ISE and WLC SRE module compatibilty matrix

Hi all,
We are running SRE module on router with code of 6.x release .Is there any compatibilty matrix available for ISE and WLC code to support CWA . because as of now , the wireless clients are not redirecting to the ISE login page.
Kindly suggest.
Thanks,
Regards,
Vijay

The doc is for wireless guest using CWA. For wired guest, I don't know since you can do wired guest from a WLC that supports it or from a switch.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • ISE and WLC

    Dear friends,
    We are using ISE and WLC integrity in our network, we have Corporate and Guest SSID, we configured it but client cant connect to this ssid and cant be authenticated, please see attached files and tell me if i done something wrong in configuration of WLC
    10.10.17.201 is ISE
    Thank you for attention

    Hi,
    After viewing the Trap logs it seems you have checked on validate machine.
    On the client side, make sure you don't check validate machine and then try.

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
    Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole messaqge with the correct external URL's:
    In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?)
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an  ACL to redirect only some traffic to kickoff posture checking? This is for both (if ports 8905..are included) then this is for initial redirection, and remediation
    2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support DACL, you will have to reference another ACL in the the authorization policy, the new versions have the Airespace ACL field, where you will have the ACL defined locally on the wlc.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes you have to add two entries, for example for all traffic redirection to ise...source = any, destination=iseipadd, source port=any, destination port=any direction=any action=permit
    source=iseipaddr, destination ip = any, source port=any, destination port=any, direction=any action permit. Its not the easiest but I will attach a screenshot that will show you my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesnt support DACLs so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery) after that the ACL field will come up, there you will "call" the posture ACL which is defined on your controller.
    5)  Any other advice or pointers would be helpful too as no docs i have  found so far, be it TrustSec2, CiscoLive or anything else, dont seem to  help me understand WLC posture and remediation Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.
    You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
    Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
    1. Guests try to connect wifi with SSID Guest
    2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
    The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
    I know it happened when guests didn't have the WLC Login Page Certificate...
    My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
    Thx 4 your answer and sorry for my bad English....

    Thx for your reply Peter, your solution is right,
    i don't choose CWA, because their DNS is not stable...
    i've found the problem...
    the third-party CA is revoked, so there is no way it will success until it fixed...
    and there is no guarantee, they will fix it soon..
    so solution that we choose is by disable "HTTPS" on WLC...
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable"
    thank you all...

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE and WLC 5508 IP and MAc address

    Hi!
    Is it possible that we recibe IP address and Mac address Client at the same time in ISE ?
    The wlc permits choose radius Call station ip type MAC or IP, but not both.
    Thanks you,

    If you are using dot1x then no, the mac address is sent since the client does not receive an ip address till authetication succeeds.
    Sent from Cisco Technical Support Android App

  • Cisco ISE and WLC Timeout Best Practices

    I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
    I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
    Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

    I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.
    Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
    The session timeout on the PEAP settings has not caused any ill affects at it's default. The session resume has taken a huge load off of AAA though. Its worth turning on.

  • ISE and WLC for CWA (Central Web Auth)

    Hello All,
    As we know that WLC (i.e. 5508) does not support MAB (MAC Auth Bypass) and it supports CWA in 7.2.x.
    CWA is a result of successfull MAB. So how CWA work for wireless? So it means WLC support MAB?

    I've been playing around with this and have it working on 7.3.101 on the WLC 5508, however, I don't seem to be receiving the web redirect correctly.  When I look under the client connections on the WLC I see that the URL is received on the WLC from ISE, but it appears to be truncated, unless that's just a limitation of the display.  I see hits on the ACL-WEBAUTH-REDIRECT ACL on the controller, but it doesn't seem to be redirecting.  I have this similar configuration on the wired side of the house and it works fine.  ISE just shows pending webauth, as it should.
    Security Policy Completed      No
    Policy Type        N/A
    Encryption Cipher       None
    EAP Type        N/A
    SNMP NAC State       Access
    Radius NAC State       CENTRAL_WEB_AUTH
    CTS Security Group Tag      Not Applicable
    AAA Override ACL Name      ACL-WEBAUTH-REDIRECT
    AAA Override ACL Applied Status     Yes
    AAA Override Flex ACL      none
    AAA Override Flex ACL Applied Status     Unavailable
    Redirect URL       
    https://.com:8443/guestportal/gateway
    IPV4 ACL Name     none
    IPv4 ACL Applied Status      Unavailable
    IPv6 ACL Name       none
    IPv6 ACL Applied Status     Unavailable

