License of ISE to WLC

Hello Experts

I LSE with advanced for 1500 user license and I WLC 2504, and I need to integrate the WLC with the ISE in obtaining the ISE features for wireless as posture, restoring users and authentication as well.

My question: is the advanced license is sufficient, or will I install the license wireless to the LSE to have integration...

your comments and input appreciated...

Lydie

Here is some information about the different types of licenses-

http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_man_license.html#wp1074395

Essentially licensed wireless is a little like the basic license if your deployment is 100% wireless, wireless upgrade is equivalent to the license advanced once more for just a wireless deployment.

Basic and advanced covers all (wired, wireless, vpn, etc). There is no restriction for the deployment model.

Thank you

Tarik Admani
* Please note the useful messages *.

Tags: Cisco Security

Similar Questions

ISE Airespace WLC ACL problem

Hello

I have configured ISE and WLC for use with CWA guestportal but there is a problem with the CoA - he won't apply airespace alc after auth to guestportal.

1. on page authC, I configured a MAB wireless to continue if not found user and use an internal users as an identity store.

2. on page authZ I configured a WEBAUTH as a default rule with the following:

Access type = ACCESS_ACCEPT

Cisco-av-pair = url-redirect-acl = ACL-WEBAUTH-REDIRECT

Cisco-av-pair = redirect url =https://ip:port/guestportal/gateway? sessionId = SessionIdValue & action = cwa

3. I've also configured this ACL to WLC to allow

permit any - any icmp and dns

allow all-to-the-ise-8443

ise-to-any license

This part works very well because I could redirect to guestportal and use my guest connection & pw to allow myself. The guest account has been previously generated by portal sponsor and it works too.

4. on page authC, I use a dot1x wireless to use internal users

5. in the authZ page I use a "if internal users: Guest can leave COMMENTS" rule

6 rule PROMPT resembles the following:

Access type = ACCESS_ACCEPT

Airespace-ACL-Name = GUEST_INTERNET_ONLY

7. this ACL is configured on the WLC allowing all unless private networks (ISE is also permitted)

After authentication Portal comments, I see a success message and I was able to ping internet but I don't have web access. It looks like CoA and Airespace acl are not working and I continue to use my access ACL-WEBAUTH-REDIRECT-list and I see a strange error messages in newspapers WLC:

* apfReceiveTask: 17:32:27.317 12 Nov: % ENTRY_DONOT_EXIST-3-ACL: acl.c:369 cannot find an ACL by name.

I swear my ACL name spelling is correct and ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with counters more!

I have not one point what problem could be...

Any ideas?

P.S. see attach for authentication log Live

You can try "debug client" in the CLI WLC and try to connect with the customer. It you see if the WLC applies your ACL.

Looks like this for my license - all ACLs

* apfReceiveTask: 25 Oct 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1)-(calling apf_policy.c:1762)

It must be near the bottom.

And then after all debug disable.

Another question, you can test internet but no web access, as well as the URL? Is DNS works after applying the last ACL?

On this line in the log:

* apfReceiveTask: 17:32:27.317 12 Nov: % ENTRY_DONOT_EXIST-3-ACL: acl.c:369 cannot find an ACL by name.

I get that with CWA to work so I don't know which is linked. (for my setup)

Concerning
Mikael

Sent by Cisco Support technique iPad App

Post edited by: Mikael Gustafsson

ISE with WLC AND switches

Hello

We run 3xWLC controller with 800 AP using ISE 1.2 for authentication wireless 802. 1 x. I was looking in the config of the ISE and notice of 400 edge cheating only 2x2960s are configured with 802. 1 x (ISE RADIUS config) and SNMP and only 2 of the port is 2 ap tie with swtich remaining ports.and the 3XWLC in network devices.

