WLC 5500 and ISE

Hello,
I am going to deploy Cisco ISE with a WLC 5500. I have two kinds of users: one for which I want to deploy just an open-access Wi-Fi network, without involving Cisco ISE, and a second group of users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both groups I have just one WLC. Is there any problem with just deploying two SSIDs, one for open access (without Cisco ISE) and a second, secure one with Cisco ISE?

Thank you for helping.
I have read your proposed document, but didn't understand the details beyond the SNMP probes.
The reason I don't want to enable ISE authentication, profiling and posture for guests is that I don't have enough licenses for all guests. I am planning to create a separate SSID for guests which will have just open "authentication" without any key or ISE. In this case, why would ISE profile guest users? It won't even be associated with this WLAN profile.

Similar Messages

  • CWA with WLC Firmware 7.0.228 and ISE 1.1.1

    Hi,
    Does Cisco ISE central web authentication work on WLC version 7.0.228?
    My customer has many access points which support only firmware code 7.0.228.
    Cisco ISE version 1.1.1
    WLC 5500 Series, but the existing access points cannot support 7.3.
    Thanks,
    Pongsatorn Maneesud

    Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of the ISE features supported on the 7.0 and 7.2 versions of code:

    Scenario                  WLC 7.0            WLC 7.2
    802.1X Auth               Yes                Yes
    802.1X + Posture          Yes                Yes
    802.1X + Profiling        Yes                Yes
    Web Auth + Posture        No *               Yes
    Web Auth + Profiling      Inventory only *   Yes
    Central Web Auth (CWA)    No *               Yes
    Local Web Auth (LWA)      Yes                Yes

  • WLC and ISE

    Hello,
    I need to know what features I will lose for the wireless users if I do not use a WLC deployment (using autonomous APs), given that I'm using the latest code, ISE 1.1.1.
    Also, in the case of no WLC, can I use an Inline Posture node, or do I have to use a WLC in this case?
    Thanks.

    So I understand from that that CoA is supported on the Cisco switch and it provides this to the wired client, while this is not supported on the AP (although it is connected after that to a switch) and we will need a WLC or Inline Posture, but I believe that the Inline Posture will be added after the switch so the setup will be AP-----Switch---Inline Posture---Core and ISE, so why can the Inline Posture provide the CoA to the wireless clients while the switch can't do that?
    Note: I assumed a lot of facts in the above statement, so please correct me if any is wrong.
    Fact 1: CoA is supported on the Cisco switch and it provides this to the wired client.
    Fact 2: but I believe that the Inline Posture will be added after the switch so the setup will be AP-----Switch---Inline Posture---Core and ISE.
    Also, assuming that CoA is not supported, and as I know it is important for posture and profiling, can we use normal AAA authentication and guest lifecycle management with ISE and without a WLC or Inline Posture?
    Thanks 

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to set up controller failover. The WLC 4400 is EOS/EOL and the replacement available is the WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if either controller fails, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400s and 5500s in a redundant configuration, but both should be running the
    same code version. I believe the latest version that is compatible with both is 7.0.220.0;
    this is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • Can we create Mobility group between WISM2 and WLC 5500

    Dears,
    I need your feedback urgently, please.
    Can we create a Mobility Group between WiSM2 and WLC 5500?
    Firmware for WiSM2 > 7.4.121.0
    Firmware for WLC 5500 > 6.0.196.0
    I created a Mobility Group with (IP address, MAC address and mobility group name) for the foreign controller. Is any configuration required from my side?
    Awaiting your feedback urgently, please.
    Regards,

    Hi,
    Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
    That's enough :)
    Regards
    Don't forget to rate helpful posts.

  • Preventive maintenance WLC 4400 and 5500?

    Hi good morning,
    I am asking for help in order to perform preventive maintenance on WLC 4000 and 5500.
    The main problem is: can I open the WLCs and clean all the circuits they have inside, or must I only clean the outside of the WLC?
    And I would like to know if there is documentation about this topic.
    thanks.

    thanks
    I thought of opening the WLC and using compressed air to remove dust only.
    But as you mention, it would be better not to open it.
    Greetings

  • Best practices for network design on WLC 2504 and 5508

    Dear all:
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Maximum number of APs per port
    The scenario when to use all ports on both WLCs
    Maximum number of clients (users) per port
    Bandwidth consumption of management vs data, in order to assign one port for management
    I've just found this:
    Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
    Thanks for your help.

    The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
    This is an old document. The 5508 can now support up to 500 APs if you run firmware 7.X. The 2504 can support up to 75 APs if you run firmware 7.4.X.
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Best practice and recommendation is to LAG all ports so you will have link redundancy. If one link goes down, you have another link to push traffic.

  • WPA2 Auth on WLC 5760 using ISE 1.2

    Hello there,
    I am trying to configure WPA2 802.1X authentication on my WLC, which should use ISE as the RADIUS server, set to authenticate AD users.
    The issue is that when I try to connect to the SSID, it does not forward the authentication request to ISE. Therefore, I don't see any authentication request on ISE coming from the client.
    I am using the following cli config for the SSID.
    wlan TESTSTAFF 70 TESTSTAFF
     aaa-override
     client vlan Floor_WL
     security dot1x authentication-list WPA-Auth
     session-timeout 1800
     no shutdown
    aaa authentication dot1x WPA-Auth group ISE_Group
    aaa group server radius ISE_Group
     server name ISE
    radius server ISE
     address ipv4 <ise_ip> auth-port 1812 acct-port 1813
     key <key>
    On ISE, I have added the WLC as network device. CWA authentication is working fine it is just Layer2 WPA 802.1x authentication which is not forwarding requests to ISE.
    Can you please suggest?
    Thanks in advance.

    Are your WLC and ISE connected?
    Is your RADIUS shared secret correct and the same on both sides?
    Please check these: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    Regards
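    The reply above asks whether the RADIUS shared secret matches on both sides. What that check means on the wire is shown by the following added example, which is not part of the original thread and is not WLC or ISE code: it frames an Access-Request per RFC 2865 for an EAP (802.1X) client and computes the Message-Authenticator that RFC 3579 requires on every EAP request, an HMAC-MD5 keyed with the NAS/server shared secret. The secret, NAS address, identity and packet identifier used below are made-up values.

```python
"""Build an EAP Access-Request and verify its Message-Authenticator.

Added example, not from the original thread and not WLC or ISE code. It
frames a RADIUS packet per RFC 2865 and computes the Message-Authenticator
that RFC 3579 requires on every EAP request, keyed with the NAS/server
shared secret. The secret, NAS address and identity below are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20      # Code, Identifier, Length, 16-byte Request Authenticator
MAC_LEN = 16         # HMAC-MD5 output length


def _avp(attr_type, value):
    """Encode one attribute: Type, Length (includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity: Code 2, Identifier, Length, Type 1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def build_access_request(secret, ident, username, nas_ip, authenticator=b""):
    """Return a complete Access-Request carrying a valid Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # random Request Authenticator
    attrs = (
        _avp(ATTR_USER_NAME, username.encode())
        + _avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _avp(ATTR_EAP_MESSAGE, eap_response_identity(1, username))
        + _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))  # zeroed placeholder
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    header += authenticator
    # HMAC-MD5 over the whole packet with the Message-Authenticator zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-MAC_LEN] + mac


def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the attribute zeroed.

    A server that enforces RFC 3579 discards a request whose HMAC does not
    match; that is what a shared-secret mismatch looks like on the wire.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    pos, mac_at = HEADER_LEN, None
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 2 + MAC_LEN:
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None:
        return False  # RFC 3579: EAP requests must carry the attribute
    zeroed = packet[:mac_at] + bytes(MAC_LEN) + packet[mac_at + MAC_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_at:mac_at + MAC_LEN])


if __name__ == "__main__":
    request = build_access_request(b"wlc-ise-secret", 7, "staff01", "10.0.0.5")
    print("same secret :", verify_message_authenticator(b"wlc-ise-secret", request))
    print("wrong secret:", verify_message_authenticator(b"wlc-ise-secrat", request))
```

    A secret typo on either side therefore does not produce a clean Access-Reject; the server silently discards the request, so a capture on the ISE side is the quickest way to tell "no packet arrived" (the symptom described above) from "packet arrived but failed the HMAC".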

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to set up wireless guest access, where the guests connect to an SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (a corporate AD user who prints the credentials) or through an SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network) should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE, and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ) should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • Central Web Auth with Anchor Controller and ISE

    Hi All
    I have a 5508 WLC on the corporate LAN and another 5508 sitting in a DMZ as an anchor controller.
    I also have an ISE sitting on the corporate LAN.
    Authentication is working fine to the ISE and the client tries to redirect to the ISE portal but doesn't get there.
    DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
    I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
    My questions are:
    1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
    4. Is ICMP still blocked by the WLC until the web authentication is complete?
    Thanks.
    Regards
    Roger

    Hi Roger,
    Thanks for your brief explanation; here are the answers to your queries.
    1. Do I need the redirect ACL to be present on both the foreign and anchor controllers?
    The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must also be present on the foreign WLC.
    2. Since the RADIUS requests originate from the foreign controller, do I need to configure the ISE server address on the WLAN on the anchor?
    Yes, you have to configure the ISE server address on the anchor WLC.
    3. Does the redirect ACL need to be enabled on the advanced page of the WLAN on the foreign to override the interface ACL?
    Yes, you should enable AAA override under the advanced tab of the WLAN, as the ACL will be present on the foreign WLC.
    4. Yes, ICMP will work only after the successful web auth is complete.
    Please do go through the link below to understand the Anchor-Foreign scenario.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    Regards
    Salma

  • Wlc 5500 authentication timeout

    I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up on the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re-authenticate every few minutes. This only happens on the BYOD WLAN (not Internal).

    Scott-
    Here are the results of the show wlan command:
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... OBSD BYOD
    Network Name (SSID).............................. OBSD-BYOD
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 25
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ g9c-guest
    Multicast Interface.............................. Not Configured
    WLAN ACL......................................... Guest WiFi Internet Only
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
       Accounting.................................... Global Servers
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
    ACL............................................. Web Auth
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status

  • WLC 5500 802.1x problems

    So here is the problem that i have.
    I have a WLC 5500 in site A (let's say city A too) with its own set of WLANs (wlan 1, wlan 2 ...) that are used to differentiate different types of users (teachers, students, etc.) using a RADIUS server and an AD for this client and using 802.1X. Everything on site A is working fine.
    Now I'm trying to set up an access point in site B (in city B) with its own set of WLANs (wlan X, wlan Y ...) that is also used to differentiate clients; site B has its own DHCP, its own RADIUS and its own AD. I've managed to connect the access point to the WLC and set WLANs for site B. My problem now is that when a user tries to connect to wlan X and he is supposed to be in wlan Y, he is not forwarded to wlan Y and is left in wlan X. I've also configured H-REAP.
    Does anyone have any idea why the clients aren't being assigned to the correct WLAN?
    I've checked in the RADIUS server and it's sending the correct WLAN to the user.
    I know that the text is probably a little bit confusing, but I hope that someone can help me.
    Thanks in advance.

    You are right, it is not supported:
    Note: If the APs are in H-REAP mode and locally switched at the remote site, the dynamic assignment of users to a specific VLAN based on the RADIUS server configuration is not supported.
    Since you can't do dynamic VLANs, why not have two policies, one for teachers and the other for students? You will need to have them in separate groups in AD also. Then filter on the SSID and the AD group, so if students try to access the teachers' SSID using their credentials, they get rejected, and vice versa.
    I don't know what you mean by connecting two sites without H-REAP. The only other way is switching the AP to local mode, for which you had better have some good bandwidth.
    Scott

  • WLC 5508 And Third Party SSL for Web Authenticaiton

    Hello,
    We are using a WLC 5508 and currently the authentication process is via a customized WebAuth. As you know, with WebAuth the authentication process won't work unless you launch a web browser, and you will be redirected to the authentication page where you type your username and password. This is a bit fuzzy for most of the users, and what I'm thinking is to use a different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that a public/third-party certificate will do this and any client can accept the public certificate.
    Can anyone elaborate on this approach?
    Regards, 

    With machines that are not part of the domain, typically if you still want to secure them using 802.1X, you would leverage a RADIUS server, and users would be told of the SSID to connect to and enter their AD credentials. Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full-fledged profiler. Depending on how well you know RADIUS, you can leverage a portal page also, and depending on the AD group a user is a member of, you can put them in a specific VLAN, or in an interface group if you leverage interface groups. You can do many things, but you need to really know RADIUS and client types to figure out what can work well in your environment. RADIUS alone, to someone who hasn't played with it, can take days to set up without help.
    Every client I set up RADIUS for is different, and it comes down to how their users are set up in AD, what devices they have and the requirements.
    Scott

  • WLC management and monitoring.

    Hello
    We are looking to monitor the CPU, environment variables and memory of a wireless LAN controller via SNMP, but we are not able to find in the MIBs the right OIDs to manage this.
    Can the exact OIDs be given in order to monitor these three elements on a Cisco WLC 5500 series?
    thank you in advance
    Mario

    You'll probably find the objects in the CISCO-SYSTEM-EXT-MIB useful...
    cseSysCPUUtilization OBJECT-TYPE
        SYNTAX          Gauge32 (0..100 )
        UNITS           "%"
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
            "The average utilization of CPU on the active
            supervisor."
        ::= { ciscoSysInfoGroup 1 }
    = 1.3.6.1.4.1.9.9.305.1.1.1
    cseSysMemoryUtilization OBJECT-TYPE
        SYNTAX          Gauge32 (0..100 )
        UNITS           "%"
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
            "The average utilization of memory on the active
            supervisor."
        ::= { ciscoSysInfoGroup 2 }
    = 1.3.6.1.4.1.9.9.305.1.1.2
    You can browse other objects on the MIB here:
    http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.305.1.1&translate=Translate&submitValue=SUBMIT&submitClicked=true
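    As an added example (not part of the original thread, and not Cisco tooling), the following Python polls nothing itself but shows how to turn the two CISCO-SYSTEM-EXT-MIB objects named above into a monitoring check: it parses net-snmp style `snmpget` output for cseSysCPUUtilization and cseSysMemoryUtilization, enforces the MIB's declared Gauge32 (0..100) range, compares against thresholds, and builds the argument list for an SNMPv3 authPriv poll rather than an SNMPv2c community string, which crosses the network in cleartext. The sample output, the controller address 192.0.2.10, the SNMPv3 user name and the alert thresholds are constructed for the example.

```python
"""Parse WLC CPU/memory gauges from net-snmp output and check thresholds.

Added example, not part of the original thread. The OIDs are the two
CISCO-SYSTEM-EXT-MIB objects named in the reply above; the sample output,
host address, SNMPv3 user and the alert thresholds are made up.
"""
import re

CISCO_SYS_INFO_GROUP = "1.3.6.1.4.1.9.9.305.1.1"
# Scalar objects are polled with the .0 instance suffix.
TRACKED = {
    CISCO_SYS_INFO_GROUP + ".1.0": "cseSysCPUUtilization",
    CISCO_SYS_INFO_GROUP + ".2.0": "cseSysMemoryUtilization",
}
# Assumed alert thresholds in percent; tune for the platform.
THRESHOLDS = {"cseSysCPUUtilization": 80, "cseSysMemoryUtilization": 85}

# Constructed snmpget output. net-snmp prints either a numeric OID or the
# SNMPv2-SMI::enterprises prefix, depending on which MIBs are loaded.
SAMPLE_OUTPUT = """\
SNMPv2-SMI::enterprises.9.9.305.1.1.1.0 = Gauge32: 23
.1.3.6.1.4.1.9.9.305.1.1.2.0 = Gauge32: 91
.1.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
"""

_GAUGE_LINE = re.compile(
    r"^\.?(?:SNMPv2-SMI::enterprises\.|1\.3\.6\.1\.4\.1\.)(\d+(?:\.\d+)*)"
    r"\s*=\s*Gauge32:\s*(\d+)\s*$"
)


def parse_gauges(text):
    """Return {object-name: value} for the tracked gauges found in `text`."""
    values = {}
    for line in text.splitlines():
        match = _GAUGE_LINE.match(line.strip())
        if not match:
            continue  # other objects or non-Gauge32 syntaxes
        oid = "1.3.6.1.4.1." + match.group(1)
        name = TRACKED.get(oid)
        if name is None:
            continue
        value = int(match.group(2))
        if not 0 <= value <= 100:  # the MIB declares Gauge32 (0..100)
            raise ValueError(f"{name} out of range: {value}")
        values[name] = value
    return values


def check_thresholds(values, thresholds=THRESHOLDS):
    """Return (name, value, threshold) for every gauge at or above its threshold."""
    return [
        (name, value, thresholds[name])
        for name, value in sorted(values.items())
        if name in thresholds and value >= thresholds[name]
    ]


def snmpget_argv(host, user, auth_pass, priv_pass):
    """net-snmp command line for an SNMPv3 authPriv poll of both gauges.

    SNMPv3 with authentication and privacy is preferred over v2c, whose
    community string travels in cleartext. Secrets on the command line are
    visible in the process list; keep them in snmp.conf for real use.
    """
    return [
        "snmpget", "-v3", "-l", "authPriv",
        "-u", user, "-a", "SHA", "-A", auth_pass, "-x", "AES", "-X", priv_pass,
        host, *TRACKED,
    ]


if __name__ == "__main__":
    readings = parse_gauges(SAMPLE_OUTPUT)
    print(readings)
    for name, value, limit in check_thresholds(readings):
        print(f"ALERT {name}={value}% (threshold {limit}%)")
    print(" ".join(snmpget_argv("192.0.2.10", "monitor", "auth-pass", "priv-pass")))
```

    The same parser works on the output of a cron-driven snmpget against the real controller; the environment (temperature/fan) objects the question also asks about are not in this group, so they are left out rather than guessed.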

  • WLC 5500

    Dear All,
    I have a WLC 5500 with a 50 AP base license and LAP 3500i APs.
    So, do I need a license for the WLC to work with the CleanAir technology, even though its software version is 7?
    And also, I have WCS with a base license, so do I need a license also for the WCS to work with CleanAir technology?
    thanks
    Ahmed

    You do not need an extra license for either the WLC or WCS to work with CleanAir. But if you buy a 10-AP pack of 3500 APs, you will get a WCS Plus upgrade license (for 100 APs) for free.
    More info can be found here:
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/qa_c67-604158.html
    zhenning