  • Guest WebAuth with ISE and WLC

    I have a couple of issues with this solution:
    a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of mistake configuration?
    b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.
    I think the second issue is in some way related with the first one.
    Thanks in advance
    Daniel Escalante

    I am trying to figure out the protocol sequence:
    1) The PC client gets IP address from the DHCP (anchor WLC in this case)
    2) When the browser is open and a HTML request is send, the WLC intercepts it and redirect to ISE
    3) Before the Guest Authentication Portal is displayed in the browser PC, an untrusted certicate message coming from the ISE should be displayed.
    4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed
    5) The user type in its credentials
    6) the Successful Login message is received with the WLC IP address
    7) the user is able to browse the internet
    The problem appears in steps 3 and 4. The untrusted certificate message is first showed with the WLC Virtual IP address and then with the ISE IP address.
    I think the message with the WLC address should not be sent, only the ISE message.
    In Step 6 the successful login message should indicate the ISE IP address, no the WLC IP Virtual address.
    I will appreciate your assistance to clarify the event sequence and proper functionality
    Thanks in advance.
    Daniel Escalante.

  • ISE and WLC dynamic interface group assignment ?

    I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites.  I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs.  Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
    Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
    TIA

    I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
    This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
    Edit:
    Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

  • Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

    Hello,
    We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
    I have configured ISE and WLC to talk to each other which is working fine. An SSID with MAC-Filtering is also configured on WLC and ACL only allowing ISE and DNS traffice.
    I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    11027
    Detected Host Lookup UseCase (Service-Type = Call Check (10))
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - Internal Endpoints
    24210
    Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
    24216
    The user is not found in the internal users identity store
    24209
    Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
    24211
    Found Endpoint in Internal Endpoints IDStore
    22037
    Authentication Passed
    15036
    Evaluating Authorization Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - Guest Redirection
    15016
    Selected Authorization Profile - Test_Profile
    11002
    Returned RADIUS Access-Accept
    I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
    Can some one please either guide me the correct steps that I need to follow, if I have mis configured something or advise if this is a bug.
    Thanks in advance.
    Jay

    The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thank you for rating helpful posts! 

  • ISE and wireless CWA

    Need some help on this one.
    This is ISE 1.1.1 and WLC 7.2
    I want to use CWA and Webauth for guest users, and I have configured that on the ISE and WLC.
    This is working but I need some clarification :-)
    First I tried to use AuthC policy with
    allowed protocolls= PAP-ASCII + Host lookup
    Result of that was that for Mac OS X an MS PC it's no problem, I get redirected, logon, press yes on the AUP and I can go on surfing the web.
    But on the iOS devices I get redirected to the guest logon page, put in my credentials and insted of the AUP page I get a network error, could not connect.
    If I change AuthC to
    allowed protocolls=  Default Network Access
    All is working fine for all endpoints.
    Im looking at the RADIUS Authentication Details but I dont understand what iPhone/iPad do diffrent?
    An other question here, can I get a redirect after successfull logon instead of 'Please retry your orginal URL request'?
    Thanks!

    I did solv this (sort of) using html redirect on a custom portal, going to the customers web page.
    http://www.cisco.com/">
    It would be nice to have a redirect to the page the user wanted to view prior to login but this is good enough

  • How to Sync clock on WLC ISE and AD

    Hi there,
    I am stuck in NTP, deployed WLC CWA using ISE that is integrated with AD. I tried using AD as NTP source but no luck(universal fact that Cisco uses NTP where as Microsoft uses SNTP).
    The issue is, if time is not synced between WLC, ISE and AD; web redirection stopped working and no authentication takes place.
    I tried installting Meinbergglobal NTP software to distribute time to my Cisco devices. It does work with Cisco devices but it acts as master and do not sync its own time with AD.
    I am trying to figure out a way to sync Cisco with Microsoft, is there any way in this world to do so???
    Please help..
    Thanks in advance           

    You mean I should sync AD and all my cisco devices with global NTP server?
    Yes and no.  If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
    The smart thing to do is what George has described.  You select a few (between two to four) to go out to the internet to synchronize.  Normally I would nominate our core routers do this.  Next, all our distribution switches and core switches synchronize to our core routers.  All our servers, PCs, printers, WLC, switches  sychronize to our distro switches. 

  • WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

    Hi there,
    Is it possibe to use sleeping clients when using ISE and CWA?
    I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
    Or is the only solution to use LWA?

    Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
    And your users will be connected all this time even if they going in sleepmode
    be carefull with CPU loading

Maybe you are looking for