I do not understand how an access point is to do this work (802.1 x) because it is location on different site and people are connecting to various different locations. ISE almost run/do 11 876 profiled ends.

version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ fokm$ lesIWAaceFFs.SpNdJi7t.
!
Test-RADIUS username password 7 07233544471A1C5445415F
AAA new-model
Group AAA dot1x default authentication RADIUS
Group AAA authorization network default RADIUS
Group AAA authorization auth-proxy default RADIUS
start-stop radius group AAA accounting dot1x default
start-stop radius group AAA accounting system by default
!
!
!
!
AAA server RADIUS Dynamics-author
Client 10.178.5.152 server-key 7 151E1F040D392E
Client 10.178.5.153 server-key 7 060A1B29455D0C
!
AAA - the id of the joint session
switch 1 supply ws-c2960s-48 i/s-l
cooldown critical authentication 1000
!
!
IP dhcp snooping vlan 29,320,401
no ip dhcp snooping option information
IP dhcp snooping
no ip domain-lookup
analysis of IP device
!
logging of the EMP
!
Crypto pki trustpoint TP-self-signed-364377856
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 364377856
revocation checking no
rsakeypair TP-self-signed-364377856
!
!
TP-self-signed-364377856 crypto pki certificate chain
certificate self-signed 01
30820247 308201B 0 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
69666963 33363433 37373835 36301E17 393330 33303130 30303331 0D 6174652D
305A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3336 34333737
06092A 86 4886F70D 01010105 38353630 819F300D 00308189 02818100 0003818D
B09F8205 9DD44616 858B1F49 A27F94E4 9E9C3504 F56E18EB 6D1A1309 15C20A3D
31FCE168 5A8C610B 7F77E7FC D9AD3856 E4BABDD1 DFB28F54 6C24229D 97756ED4
975E2222 939CF878 48D7F894 618279CF 2F9C4AD5 4008AFBB 19733DDB 92BDF73E
B43E0071 C7DC51C6 B9A43C6A FF035C63 B53E26E2 C0522D40 3F850F0B 734DADED
02030100 01A 37130 03551 D 13 6F300F06 0101FF04 05300301 01FF301C 0603551D
11041530 13821150 5F494D2B 545F5374 61636B5F 322D312E 301F0603 551D 2304
18301680 1456F3D9 23759254 57BA0966 7C6C3A71 FFF07CE0 A2301D06 03551D0E
04160414 56F3D923 75925457 BA09667C 6C3A71FF F07CE0A2 2A 864886 300 D 0609
F70D0101 5B1CA52E B38AC231 E45F3AF6 12764661 04050003 81810062 819657B 5
F08D258E EAA2762F F90FBB7F F6E3AA8C 3EE98DB0 842E82E2 F88E60E0 80C1CF27
DE9D9AC7 04649AEA 51C49BD7 7BCE9C5A 67093FB5 09495971 926542 4 5A7C7022
8D9A8C2B 794D99B2 3B92B936 526216E0 79 D 80425 12B 33847 30F9A3F6 9CAC4D3C
7C96AA15 CC4CC1C0 5FAD3B
quit smoking
control-dot1x system-auth
dot1x critical eapol
!
pvst spanning-tree mode
spanning tree extend id-system
No vlan spanning tree 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
!
!
errdisable recovery cause Uni-directional
errdisable recovery cause bpduguard
errdisable recovery cause of security breach
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause FPS-config-incompatibility
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable cause of port-mode-failure recovery
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-AI-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
internal allocation policy of VLAN ascendant
!
!
interface GigabitEthernet1/0/10
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/16
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/24
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

!
interface GigabitEthernet1/0/33
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/34
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard
!
interface GigabitEthernet1/0/44
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

!
interface GigabitEthernet1/0/46
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/48
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard
!
interface GigabitEthernet1/0/49
Description link GH
switchport trunk allowed vlan 1,2,320,350,351,401
switchport mode trunk
MLS qos trust dscp
IP dhcp snooping trust
!

