ISE & WLC

Quick question:
If I deploy ISE+WLC and the WLC is in HREAP / FlexConnect mode, the access lists do not work. How am I supposed to posture clients at remote locations?
(cuz I was gonna put an ACL to block everything but DNS etc. until they get postured)
Can I change the VLAN per user/device once they hit the AP? I am always talking about remote locations.

Tarik,
First, thanks for your prompt reply. I haven't deployed it yet, but here is what my plans are:
Software version 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called FlexConnect now, HREAP legacy whatever)
No DACL, redirect ACLs defined in the controller, and in ISE I plan to use the AIRSPACE ACL attribute (I've labbed this - but not in FlexConnect) ---> This is all for posturing.
If there is any other way of doing this (having clients denied any access and redirected to the posture URL), that would be great.
Here is a Cisco HREAP/FlexConnect limitation.
Other H REAP Limitations
If you have configured a locally switched WLAN, then Access Control Lists (ACLs) do not work and are not supported. On a centrally switched WLAN, ACLs are supported.
Now, CoA is also a concern - if I have an AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to a different VLAN based on the user/device they are connecting with. I am not sure if this will work in HREAP/FlexConnect mode, and there is a slight change in the wording of the authorization policy attribute in ISE 1.1.x: before it used to be just the VLAN you want to set the clients to, now it has TAG ID, which I am not sure what it is.
Thanks for your help, I hope my question is clear.
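The Tag ID in the ISE VLAN setting mentioned in the post above is the Tag octet that RFC 2868 defines for tunnel attributes, which RFC 3580 uses for dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The following is an added example, not part of the original thread and not Cisco code; the helper names and the sample attribute bytes (user "alice", VLAN 666, tag 1) are constructed for illustration.

```python
# Added example: RFC 2868 tagged tunnel attributes used for VLAN assignment.
# Helper names and the sample bytes are constructed for illustration.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6   # values RFC 3580 specifies for VLAN assignment
MAX_TAG = 0x1F                  # tags 0x01..0x1F group attributes; 0 = untagged


def encode_vlan_attrs(vlan, tag=1):
    """Build the three attributes an Access-Accept carries for one VLAN."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..31")
    group = str(vlan).encode("ascii")
    if not group or len(group) > 252:
        raise ValueError("VLAN ID/name must be 1..252 ASCII bytes")

    def tagged_int(attr, value):
        # Layout: Type, Length (always 6), Tag, 3-octet value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

    # String attribute: the tag octet is only present when the tag is non-zero.
    body = (bytes([tag]) if tag else b"") + group
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body)


def iter_attrs(buf):
    """Yield (type, value) for each RADIUS attribute TLV, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        yield attr, buf[i + 2:i + length]
        i += length


def decode_vlan_attrs(buf):
    """Group tunnel attributes by tag and report the VLAN each tag carries."""
    tunnels = {}
    for attr, val in iter_attrs(buf):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tagged integer attribute must be 6 octets")
            tag = val[0] if val[0] <= MAX_TAG else 0   # out-of-range tag is ignored
            key = "type" if attr == TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[key] = int.from_bytes(val[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if not val:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # A first octet above 0x1F is the first character of the string.
            if 1 <= val[0] <= MAX_TAG:
                tag, group = val[0], val[1:]
            else:
                tag, group = 0, val
            tunnels.setdefault(tag, {})["group"] = group.decode("ascii", "replace")
    report = {}
    for tag, t in tunnels.items():
        # RFC 3580 VLAN assignment uses all three attributes under the same tag.
        complete = (t.get("type") == TYPE_VLAN and t.get("medium") == MEDIUM_802
                    and bool(t.get("group")))
        report[tag] = {"vlan": t.get("group"), "complete": complete}
    return report


# Constructed sample: User-Name "alice" followed by VLAN 666 under tag 1.
SAMPLE_ACCEPT_ATTRS = bytes([1, 7]) + b"alice" + encode_vlan_attrs(666, tag=1)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print(decode_vlan_attrs(SAMPLE_ACCEPT_ATTRS))
```

The tag only groups the three attributes that belong to the same tunnel; the VLAN itself is the ID or name carried in Tunnel-Private-Group-ID.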

Similar Messages

  • ISE, WLC Device Profiling

    Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as a AAA Server. I have setup this configuration so VLAN ID's can be pushed to clients based on their login credentials(from AD), this all works fine. I'd like to take this on a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on their DHCP hostname, should it contain iPhone etc, is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as given the nature of the users connecting the VLAN push based on credentials is key to my possible deployment.
    My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some AP's, it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges, site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLAN's to the Flex Auth WAP's so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
    Thanks for any advice/assistance.
    Kenny.

    Kenny,
    For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
    As far as your 2nd question - the flex auth APs do not support CoA and aren't a "supported network access device" from Cisco's webpage.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC

    Hello everybody,
    I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
    The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
    When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
    The authentication logs show that the posture status changed from non-compliant to compliant but the user doesn't obtain access.
    Here are details :
    Authentication Details
    Source Timestamp: 2015-04-30 18:43:13.179
    Received Timestamp: 2015-04-30 18:43:13.18
    Policy Server: ISE-CISCO
    Event: 5417 Dynamic Authorization failed
    Failure Reason: 11213 No response received from Network Access Device after sending a Dynamic Authorization request
    Resolution: Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
    Root cause: No response received from Network Access Device after sending a Dynamic Authorization request
    Username:
    User Type:
    Endpoint Id: E0:9D:31:07:**:**
    Endpoint Profile:
    IP Address:
    Identity Store:
    Identity Group:
    Audit Session Id: ca0019ac00000003ae674255
    Authentication Method:
    Authentication Protocol:
    Service Type:
    Network Device: WLC-1
    Device Type:
    Location:
    NAS IP Address: 172.25.0.202
    NAS Port Id:
    NAS Port Type:
    Authorization Profile:
    Posture Status: Compliant
    Security Group:
    Response Time: 15002
    Other Attributes
    ConfigVersionId: 4
    RadiusPacketType: CoARequest
    Event-Timestamp: 1430415778
    AcsSessionID: 50149c2f-08fb-4f9d-b1b5-f655e71d039f
    StepLatency: 3=15001
    Device IP Address: 172.25.0.202
    CiscoAVPair: subscriber:command=reauthenticate
    audit-session-id: ca0019ac00000003ae674255
    Session Events
    2015-04-30 18:43:13.18  Dynamic Authorization failed
    2015-04-30 18:41:44.159  Dynamic Authorization failed
    2015-04-30 18:35:42.64  Guest Authentication Passed
    2015-04-30 18:34:39.214  RADIUS Accounting start request

    You can use LWA for this. The WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Service Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning.
    Refer to the following link for a configuration example
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • ISE WLC Integration issues

    We are in the process of integrating ISE into our WLC and are planning on implementing HReap (Flexconnect) local switching.  We have setup the ISE server as a Radius entry in the WLC and added WLC to ISE, same shared secret.  We have a test SSID configured on the WLC and it is using the entry to ISE for AAA.  We have used "none" for layer 2 security as well as WPA.......but we never see any activity on the ISE server.  Also from the WLC if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.
    (Cisco Controller) >show radius auth sta
    Authentication Servers:
    <Output Ommited>
    Server Index..................................... 4
    Server Address................................... IP ADDRESS OF ISE
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Pending Requests................................. 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    We have integrated ISE with switch and ASA and have always been able to get some activity on the ISE authentication monitor.
    Thanks,
    Joe

    Wireless will not do dACLs with or without FlexConnect. In centrally switched networks you can use Named ACLs, which are different than dACLs.
    But you are correct, with FlexConnect (pre-7.5*) you can use FlexConnect ACLs tied to the VLAN. Then you can use ISE to set the VLAN.
    *As of the 7.5 version of code you can now use named ACLs on Locally Switched users, but it is still a named ACL and not a dACL.
    From the release notes
    In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.
    In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
    There are some other limitations when using FlexConnect that you should be aware about.
    This guide will show you how to use Centrally Authenticated with Locally Switched
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
    This document will show you the feature matrix for ISE and FlexConnect
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml
    If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration. If you are not using AD then the issue with the Secure LDAP is probably related to the CA certificate not being installed correctly.

  • ISE, WLC: web auth, blocking user account

    Hello!
    We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
    On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
    Credentials are created at the ISE sponsor portal.
    We create user account in ISE sponsor portal with one hour lease.
    In 10 minutes we delete (or block)  user credentials.
    In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
    This happens because WLC thinks, that client is still associated.
    There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
    From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
    In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
    How can the user account blocking process be automated without manually deleting the client session from the WLC client database?

    It seems that there is some bug about CoA when deleting Guest accounts
    CSCuc82135
    Guests need to be removed from the network on Suspend/Delete/Expiration
    When a guest user is deleted from the system, the RADIUS sessions   associated with that guest user still exists.
    Workaround   Reissue the Change of Authorization using the   session information from Monitoring reports for the sessions associated with   that guest user.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    from BUG Toolkit there is Release-Pending in "Fixed-in" option.

  • ISE - WLC 7.2 VLAN assignment

    Good evening,
    The Wireless_Employees authorization profile assigns VLAN 666 for wireless employees.
    ISE is passing VLAN 666 to the WLC - see attachment Radius Auth-VLAN666.jpg
    When I look on the WLC at a wireless employee who has successfully connected to the network, the WLC is still placing him in the pre-configured VLAN 7.
    1. can VLAN be pushed from ISE to the WLC (code 7.2.103) for specific user session?
    2. if so, any suggestions why it's not working for me.
    Thank you.
    Cath.

    Cath,
    Here is a guide that will help with dynamic vlan assignment on a WLC -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#WLC
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • CWA/ISE/WLC - client timeout when redirected to portal.

    Problem: When connecting to the CWA ssid, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa
    but the link times out.
    I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442
    Any thoughts or suggestions are appreciated.
    Info: ISE 1.1.1 and vWLC 7.3.101.0 is installed on vmware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enable, no layer 3 security. Allow AAA Override enabled. Radius NAC enabled.
    Topology:
    Win7/iPad -  -  - AP----labswitch-----switch-----switch-----VMware
    (Traffic does not pass through FW and there are no ACL on the switches.)
    ACL on WLC:
    Client on WLC

    Hi all.
    According with this behaviour, I have a similar problem with the renewal of the IP address. In a similar scenario (ISE 1.1.2 + vWLC 7.3.101. + CWA + DVLAN assignment), for test purposes I need to use the AP in FlexConnect mode with central control and traffic data, because vWLC does not support APs in local mode.
    Applying WCA in an SSID with a "non-routed" interface and two interfaces for both different profiles. Client passes CWA profile in "non route" subnet when redirected; after a successful web authentication ISE sends to WLC the new attributes including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.
    I use two rules for authentication
    First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)
    Second (this rule is above the first): Guest Traffic; condition "Network access: UseCase EQUALS GuestFlow" then "Guest Permit Access" (which includes new VLAN assignment in function of the role based - new ACL assignment - Termination-Action=0)
    WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)
    Could it be possible that this bug is hitting me?
    Is there any RADIUS attribute to force a DHCP IP process for these devices?
    Thanks in advance.
    Best Regards.

  • ISE WLC Port bounce with NAC

    I'm having trouble renewing the IP address after a VLAN change after the NAC Agent finishes its posture. The flow is as follows:
    1. Wireless client accesses the network, it is 802.1x
    2. NAC Agent successfully validates posture and CoA is issued
    3. I see the new VLAN for that client on the WLC, however my captures indicate that no DHCP renewal is issued from the PC to the DHCP server
    This is not guest access so the option to renew the VLAN DHCP is not a feasible one
    Any comments will be gladly received.
    Thanks!

    Hello,
    I went through your query and for the same I have found the link below which may help in solving it:-
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html

  • ISE WLC 4400 configuration

    Up until now, my experience has been with 5500 controllers and ISE.
    My customer is using 4400 controller, on 7.0.240 code.
    I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...
    Does anyone know of any documents, or have experience that can assist with this configuration?

    Michael,
    Depending on the version of ISE software you are running, you may be in luck.  The information below is for 1.1.x.  If you are using v 1.2, you may have to tweak a bit.
    In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat:  “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”
    http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
    Of course, with an IPN, your posturing  (and CoA) is handled here.
    DACLs are also supported on the WLC 4400.
    Per User ACLs are covered in the following document:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml
    I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.
    Please feel free to ask any additional or follow-up questions.
    Also, please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.
    Charles Moreton

  • ISE WLC DACL Flex

    ISE 1.2 Patch 2
    VWLC 7.4.100.0
    Specifically flex connect APs
    We have successfully built the first self registration MAB'ed Z policy which authorizes all MACs to hit the CWA and a redirect. With Flex you must have an IPV4 and a Flex ACL on the controller that is referenced in the Z result policy. We have this in and it is working to here. Upon completion of the Guest Portal signup, we also reauth, which then combs the Zs for the Guest flow, which is being hit and resulting in a Guest Z Result. Our dilemma is that upon the successful secondary Z, the client will receive the successful completion and the logs also show the successful Z and Z result, but the client cannot go anywhere and soon reauths. On the controller, the client has the Guest IPV4 ACL. Our big question: is the client supposed to have a cloned FlexConnect ACL also applied, and if so, how do I tweak the Z result to do so, as all of the documentation references that I could find are for the redirect only, and that is for a bug workaround until we're on 7.5.
    Again, specifically flex APs

    Ben,
    Look at this doc. It appears you need to be on 7.5 for per user radius acl's to work on Flexconnect.
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml

  • ISE 1.2 With WLC and AD

    Hi everyone,
    What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done.
    The wireless network is configured with 2 SSID (Staff and Guest) 
    Active Directory, DNS, DHCP, and  NTP configured & synced.
    ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
    Please provide your thoughts and assistance.
    Regards

    You have to implement dot1x and radius between your NAD and ISE device.
    Using the 3850 switch, these are the steps:
    username RADIUS-HEALTH password radiusKey1 privilege 15
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    !this password will be used to communicate with ISE and to verify reachability
    !between ISE and Switch
    aaa server radius dynamic-author
     client 172.16.1.18 server-key 7 radiuskey
     client 172.16.1.20 server-key 7 radiuskey
    ip domain-name lab.local
    ip name-server 172.16.1.1
    dot1x system-auth-control
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 50
     switchport access vlan 10
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip access-list extended ACL-ALLOW
     permit ip any any
    !the comm between radius and ise will occur on these Port
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    snmp-server community ciscoro RO
    snmp-server community public RO
    snmp-server trap-source Vlan100
    snmp-server source-interface informs Vlan100
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 10 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    !defining ISE servers
    radius server ISE-RADIUS-1
     address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
     automate-tester username RADIUS-HEALTH idle-time 15
     key radiusKey
    Please be sure that NTP servers and time are synchronized.
    Enable dot1x on the Windows machine, or use Cisco NAM.
    You can enable debugging on aaa authentication to see the events.
    You have to create this user on ISE (RADIUS-HEALTH).
    3850#test aaa group radius username password new-code
    and observe the result. You are supposed to have the user authenticated successfully.
    You must also define these devices in ISE on the RADIUS interface.
    ip radius source-interface ..... use this interface IP address to define the IP address of the NAD device in ISE.
    administration-->network resources -->Network Devices-->Add
    input the name
    input the IP address for RADIUS communication
    select the authentication settings and fill in the corresponding shared secret RADIUS key
    select SNMP settings and select version 2c.
    snmp community : ciscoro
    You can customize the polling interval if you want, and that's all.
    You are supposed to receive message communication between your NAD and ISE.
    Afterwards you can do the procedure for the WLC device.
    I will fill it in after you have passed the first steps (3850 authentication).

  • Automatic Cisco AP registration on Cisco ISE

    We are testing a scenario where using MAC address of Cisco AP as username / password on Cisco ISE  given for Automatic AP authentication. Need suggestion how to configure ISE & WLC to achieve the result

    Please check the below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • ISE Guest Account Lockout

    Hi,
    I would like to disable account lockout for ISE Guest accounts resulting from login failures. In the ISE, there is a setting for Maximum Number of Login Attempts (with values from 1-9) in:
            Administration>Guest Management>Settings>Guest>Portal Policy
    Can someone tell me where or how account lockout can be turned off  for Guest accounts in the local database of the ISE/WLC.
    Many thanks.
    Sankung                 

    Answer: No, there is not yet a way to completely disable this feature in Cisco ISE.
    ref: http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html#wp1070066

  • ISE - DHCP SPAN and DHCP Profiling

    Hi everyone,
    We're embarking on an evaluation of ISE and trying to clarify my thoughts around the DHCP based profiling probes.
    If we are using DHCP SPAN and have all DHCP traffic mirrored to ISE, should we still use IP helpers and the DHCP probe?
    I would expect if we're using DHCP SPAN and mirroring all the traffic then using the DHCP probe with IP helpers on floor switches is a little redundant.
    Thanks,
    Mark

    Hi,
    Just to add from my experience;
    I am deploying ISE for the first time, I have around 100 sites ( I only use ISE+WLC 7.3, NO WIRED).
    It's good to forward all dhcp request to ISE with IP-HELPERS before deploying.
    This is what I did with one of my sites and I had no problem when they switched over, as 90% of devices were already profiled using the DHCP probe.
    Hope to help.
    P.S. Note that WLC 7.3 does send the first HTTP packet to ISE, but only if you opened up Safari first after authentication. If you opened any other application that uses the HTTP protocol it will send weird strings to ISE, i.e. VIBER and so on.
    Look around, I've posted a thread about it

  • Corporate laptop and mobile device access

    Hello All,
    I have ISE, WLC and Cisco APs.
    I have a WLAN which provides access to corporate laptops (EAP-TLS). Now there is a requirement to provide access to corporate mobile devices (Windows, Android, Apple).
    Question:
    What kind of solution can I implement so that if a corporate mobile device connects to the WLAN then ISE passes it in the direction of the Internet, and all other external mobile devices must not get access?
    Thanks

    Hello ,
    You can refer to this design for white-listing/on-boarding corporate devices. You can ignore the Security Tags from the authorization rules, just use access-accept/deny access
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Limited_Use_Case.pdf
