ISE CWA Wireless FQDN resolution

I can't get my head round how the URL redirect works based on resolving the name in the certificate.
Going off my basic diagram I have an ISE (10.1.1.100) with an identity certificate of CN=ise.company.local.  According to Cisco documentation and some of the Cisco Live 2014 guidelines, it suggests using SAN fields and having the alternative names in there.  So I can have SAN=ise.company.local, ise.company.co.uk, guest.company.co.uk and even 10.1.1.100.
However recent articles about how public CAs will issue certificates state that they will no longer support SANs with private IP addresses or internal domain names.
So if a wireless guest user tries to connect to the Internet (www.google.co.uk), DNS resolution to a public DNS is done, then the browser tries an HTTP GET to x.x.x.x of Google, then ISE redirects to either FQDN or IP address.  If it's the FQDN and the name is ise.company.local, the client will have to use DNS to resolve that name, which it can't as it's using public DNS.  If it's the internal IP, then certificates being issued now will not allow that, so the secure connection warning will appear.
If it's a public FQDN - how does the client traffic get routed appropriately?  What I mean is, for example, if we had guest.company.co.uk within a SAN of a public cert, then surely we need to have a public address that resolves to that name?  If it's a public address, then when the client uses DNS to resolve guest.company.co.uk and gets back 86.1.1.1 (for example), the client will try to contact that address.  That address doesn't exist internally, so the traffic will be forwarded out the firewall to the Internet.
I can't quite understand this crucial bit of the redirect.  Can anyone enlighten me please?

Hi,
Typically you would set up what is known as split DNS on your internal DNS servers.
For example, your internal domain DNS zone is ise.company.local, but you own the company.com external domain. You would create a forward lookup zone in Active Directory that matches the hostname for the ISE nodes/alias exactly - so create a zone called "ise.company.com" or "guest.company.com" and then create a new host (A) record, with the hostname blank, and put in the internal IP address of your ISE nodes. Then, configure your wireless clients to use your internal DNS servers to resolve domain names and it will all work nicely.
Make sense?
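The three failure cases raised in the question, next to the split-DNS case from the answer, as an added example that is not part of the original thread. The SAN list and both DNS views are constructed from the names and addresses used in the question; `check_redirect` and its finding labels are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data, built from the names/addresses in the question.
PUBLIC_CA_SANS = ["guest.company.co.uk"]              # no .local name, no private IP
PUBLIC_DNS = {"guest.company.co.uk": "86.1.1.1"}      # what a public resolver answers
SPLIT_DNS = {"guest.company.co.uk": "10.1.1.100"}     # internal zone served to guests


def san_covers(host, sans):
    """True if host matches a SAN entry (exact name/IP, or one-label wildcard)."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            # A wildcard covers exactly one label: *.a.b matches x.a.b only.
            head, _, tail = host.partition(".")
            if head and tail == san[2:]:
                return True
    return False


def check_redirect(url, sans, dns_view):
    """Return the reasons a guest browser would fail to reach the portal cleanly."""
    host = urlsplit(url).hostname
    findings = []
    if not san_covers(host, sans):
        findings.append("cert-name-mismatch")        # browser shows a warning
    try:
        addr = ipaddress.ip_address(host)             # redirect used a literal IP
    except ValueError:
        answer = dns_view.get(host)
        if answer is None:
            findings.append("name-not-resolvable")    # e.g. .local via public DNS
            return findings
        addr = ipaddress.ip_address(answer)
    if not addr.is_private:
        findings.append("leaves-via-firewall")        # routed out to the Internet
    return findings


def portal(host):
    # Redirect URL in the form ISE hands to the client (placeholder session id).
    return f"https://{host}:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa"


if __name__ == "__main__":
    cases = [
        ("ise.company.local", PUBLIC_DNS),
        ("10.1.1.100", PUBLIC_DNS),
        ("guest.company.co.uk", PUBLIC_DNS),
        ("guest.company.co.uk", SPLIT_DNS),
    ]
    for host, view in cases:
        print(host, check_redirect(portal(host), PUBLIC_CA_SANS, view))
```
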

Similar Messages

  • ISE CWA Time Profiles

    Hi
    Trying to make ISE CWA with WLC2500 work according to guest time profiles.
    - When suspending guest users in ISE, they can still connect and it seems that there is no communication between WLC and ISE (I suspect that ISE will communicate to WLC regarding this)
    - Then creating a guest user with "OnlyFirstLogin".... the user is still connected after shutdown/restart..
    I'm aware of the WLC timeout settings, but not sure if they are in play with CWA
    Anyone who knows about these time profiles in ISE with regard to WLC?
    Thx
    Kasper

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • ISE 1.2 Redirect using CWA Wireless

    Once a wireless user is authenticated to a WLAN using CWA and ISE, what are the parameters that can cause the user to be deauthenticated and redirected to the web portal?  The session timeout and user idle timeout in this scenario are set to 24 hours.  What else could cause the user to be redirected to the portal?

    It's a wireless controller bug.  You will have to get an engineering build from Cisco to resolve.
    CSCul43158
    Description
    Symptom:Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client - example:
    *apfReceiveTask: Nov 07 14:27:32.113: 00:11:33:d2:ef:0c 192.168.25.165 RUN (20) Unknown Policy timeout
    *apfReceiveTask: Nov 07 14:27:32.113: 00:11:33:d2:ef:0c 192.168.25.165 RUN (20) Pem timed out, Try to delete client in 10 secs.
    Conditions:Clients using Central Web Authentication (CWA).
    Workaround:none

  • ISE and wireless CWA

    Need some help on this one.
    This is ISE 1.1.1 and WLC 7.2
    I want to use CWA and Webauth for guest users, and I have configured that on the ISE and WLC.
    This is working but I need some clarification :-)
    First I tried to use AuthC policy with
    allowed protocols = PAP-ASCII + Host lookup
    Result of that was that for Mac OS X and MS PC it's no problem, I get redirected, log on, press yes on the AUP and I can go on surfing the web.
    But on the iOS devices I get redirected to the guest logon page, put in my credentials and instead of the AUP page I get a network error, could not connect.
    If I change AuthC to
    allowed protocols = Default Network Access
    All is working fine for all endpoints.
    I'm looking at the RADIUS Authentication Details but I don't understand what iPhone/iPad do differently?
    Another question here, can I get a redirect after successful logon instead of 'Please retry your orginal URL request'?
    Thanks!

    I did solve this (sort of) using HTML redirect on a custom portal, going to the customer's web page.
    http://www.cisco.com/">
    It would be nice to have a redirect to the page the user wanted to view prior to login but this is good enough

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • [ISE + CWA] Redundant Guestportal

    Hello Community,
    I am trying to configure redundant guest access with 2 ISE and 2 guest anchors. ISE Management and the sponsor portal are connected to eth0 (gig0) with hostname ise1.mydomain.com (ise2.mydomain.com for 2nd ISE). Eth0 is reachable from the company network. The web authentication, where guests must enter their login credentials, is only reachable via eth1 (gig1) with hostname ise1-pub.mydomain.com (ise2-pub.mydomain.com for 2nd ISE).
    The main problem is that ISE always redirects to ise1.mydomain.com, which is on eth0 and therefore not reachable for wireless guests. I can configure a static hostname for redirection (which is cluster wide), but then I have no redundancy (there is no balancer reachable). So ISE must choose the correct hostname for the redirection URL depending on the ISE that authenticates the guest.
    I tried to define an alias for both ISE on CLI:
    ip host 10.1.1.1 ise1-pub ise1-pub.mydomain.com on primary ISE and
    ip host 10.1.1.2 ise2-pub ise2-pub.mydomain.com on secondary ISE
    and deleted the static ip/host entry in my authorization profile. But ISE always redirects to ise1.mydomain.com (or ise2.mydomain.com). My understanding was, that if I configure an alias, ISE will redirect to the alias IP. 
    Any hints?
    ISE is version 1.2.1 Patch 4
    Guest Anchors are 5760 with 3.6.1

    Instead of having just one authz rule for the cwa redirect as normal, you can create one for each of the servers (still configured on the primary of course).
    What you do is create one rule where your authz profile has the static host redirect set to ise1-pub.mydomain.com and the condition : server : ise1
    Then create a copy of that rule, where you redirect to ise2-pub.mydomain.com, and use the condition server : ise2
    This will redirect to different names, depending on which of the ise servers the radius request was received by.
    I attached a screenshot of the rules.

  • ISE CWA FLEXCONNECT - No url redirect

    Hi,
    I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
    Unfortunately I'm running into problems.
    The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface. 
    Vlan 2 is a guest network terminating on a separate interface in the ASA.
    The problem that I'm facing is that the url-redirect from the ISE doesn't work. If I check the client summary on the vWLC I can see that the client gets the redirect FlexConnect ACL applied and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just doesn't get the redirect. I've tried with multiple devices (Windows, iOS, Android) and it's all the same.
    I've followed the following guides:
    http://www.drchaos.com/flexconnect-local-switching-guestbyod/
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
    Currently I'm at work but I can provide some debug output later.
    Has anyone seen this behavior before?

    It is possible that you are hitting the following bug:
    https://tools.cisco.com/bugsearch/bug/CSCue68065
    One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
    1. Create a standard ACL on the controller that is named exactly as the FlexConnect ACLs
    2. The standard ACL does not have to have any ACE in it
    I have run into this issue before and the above workaround has worked for me. The issue was supposed to be addressed in version 8.x of the WLC but I think it is still worth giving it a try.
    Thank you for rating helpful posts!

  • ISE CWA redirect redundancy

    Hi
    If in a CWA authorization profile the IP address option is used for the redirection, how will this impact redundancy? For instance, in my implementation with 2 ISE appliances, on the Primary Admin Node the CWA profile is configured with an IP address of x.x.x.110, which is the address of the Primary ISE appliance. When the primary appliance fails, how will the secondary appliance handle the above, because the x.x.x.110 IP address will then be unavailable and the new IP should be x.x.x.109....?

    If you check that box and set an IP address manually then all CWA requests will go to that IP/Host Name. If you want to have redundancy then you should leave that box unchecked. Doing that will allow ISE to use the FQDN of the Radius server that is currently serving that SSID. 
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE CWA redirection problem for Apple devices

    Hi,
    I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
    I have noticed that redirection to the ISE portal doesn't work for Apple devices (iOS 7 and later). All other devices like laptops, Androids etc. work fine.
    It seems that the workaround on the WLC that bypasses the CNA on iDevices doesn't work in my case. The device tries to open the ISE portal and shows just a blank page (attached photo)
    The problem doesn't appear for devices with iOS 6 but only for newer versions.
    I've also tried with version 8.0 on WLC without success.
    Any advice?
    Regards. 

    Captive portal/wispr support for apple ios7
    CSCuj18674
    Description
    Symptom:
    When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
    Conditions:
    The Apple device is running Apple iOS 7.
    Workaround:
    In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
    IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.

  • Cisco ISE - CWA AD Authentication

    Hello,
    I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
    Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

    Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices. 
    For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If you don't use policy sets, then you should create one authorization rule for Guest_Wired and one for Guest_Wireless.
    For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
    For the Guest_Wireless, you will need to return "access_accept" and then an "Airespace ACL Name". That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive!
    Both the DACL and the "Airespace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
    1. Permit DNS - Needed for DNS resolution
    2. Permit access to ISE - Needed for the guest pages to properly load
    3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
    4. Permit everything else - Needed for general internet browsing
    I hope this helps!
    Thank you for rating helpful posts!
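The four-rule guest ACL from the answer above, modelled as a first-match evaluator to show why the order matters when ISE itself sits on a private address. This is an added example, not code from the thread; the ISE address, the portal port 8443 (taken from the portal URLs on this page) and the sample flows are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

ISE_PSN = "10.1.1.100"   # assumed ISE address (constructed)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" (any protocol)
    dst: str                     # destination network in CIDR form
    port: Optional[int] = None   # None means any port


def matches(rule, proto, dst, port):
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.port is None or rule.port == port


def evaluate(acl, proto, dst, port):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, proto, dst, port):
            return rule.action
    return "deny"


PERMIT_DNS = Rule("permit", "udp", "0.0.0.0/0", 53)
PERMIT_ISE = Rule("permit", "tcp", ISE_PSN + "/32", 8443)
DENY_PRIVATE = [Rule("deny", "ip", net) for net in RFC1918]
PERMIT_REST = Rule("permit", "ip", "0.0.0.0/0")

# Order given in the answer: DNS, ISE, deny RFC 1918, permit everything else.
GUEST_ACL = [PERMIT_DNS, PERMIT_ISE, *DENY_PRIVATE, PERMIT_REST]

# Same rules with the RFC 1918 deny moved above the ISE permit.
MISORDERED_ACL = [PERMIT_DNS, *DENY_PRIVATE, PERMIT_ISE, PERMIT_REST]

# Constructed sample flows: (label, protocol, destination, port).
FLOWS = [
    ("DNS to internal resolver", "udp", "10.1.1.53", 53),
    ("guest portal on ISE", "tcp", ISE_PSN, 8443),
    ("SMB to internal host", "tcp", "10.1.1.20", 445),
    ("HTTPS to the Internet", "tcp", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for label, proto, dst, port in FLOWS:
        print(f"{label:26} ordered={evaluate(GUEST_ACL, proto, dst, port):6} "
              f"misordered={evaluate(MISORDERED_ACL, proto, dst, port)}")
```
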

  • ISE CWA with COA not work on 3750X.

    Hello.
    I use ISE version 1.2.0.899 with patch number 4. I configured Central Web Auth for a wired client.  The first time, the client opens a web browser and ISE redirects him to the guest portal. The user inputs correct credentials, and after that the switch ignores the CoA packet. In the ISE logs: "5417 Dynamic Authorization failed". If I use a domain computer, authentication is successful using dot1x.  All on port g1/0/1. I use a 3750X with IOS versions 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of these IOS versions I have this error.
    Config:
    3750X-ISE# sh running-config
    Building configuration...
    Current configuration : 9575 bytes
    !
    ! No configuration change since last restart
    ! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 3750X-ISE
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    username admin privilege 15 secret 5 ----
    username radius-test secret 5 -----
    aaa new-model
    !
    !
    aaa group server radius end
    !
    aaa group server radius ise
     server name ise3
     server name ise4
    !
    aaa authentication login default local
    aaa authentication login CON none
    aaa authentication enable default none
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization network ise group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    !
    !
    !
    aaa server radius dynamic-author
     client 192.168.102.53 server-key P@ssw0rd
     client 192.168.102.54 server-key P@ssw0rd
     client 192.168.102.51 server-key P@ssw0rd
     client 192.168.102.52 server-key P@ssw0rd
     server-key P@ssw0rd
    !
    aaa session-id common
    clock timezone GMT 0 0
    switch 1 provision ws-c3750x-24p
    system mtu routing 1500
    ip routing
    !
    !
    ip dhcp snooping vlan 701-710
    ip dhcp snooping
    ip domain-name com.ru
    ip device tracking
    vtp mode transparent
    !
    !
    device-sensor filter-list dhcp list DHCP-LIST
     option name host-name
     option name default-tcp-ttl
     option name requested-address
     option name parameter-request-list
     option name class-identifier
     option name client-identifier
     option name client-fqdn
    !
    device-sensor filter-list cdp list CDP-LIST
     tlv name device-name
     tlv name address-type
     tlv name version-type
     tlv name platform-type
     tlv name power-type
     tlv name external-port-id-type
    device-sensor filter-spec dhcp include list DHCP-LIST
    device-sensor filter-spec cdp include list CDP-LIST
    device-sensor accounting
    device-sensor notify all-changes
    !
    license boot level ipservices
    !
    !
    !
    dot1x system-auth-control
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    !
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    !
    vlan 102
    !
    vlan 701
     name ISE-network1
    !
    !
    lldp run
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no macro auto monitor
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 701
     switchport mode access
     switchport nonegotiate
     authentication event fail action next-method
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     spanning-tree portfast
    !
    interface Vlan102
     ip address 192.168.102.60 255.255.255.0
    !
    interface Vlan701
     ip address 192.168.107.1 255.255.255.240
     ip helper-address 192.168.102.50
     ip helper-address 192.168.102.53
    !
    ip http server
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 192.168.102.1
    !
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny   udp any any eq domain
     deny   tcp any host 192.168.102.51
     deny   tcp any host 192.168.102.52
     deny   tcp any host 192.168.102.53
     deny   tcp any host 192.168.102.54
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    !
    !
    snmp-server community test RO
    snmp-server community test2 RW
    snmp-server trap-source Vlan102
    snmp-server source-interface informs Vlan102
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 192.168.102.53 version 2c test2
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.102.53 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 key P@ssw0rd
    radius-server host 192.168.102.53 pac key P@ssw0rd
    radius-server key P@ssw0rd
    !
    !
    !
    line con 0
     login authentication CON
    line vty 0 4
     exec-timeout 60 0
    line vty 5 15
     exec-timeout 60 0
    !
    ntp master 5
    ntp server 198.123.30.132 prefer
    mac address-table notification change
    mac address-table notification mac-move
    end
    Please, help me.

    Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
    • debug radius
    • debug aaa coa
    • debug aaa pod
    • debug aaa subsys
    • debug cmdhd [detail | error | events]
    • show aaa attributes protocol radius

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or Guest access with ISE. I have set up a guest portal to do CWA and use ISE guest portal as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101
    1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
    This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
    As far as certs if you are using mobile devices you may want to consider 3rd party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • ISE - CWA Redirection

    HI
    I am trying to implement a guest portal and I have configured the ISE and switch to redirect guests, and I see the whole process goes well when I issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    My problem is that the web browser does NOT redirect automatically to the portal, but it does work manually when I copy the URL from the switch. Any idea?
    switch configuration
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.20.13 server-key myshared
    client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
    ip access-group ACL-WEBAUTH-REDIRECT in
    ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
    switchport mode access
    switchport voice vlan 93
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 777
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan1
    no ip address
    shutdown
    interface Vlan80
    ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
    remark explicitly prevent DNS from being redirected to address a bug
    deny   udp any any eq domain
    remark redirect HTTP traffic only
    permit tcp any any eq www
    remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host 10.10.20.13
    deny   ip any host 10.10.20.14
    deny   ip any host 192.168.10.43
    deny   ip any host 192.168.10.40
    deny   ip any host 192.168.10.41
    deny   ip any host 192.168.10.42
    remark explicitly prevent DNS from being redirected to accommodate certain switches
    deny   udp any any eq domain
    remark redirect all applicable traffic to the ISE Server
    permit tcp any any eq www
    permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
    CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
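One way to run the check suggested in the reply above against `show authentication session` output, as an added example that is not part of the original thread. The sample is an excerpt of the output posted in the question; the function names and finding labels are hypothetical, and the expected port and path come from the CWA URL format quoted in the reply.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Excerpt of the switch output posted in the question above.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/11
          MAC Address:  1078.d2fc.698c
               Status:  Authz Success
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
    Common Session ID:  0A0A6518000000010006F2B5
Runnable methods list:
       Method   State
       mab      Authc Success
"""


def parse_session(text):
    """Collect the 'Key:  value' lines; lines without a value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def validate_redirect(fields, expected_action="cwa", expected_port=8443):
    """Compare the pushed URL with the format quoted in the reply."""
    url = fields.get("URL Redirect")
    if not url:
        return ["no-url-redirect"]
    problems = []
    if "URL Redirect ACL" not in fields:
        problems.append("missing-redirect-acl")
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.scheme != "https" or parts.port != expected_port:
        problems.append("unexpected-scheme-or-port")
    if parts.path != "/guestportal/gateway":
        problems.append("unexpected-path")
    if query.get("action") != [expected_action]:
        problems.append("unexpected-action")
    # The sessionId in the URL has to be the session the switch is tracking.
    if query.get("sessionId") != [fields.get("Common Session ID")]:
        problems.append("session-id-mismatch")
    return problems


def redirect_host(fields):
    """Host the client must resolve and reach (lower-cased by urlsplit)."""
    return urlsplit(fields.get("URL Redirect", "")).hostname


if __name__ == "__main__":
    session = parse_session(SAMPLE)
    print("portal host:", redirect_host(session))
    print("problems:", validate_redirect(session) or "none")
```
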

  • ISE and Wireless compatibility

    We are in the process of preparing to upgrade our Wireless Controllers from 7.2.110 to 7.6.130. When I check the ISE compatibility matrix, it does not specifically list 7.6 WLC code as supported on ISE 1.1.4 or ISE 1.2. I assume it is, given 7.5 is listed as supported in the 1.2 matrix. Can you verify that 7.6.130 WLC code is supported in ISE 1.1.4 AND ISE 1.2.1?

    Yes, it is. I have done several ISE deployments with WLCs running 7.6. With that being said, stay away from 7.5. It is not a good code and it is full of issues. 
    Thank you for rating helpful posts!

  • Inline Posture between Cisco ISE and Wireless LAN Controller

    Hi,
    I was looking into Cisco ISE solution for deploying NAC.
    I have a question about the network topology.
    In  the user guide documents of cisco ISE, it is written that for Wireless  LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
    However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
    https://supportforums.cisco.com/docs/DOC-18121
    I  want to know if Inline Posture is a requirement, if not a  requirement, what are the benefits of having it between Cisco ISE Server  and WLC.
    Thanks & Regards
    Sinan

    Hello,
    Please go through below mentioned links which might be helpful for you.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
    Best Regards,