interface GigabitEthernet1/0/52
Description link CORE1
switchport trunk allowed vlan 1,2,29,277,278,314,320,401
switchport mode trunk
MLS qos trust dscp
IP dhcp snooping trust
!
!
interface Vlan320
IP 10.178.61.5 255.255.255.128
no ip-cache cef route
no ip route cache
!
default IP gateway - 10.178.61.1
IP http server
IP http secure server
IP http secure-active-session-modules no
active session modules IP http no
!
!
Access IP extended ACL-AGENT-REDIRECT list
deny udp any any domain eq bootps
permit tcp any any eq www
permit any any eq 443 tcp
IP extended ACL-ALLOW access list
allow an ip
IP access-list extended by DEFAULT ACL
allow udp any eq bootpc any eq bootps
allow udp any any eq field
allow icmp a whole
allow any host 10.178.5.152 eq 8443 tcp
permit tcp any host 10.178.5.152 eq 8905
allow any host 10.178.5.152 eq 8905 udp
permit tcp any host 10.178.5.152 eq 8906
allow any host 10.178.5.152 eq 8906 udp
allow any host 10.178.5.152 eq 8909 tcp
allow any host 10.178.5.152 eq 8909 udp
allow any host 10.178.5.153 eq 8443 tcp
permit tcp any host 10.178.5.153 eq 8905
allow any host 10.178.5.153 eq 8905 udp
permit tcp any host 10.178.5.153 eq 8906
allow any host 10.178.5.153 eq 8906 udp
allow any host 10.178.5.153 eq 8909 tcp
allow any host 10.178.5.153 eq 8909 udp
refuse an entire ip
Access IP extended ACL-WEBAUTH-REDIRECT list
deny ip any host 10.178.5.152
deny ip any host 10.178.5.153
permit tcp any any eq www
permit any any eq 443 tcp

radius of the IP source-interface Vlan320
exploitation forest esm config
logging trap alerts
logging Source ip id
connection interface-source Vlan320
record 192.168.6.31
host 10.178.5.150 record transport udp port 20514
host 10.178.5.151 record transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
Server SNMP engineID local 800000090300000A8AF5F181
SNMP - server RO W143L355 community
w143l355 RW SNMP-server community
SNMP-Server RO community lthpublic
SNMP-Server RO community lthise
Server SNMP trap-source Vlan320
Server SNMP informed source-interface Vlan320
Server enable SNMP traps snmp authentication linkdown, linkup cold start
SNMP-Server enable traps cluster
config SNMP-server enable traps
entity of traps activate SNMP Server
Server enable SNMP traps ipsla
Server enable SNMP traps syslog
Server enable SNMP traps vtp
SNMP Server enable traps mac-notification change move threshold
Server SNMP enable traps belonging to a vlan
SNMP-server host 10.178.5.152 version 2 c lthise mac-notification
SNMP-server host 10.178.5.153 version 2 c lthise mac-notification
!
RADIUS attribute 6 sur-pour-login-auth server
Server RADIUS attribute 8 include-in-access-req
RADIUS attribute 25-application access server include
dead-criteria 5 tent 3 times RADIUS server
test the server RADIUS host 10.178.5.152 auth-port 1812 acct-port 1813 username test-RADIUS 7 key 03084F030F1C24
test the server RADIUS host 10.178.5.153 auth-port 1812 acct-port 1813 username test-RADIUS 7 key 141B060305172F
RADIUS vsa server send accounting
RADIUS vsa server send authentication

any help would be really appreciated.

I'm not sure that completely understand the question; But if LSE is only political wireless, then none of the wired switches need any configuration of ISE.

Access points tunnel all wireless traffic to the WLC on CAPWAP (unless you use FlexConnect). This is the configuration 802. 1 x on the WLC that implements policies defined in ISE.

Switches wired never need to act as an access network (n) device and so do not need to be defined in ISE unless or until you want to apply policies of ISE for wired devices...

Cisco ISE and WLC Access-List Design/scalability

Hello

I have a scenario that wireless clients are authenticated by the ISE and different ACL is applied depending on the rules in the ISE. The problem I have seen is due to the limitation on the Cisco WLC that limit only 64 input access list. As the installer has only a few IVR/interfaces and several different access lists are applied to the same base on user groups interface; I was wondering if there may be an evolutionary design / approach according to which the access list entries can evolve next to create a vlan for each group of users and apply the access list on the interface of layer 3 instead? I illustrated the configuration below for reference:

Group of users 1 - apply ACL 1 - on Vlan 1

User 2 group - apply ACL 2 - on the Vlan 1

3 user group - apply ACL 3 - on the Vlan 1

The problem appears only for wireless users, he does not see on wired users as the ACLs can be applied successfully without restriction as to the switches.

