topic Re: WLC 9800 AAA issue in Wireless

WLC 9800 AAA issue

malkovich072 — Sun, 21 Aug 2022 19:32:51 GMT

Hi everybody.
I have WLC 9800 (17.3.3, 17.3.5b, 17.6.3) and ISE 2.7 and WIndows clients.
Authorization in the ISE occurs using PEAP-TLS. (eap-tls + ms-chap v2)
There are 2 different rules configured on the ISE side.
When connected, the computer is subject to Rule No. 1 with a specific ACL. After entering the username and password, the user should get a different ACL list according to a different rule, but this does not happen. On the ISE side, I see the correct identification, but the second policy does not apply. Everything works correctly on the WLC 8540. Has anyone encountered a similar problem?

Re: WLC 9800 AAA issue

balaji.bandi — Sun, 21 Aug 2022 22:13:42 GMT

When connected, the computer is subject to Rule No. 1 with a specific ACL. After entering the username and password, the user should get a different ACL list according to a different rule, but this does not happen. On the ISE side, I see the correct identification, but the second policy does not apply.

what rule the user get applied ? (or user not at all applied any policies ?

what client device ?

what you see the Logs in ISE ?

Re: WLC 9800 AAA issue

Ambuj M — Mon, 22 Aug 2022 01:32:15 GMT

Your description is not very clear, remember “problem well stated is problem half solved”, so try again.
Let me rephrase what I understood. You are using PEAP-EAP-TLS instead of just EAP-TLS or PEAP, your authentication is successful, but during authorization correct dynamic ACL is not getting enforced by ISE on clients, because of which client do not get correct permission, is this correct problem statement ?

since it’s wireless, the ACL name is pushed through ISE but the ACL itself exist on the controller with exact same name, so share your policy details and ACL details and failed ISE log details. If your authentication is successful, I can rule out client (supplicant) misconfiguration.

Re: WLC 9800 AAA issue

Arshad Safrulla — Mon, 22 Aug 2022 05:28:35 GMT

Sounds like a COA issue.

Do you have the ACL defined on 9800 WLC? It has to match what ISE is sending.

Also it is mandatory that you enable AAA overide and NAC state in the policy profile. Refer the below document for more info.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

Re: WLC 9800 AAA issue

Mark Elsen — Mon, 22 Aug 2022 06:40:41 GMT

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183