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
  Feb 27 12:19:08.444:
  Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
  Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
  Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
  Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
  Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
  Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
  Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
  Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
  Feb 27 12:19:08.444:
  wc5#

  Reason for this are two bugs which prevent this from working:
  https://tools.cisco.com/bugsearch/bug/CSCul83594
  https://tools.cisco.com/bugsearch/bug/CSCun38344
  This is embarrassing because this is a really common scenario. QA anyone?
  So, with ISE and 5760 CWA is not working at this time. 

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• ISE 1.3 Sponsored Guest Portal Login Failure

  Hello Team,
  Ive created a guest account in the sponsor portal for a test guest user, however the state remains in "created" state.
  Now when the user tries to log on via the sponsored guest portal the error back is "invalid username or password".
  In ISE logs it says :
  Overview
  Event
  5418 Guest Authentication Failed
  Username
  bnawaz01 
  Endpoint Id
  Endpoint Profile
  Authorization Result
  Actions
  Troubleshoot Authentication
  View Diagnostic Messages
  Audit Network Device Configuration
  View Network Device Configuration
  View Server Configuration Changes
  -->Authentication Details
  Source Timestamp
  2014-12-24 08:49:05.551
  Received Timestamp
  2014-12-24 08:49:05.553
  Policy Server
  DC1-ISE-DMZ01
  Event
  5418 Guest Authentication Failed
  Failure Reason
  Account is not yet active.
  Resolution
  Root cause
  Username
  bnawaz01
  User Type
  GuestUser
  Endpoint Id
  Endpoint Profile
  IP Address
  Authentication Identity Store
  Guest Users
  Identity Group
  GuestType_Contractor (default)
  Audit Session Id
  Authentication Method
  PAP_ASCII
  Authentication Protocol
  PAP_ASCII
  Service Type
  Network Device
  Device Type
  Location
  NAS IP Address
  NAS Port Id
  NAS Port Type
  Authorization Profile
  Posture Status
  Security Group
  Response Time 
  Any ideas why this might be, if im doing something wrong and how to fix?
  Thank you
  Bilal

  I have had the same issue, the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts wont become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration
  To resolve this create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group
  One other problem is if you do not remove this at initial configuration you don't seem to be able to get rid of UTC, not really an issue unless you forget when creating new sponsor groups

• CoA issues between ISE and 3750x

  We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
  When the radius sends a reauthentication CoA message to the switch, the switch responds with a 'session contect not found' reply. I have upgraded the code to the latest levels on both the ise and switch and still have the same resultts.
  This reauthenticate is needed after the NAC profiler determines the pc is complient. I am receiving the complient message from the pc and switch, but becuase the switch never reauthentices the client after the CoA request, the client is never granted full access.
  I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
  Please Help...!!!!!
  -Debug --
  Log Buffer (10000 bytes):
  Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
  Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
  Feb 28 19:34:21.940 UTC: RADIUS:  authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
  Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
  Feb 28 19:34:21.948 UTC: RADIUS:  Event-Timestamp     [55]  6   1362080061
  Feb 28 19:34:21.948 UTC: RADIUS:  Message-Authenticato[80]  18
  Feb 28 19:34:21.948 UTC: RADIUS:   BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4              [ *c"~]
  Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  41
  Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
  Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  49
  Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
  Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
  Feb 28 19:34:21.948 UTC:  ++++++ CoA Attribute List ++++++
  Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
  Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
  Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
  Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
  Feb 28 19:34:21.948 UTC:
  Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
  Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
  Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
  Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
  Feb 28 19:34:21.957 UTC: RADIUS:  authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
  Feb 28 19:34:21.957 UTC: RADIUS:  Reply-Message       [18]  18
  Feb 28 19:34:21.957 UTC: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
  Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
  Feb 28 19:34:21.957 UTC: RADIUS:  Message-Authenticato[80]  18
  Feb 28 19:34:21.957 UTC: RADIUS:   30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61          [ 0R.TK(1a]
  ESWHQFL02-S#
  ESWHQFL02-S#
  -- Switch Config -
  aaa authentication login default group tacacs+ local-case
  aaa authentication login local_login local
  aaa authentication enable default group tacacs+ enable
  aaa authentication dot1x default group radius
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 5 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa authorization network default group radius
  aaa authorization network auth-list group DOT1X
  aaa accounting dot1x default start-stop group radius
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 5 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa server radius dynamic-author
  client 10.122.1.82 server-key 7 14141B180F0B
  client 10.122.1.80 server-key 7 045802150C2E
  aaa session-id common
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
  radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
  radius-server deadtime 5
  radius-server key 7 030752180500
  radius-server vsa send accounting
  radius-server vsa send authentication

  As per the cisco recommendation IOSv12.2(52)SE is suitable for Catalyst 3750-X which will support all  the features without any issues like  MAB,802.1X,CWA,LWA,COA,VLAN,DACL,SAG as mentioned in the link below:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.
  I see you are using IOSv12.2(58)SE2,which is not recommended.So you can  downgrade to IOSv12.2(52)SE which will solve your issues.

• ISE and wireless CWA

  Need some help on this one.
  This is ISE 1.1.1 and WLC 7.2
  I want to use CWA and Webauth for guest users, and I have configured that on the ISE and WLC.
  This is working but I need some clarification :-)
  First I tried to use AuthC policy with
  allowed protocolls= PAP-ASCII + Host lookup
  Result of that was that for Mac OS X an MS PC it's no problem, I get redirected, logon, press yes on the AUP and I can go on surfing the web.
  But on the iOS devices I get redirected to the guest logon page, put in my credentials and insted of the AUP page I get a network error, could not connect.
  If I change AuthC to
  allowed protocolls=  Default Network Access
  All is working fine for all endpoints.
  Im looking at the RADIUS Authentication Details but I dont understand what iPhone/iPad do diffrent?
  An other question here, can I get a redirect after successfull logon instead of 'Please retry your orginal URL request'?
  Thanks!

  I did solv this (sort of) using html redirect on a custom portal, going to the customers web page.
  http://www.cisco.com/">
  It would be nice to have a redirect to the page the user wanted to view prior to login but this is good enough