Any suggestion is appreciated.

Thank you.

In fact, you have limitations on the side of the switch as well. Long ACL can deplete resources AAGR of the switch. Take a look at this link:

http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-3750-series-switches/68461-high-CPU-utilization-cat3750.html

The new WLCs based on IOS XE and not the old OS Wireless/Aironet will provide the best experience in these matters.

Overall, I see three ways to overcome your current number:

1. reduce the ACL by making them less specific

2 use L3 interfaces on a switch L3 or FW and the ACL is applied to them

3. use the SGT/SGA

I hope this helps!

Thank you for evaluating useful messages!

Trial license of ISE for wireless devices

Hello

We currently have a project underway for a deployment BYOD, but focuses mainly on smartphones and tablets.

For this I want to evaluate the ISE. I know that there is a 90 days trial license, but according to the reference of the function guide is the basic and advanced.

As far as I know there is also a specifically for authentication of wireless devices.

My question is now, if there is also an evaluation license available for the authentication of wireless devices.

Thank you!

Kind regards

Patrick

Patrick,

It still works with the eval base licenses and advanced that come with the software.

To ensure that radius account management is configured correctly for endpoint devices reports you correctly.

Wireless license is only for wireless users, while the base allows wired and wireless.

Thank you

Tarik Admani

ISE and WLC for sanitation of the posture

Please can someone clarify a few things regarding the ISE and posture wireless.

(1) is the ACL-POSTURE-REDIRECT used for conversion, or is it just an ACL to redirect some of the posture of the kickoff checking traffic?

(2) can / a dACL/wACL list must be specified as a sanitation ACL?

(3) the WLC ACL should be written in long format (manually specify source and dest ports/doesny direction any job?)

(4) does anyone have working example ACL for redirect (CPC) posture and sanitation (dACL)?

(5) any other advice or pointers would be as useful as any docs I have found so far, what he TrustSec2, CiscoLive or anything else, do not seem to help me understand sanitation and WLC posture

Thank you

Nick

Yes,

This means that strategy available to your customer does not have a rule that will correspond to an entrepreneur who joined the network. Can you post a screenshot of the provisioning of customer policy?

Thank you

Tarik Admani
* Please note the useful messages *.

Guest access with ISE and WLC LWA

Hi guys,.

Our company try to implement access as guest with dan ISE WLC with the local Web authentication method. But there is problem that comes with the certificate. This is the scenario:

1. the clients are trying to connect wifi with guest SSID

2. once it connects, you can open the browser and try to open a Web page (example: cisco.com)

3, because guests didn't connect, so this link redirect to "ISE Guest Login Page" (become): url

https://ISE-hostname:8443/guestportal/login.action?switch_url= https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/

)

4. If there is no Login to ISE not installed comments Page, no reliable connection of message message, but it will be fine is they "Add Exception and install the certificate".

5. once the Guest Login Page will appear and you can enter their username and password.

6 connection success and they will be redirected to www.cisco.com and there pop-up 1.1.1.1 (IP of the Virtual Interface WLC) with the logout button.

The problem occur in scenario 6, after the success of the opening session, the Web page with the address and the error of certificate ISE IP to 1.1.1.1 is appear.

I know that it happened when you can has no Page of Login of WLC certificate...

My Question is, is there a way of tunneling WLC certificate to EHT? Or what we can do for ISE validate certificate WLC, invited didn't need to install the certificate WLC / root certificate before you connect to the Wifi?

THX 4 your answer and sorry for my bad English...

Do not mix WLC with ISE comments Portal local Web authentication. Choose one or the other. I suggest the portal + WLC CWA.

ISE and WLC for CWA (Web Central Auth)

Hi all

As we know that WLC (i.e. 5508) is intolerant of MAB (MAC Auth Bypass) and it supports CWA in 7.2.x.

