https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004445#M23196 <P>For read/write access you need this attribute in addition to the ACCESS_ACCEPT access-type:</P> <P>Radius:Service-Type = Administrative</P> Fri, 07 Apr 2017 14:14:47 GMT M. Wisely 2017-04-07T14:14:47Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004443#M23194 <P>We recently upgraded ISE from 2.1 to 2.2 and have radius configured to authenticate management sessions to our network devices. After the upgrade we can login to our WLC via GUI or SSH, but when a change is made an Authorization Failed. No sufficient privileges pops up. From the CLI no changes can be made, but we can login.</P> <P></P> <P>Here is my Results&gt;Authorization&gt;Authorization Profiles. This is then used in a policy set shared with our switches and routers.</P> <P>Web Authentication (Local Web Auth) - is checked</P> <P>Attribute settings are:</P> <P>Radius:Service-Type = Administrative</P> <P>Cisco:cisco-av-pair = shell:priv-lvl=15</P> <P></P> <P>Any help from the forum experts would be greatly appreciated.</P> <P></P> <P>Thanks,</P> <P>BW</P> Mon, 11 Mar 2019 07:37:03 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004443#M23194 bret 2019-03-11T07:37:03Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004444#M23195 <P>Hi</P> <P></P> <P>Could you paste screenshots of your config please?</P> <P>Then can you have a try and paste here the result of your ISE servers and output of your WLC debug (<B>debug aaa events enable</B>)</P> <P></P> <P>thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Fri, 07 Apr 2017 14:02:34 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004444#M23195 Francesco Molino 2017-04-07T14:02:34Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004445#M23196 <P>For read/write access you need this attribute in addition to the ACCESS_ACCEPT access-type:</P> <P>Radius:Service-Type = Administrative</P> Fri, 07 Apr 2017 14:14:47 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004445#M23196 M. Wisely 2017-04-07T14:14:47Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004446#M23197 <P>Thanks for chiming in so quickly guys. I have a case opened, but the response is terrible.</P> <P>Attached are the debugs from the WLC and my authorization profile. This profile is used by our switches and routers and there are no problems. Also attached is my Policy Set.</P> <P></P> <P></P> <P></P> <P></P> Fri, 07 Apr 2017 14:37:33 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004446#M23197 bret 2017-04-07T14:37:33Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004447#M23198 <P>Something to note. I have another controller on a different ISE server ver 1.2 using the same policy set and results with no issues. So something changed with ISE 2.2 to make this stop working.</P> Fri, 07 Apr 2017 14:44:50 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004447#M23198 bret 2017-04-07T14:44:50Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004448#M23199 <P>Hi,</P> <P></P> <P>The policy is to authenticate a user to manage your WLC. Why have you checked Local Webauth?</P> <P>2nd thing, on your wlc debugs, we see the service-type 7 (NAS-Prompt) instead of service-type 6 (Administrative):</P> <P>radiusTransportThread: Apr 07 09:49:01.801: AVP[02] ServiceType.............................0x00000007 (7) (4 bytes)</P> <P>Do you have ISE authorization logs for that specific session?</P> <P></P> <P>Thanks</P> <P><SPAN>PS: Please don't forget to rate and mark as correct answer if this answered your question</SPAN></P> Fri, 07 Apr 2017 15:30:42 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004448#M23199 Francesco Molino 2017-04-07T15:30:42Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004449#M23200 <P>The local webauth check may have been an oversight. It was removed and still does not allow RW access.</P> <P>I noticed the service-type was 7 as well, but the service-type in the authorization profile is set for Administrative. Now I need to figure out why that is happening.</P> <P>I do and there are no errors with event authentication succeeded. I compared to a switch and the only difference is in the result. The switch shows the result Service-Type NAS Prompt, where the WLC shows no service-type in the Result.</P> Fri, 07 Apr 2017 16:06:31 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004449#M23200 bret 2017-04-07T16:06:31Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004450#M23201 <P>Is the WLC taking the right rule? or is it taking another one maybe?</P> <P>are you running ISE as policy-set? If Yes, you can have a test by creating a new policy set just for that specific WLC and recreate your authz rule to validate.</P> <P>You said you have another wlc, can you validate the other one that you have service-type 6 received ? Are they taking both the exact same rule?</P> <P></P> <P>Thanks</P> <P><SPAN>PS: Please don't forget to rate and mark as correct answer if this answered your question</SPAN></P> Fri, 07 Apr 2017 18:31:22 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004450#M23201 Francesco Molino 2017-04-07T18:31:22Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004451#M23202 <P>Hi,</P> <P>I have the same problem. I debugged the aaa session on the WLC and Service-Type 7 showed up in the authorization result however ISE policy is configured with&nbsp;<SPAN>Service-Type Administrative.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>This must be an ISE issue, the authorization result is configured properly but the logs show Service-Type 7.&nbsp;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Update 1: </SPAN></P> <P><SPAN>I found this bug.</SPAN></P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd61189/?reffering_site=dumpcr">CSCvd61189</A></P> <P></P> <P>Update 2:</P> <P>I reverted to ISE 2.1, now the WLC debug log contains Service Type 6 however ISE log contains NAS-Prompt. So it's only a cosmetic issue on ISE 2.1.</P> Sun, 09 Apr 2017 18:25:33 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004451#M23202 zoltan.varga0217 2017-04-09T18:25:33Z https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004452#M23203 <P>Hi&nbsp;</P> <P>I've upgraded my lab ISE to 2.2 and face the same bug.&nbsp;</P> <P>However, right now there is no correction.&nbsp;</P> <P>Sorry for that.</P> <P>If you have a backup before upgrade, do a rollback..</P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Sun, 09 Apr 2017 18:25:34 GMT https://community.cisco.com/t5/network-access-control/wlc-management-access-via-ise-2-2-radius/m-p/3004452#M23203 Francesco Molino 2017-04-09T18:25:34Z