CWA is the result of successful MAB. So, how CWA to work for the wireless? So that means WLC support MAB?

Hello

The term in the wireless world is mac filtering. When mac filtering is fired, you will return the CWA portal in the access-accept.

Don't forget to set your condition in the authentication policy to continue if the user is not found, while the device can hit the CWA default rule.

Thank you

Tarik Admani
* Please note the useful messages *.

ISE renewed licenses

Hello

We have been informed today that he was about to expiry of our licenses of ISE (expires in October, 2016). We have imported since the new license file, which essentially doubled the number. We believe that we must delete the old file. Before you do, I have a few questions:

* Is it the right thing to do?

* It will affect the system if done during production hours?

* Is there anything else that I would be concerned regarding the deletion of this file?

Characters:	Administration, monitoring, Service policy (all)
Role:	STANDALONE
The system time:	June 13, 2016 12:01:38 PST8PDT
FIPS mode:	People with disabilities
Version:	1.4.0.253
Hotfix information:	5

Thanks in advance for your help.

As long as the new license is installed and recognized, and the existing number of session does not exceed the number and type of licenses available on the subject, delete the old will have zero impact on the production services.

It would have been preferable to wait to get the new as the countdown begins on that one as soon as the PAK is issued. You missed about four months, you could have continued to run on the old license.

WLC 5508 high availability

Hello

Today I have two WLC 5508 (with license for 100 AP each of them), on a single site.

The WLC work availability (active-standby).

However, we have a new scenario, with 02 sites: A and B (attachment).

I would like to know if it is possible to work as follows:

The WLC - A as the main controller of site A. WLC - B as a backup (BDC) of WLC.-a.

The WLC - B that has the PDC site B. WLC - as a backup (BDC) to WLC - B.

For example:

If WLC - a falls, site access Points are managed by B WLC site - B and vice versa.

Is this possible?

How can I configure the new scenario? Don't forget, there is a site-to-site between Site A and Site b.

Another point:

If I add more than 50 APs on Site A. How does the license number?

Should I buy a license for the two WLC?

TKS,

>....

>.. .is it possible?

No. , high availability in terms of controller is supposed to be what is said, the backup controller is not 'full' - stby and cannot play other roles.

M.

ISE v1.2 patch PSN 5 down, deleted endpoint identity

Please refer to the diagram. I'll make it simple and clear.

Patch version 1.2 of ISE 5

3xPOL (2xVirtual devices)

1 LUN

1 Admin

Since Janauray the 8th we have problems with ISE. problem encounter were end of endpoint profiling devices like (Cisco 1140 AP) but the devices is a portable Motorola running Windows CE. Also the mac address of Motorola deleted endpoint identity, every 4 to 6 hours, and we need to put the mac address manually to start the authentication to work.

We open a cisco with TAC. and TAC advice there is a bug in the software and must be upgraded to patch 17 or be upgraded to 1.4 as EHT it more stable than version 2.

a few days later after one of the node POL3 (in the language of cisco PSN) went down. and one of our clinets SSID WiFi lost the connection that they were unable to authenticate (security WLC are on POL3 with ISE group created AD HOC Network devices with filtering MAC.) to solve the problem, we change the WLC AAA to POL1 (PSN) security to make it work. given that his work.

later the next day an another POL2 (up/down beat) other clients of SSID (DATA) are starting to declare connection drop. change us again the WLC AAA authentication ip in the direction to POL1 since his works very well.

now on 3 only 1 POL's work and three SSIDS end clinet is authenciated by the ip address of this POL.

We arrived at cisco help, they looked in this and said POL node are not syn. so EHT needs a reboot to fix this. US management decided if this requires a reboot to fix theye why do not upgrade us to version 1.4 EHT. Cisco TAC mention upgrade can take up to 3 to 4 hours, or maybe more depends on the server. Now we want to go to upgrade but our network structure is complex, we do not want to lose the ise for 3 to 4 hours. We are a hospital and all verification devices/doctor patients computers/handheld devices/records are authenticated through ISE. We using ISE mainly for the wireless.

Now, it's the background story. now, I have a question can reload us the POL nodes 1 by 1 to resolve this problem. I also noticed there is another work around, we had another node ISE from another hospital of trust in our data center. It is a virtual appliance (ise - psn.web.com) in our controller ip address SSID (WLC) one of our leading hospitals of authentication setting two AAA is POL1 and next is the ip address of the ISE - PSN. WEB.COM if we recharge our ise and wlc, we note the ip address of the ISE - PSN. WEB.COM will be this keep the SSID client remains connected.

Please let know us that we are in a desperate situation where we need advice to minumis downtime of our patient critical application that are connected wirelessly.

Hi there and sorry you are in such a crappy situation. It's no funny!

To answer your questions:

#1. I would certainly recommend the upgrade to a later version of ISE or at least get your current version on the last patch!

#2. Yes, you can reload the Ssnp one at a time with zero and without interruption of service. Your WLC detects that your first PSN is down and then move to the second that is configured under the SSID > AAA servers. It is very important that your PSN is in a node group. This way if the PSN-1 goes down, none of the sessions that have been in the middle of the AAA process will get absorbed by another node in node group. If the PSN is not in a group of clients node trying to authenticate to the network at the time of charging will have to start again.

#3. Once that clients are authenticated and authorized their rail traffic is no longer the PSN. So, reload the PSN will not affect clients that are already on the network. However, if a customer needs to re-auth (in due to inactivity, slowed down or re-auth timer) then a job THAT PSN is necessary, otherwise the AAA session will fail.

#4. Certainly, you can set up a third NHPS under your SSID and use your PSN which is in another hospital. As long as this node is located in the same deployment of ISE and is synchronized with the PAN then you should be good to go. You can quickly test it by creating a temporary SSID > do as PSN its main Radius Server > test it with a test computer.

I hope this helps!

Thank you for evaluating useful messages!

Deployment of the ISE (L

If we have a ' L-ISE-BSE - 5 K = "license of ISE, VMs how am I allowed to create for different roles?

This license allows you to authenticate users of 5K and some other basic features. You need another license to you gives the right to possess the ISE software to build virtual appliances, but there is no actual application of it.

The license is ISE-VM-K9 =. You need one per device. There are also references grouped.

Cisco vWLC and issue of ISE Central Web Authetication

Hello!

I have a problem with a central Web authentication wireless. CWA woking fine wired.

My APs woking FlexConnect mode with local switching. When I connect to the WLAN with CWA, web page with the portal asked to not open, but I see, this redirection works...

When I try to ping ISE and have an odd result:

[email protected]/ * /: ~ $ ping 10.10.2.47

PING 10.10.2.47 (10.10.2.47) 56 (84) bytes of data.

64 bytes from 10.10.2.47: icmp_seq = 5 ttl = 63 times = 1.45 ms

64 bytes from 10.10.2.47: icmp_seq = 8 ttl = 63 times = 2.22 ms

64 bytes from 10.10.2.47: icmp_seq = 10 ttl = 63 times = 1.43 ms

^ C

-10.10.2.47 - ping statistics

21 packets transmitted, received 3, 85% packet loss, time 20106ms

RTT min/avg/max/leg = 1.430/1.703/2.223/0.367 ms

When I change the WIFI open network security or any other method, ping to ISE work very well. Help, please!

Web Auth (CWA) Centre works different controllers/APs works in mode FlexConnect. Please consult this guide and check if you have a similar setup.

http://www.Cisco.com/c/en/us/support/docs/security/identity-Services-engine/116087-configure-CWA-WLC-ISE-00.html

If so, please post screenshots with your configs (ACL redirect, political in ISE and WLC SSD settings).

In addition, the version of the code you run in your controller and ISE.

Thank you for evaluating useful messages!

Hiding authentication ISE in CWA for comments

Ciao,.

do you know how I can put a guest authentication cache?

For example, a guest connect to guest SSID (open); authenticate using CWA (ISE and WLC). After each time comments logoff and login, no authentication is needed for the same days.

Thank you

With ISE 1.3, you can set the portal reviews auto register the mac address of devices when they connect for the first time as a guest. The next time that they connect, you can authenticate the mac address instead. Endpoint purge rules can be configured so that, if you wan't to reconnect again ise will remove the mac address of the specific group for this portal of comments and the user having to reconnect, e.g. once per day, or every time you wan't...

If you're on ise 1.2, the only way is to change the timers inactive on the WLC to a value greater than the value default 300 seconds, which is really not a good way to do it if you plan to have a lot of users use this, it will consume power of memory and the process on the WLC.

Authentication (Windows Server 2013) AD Cisco ISE problem

Background:

Has deployed two Cisco ISE 1.1.3. ISE will be used to authenticate users wireless access admin WLC and switches. Database backend is Microsoft running on Windows Server 2012 AD. Existing Cisco ACS 4.2 still running and authenticate users. There are two Cisco WLCs version 7.2.111.3.

Wireless users authenticates to AD, through works of GBA 4.2. Access admin WLC and switches to the announcement through ISE works. Authentication with PEAP-MSCHAPv2 access and admin PAP/ASCII wireless.

Problem:

Wireless users cannot authenticate to the announcement through ISE. This is the error message '11051 RADIUS packet contains invalid state attribute' & '24444 Active Directory failed because of an error that is not specified in the ISE'.

Conducted a detailed test of the AD of the ISE. The test was a success and the result seems fine except for the below:

xxdc01.XX.com (10.21.3.1)

Ping: 0 Mins Ago

Status: down

xxdc02.XX.com (10.21.3.2)

Ping: 0 Mins Ago

Status: down

xxdc01.XX.com

Last success: Thu Jan 1 10:00 1970

March 11 failure: read 11:18:04 2013

Success: 0

Chess: 11006

xxdc02.XX.com

Last success: Fri Mar 11 09:43:31 2013

March 11 failure: read 11:18:04 2013

Success: 25

Chess: 11006

Domain controller: xxdc02.xx.com:389

Domain controller type: unknown functional level DC: 5

Domain name: xx.COM

IsGlobalCatalogReady: TRUE

DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

Action taken:

Log Cisco ISE and WLC by using the credentials of the AD. This excludes the connection AD, clock and AAA shared secret as the problem.

(2) wireless authentication tested using EAP-FAST, but same problem occurs.

(3) detailed error message shows below. This excludes any authentication and authorization policies. Even before hitting the authentication policy, the AD search fails.

12304 extract EAP-response containing PEAP stimulus / response

11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiated

Evaluate the politics of identity

15006 set default mapping rule

15013 selected identity Store - AD1

24430 Authenticating user in Active Directory

24444 active Directory operation failed because of an error that is not specified in the ISE

(4) enabled the registration of debugging AD and had a look at the logging. Nothing significant, and no clue about the problem.

(5) wireless tested on different mobile phones with the same error and laptos

(6) delete and add new customer/features of AAA Cisco ISE and WLC

(7) ISE services restarted

(8) join domain on Cisco ISE

(9) notes of verified version of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Find anything related to this problem.

10) there are two ISE and two deployed WLC. Tested a different combination of ISE1 to WLC1, ISE1 to WLC2, etc. This excludes a hardware problem of WLC.

Other possibilities/action:

1) test it on another version WLC. Will have to wait for approval of the failure to upgrade the WLC software.

(2) incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012

Did he experienced something similar to have ideas on why what is happening?

Thank you.

Update:

(1) built an another Cisco ISE 1.1.3 sever in another data center that uses the same domain but other domain controller. Thai domain controller running Windows Server 2008. This work and successful authentication.

(2) my colleague tested in a lab environment Cisco ISE 1.1.2 with Windows Server 2012. He has had the same problem as described.

This leads me to think that there is a compatibility issue of Cisco ISE with Windows Server 2012.

Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.

External identity Source OS/Version

Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit

Active Directory Microsoft Windows 2008 32-bit and 64-bit

Microsoft Windows Active Directory 2008 R2 64-bit only

Microsoft Windows Active Directory 2003 32-bit only

http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF

License of ISE to WLC

Similar Questions

Maybe you are looking for