Bransomar
Beginner

Cisco ISE - Adding Wireless AP's to ISE

I am currently in audit mode with my ISE implementation.  I have a Cisco CAPWAP 2602 AP connected to an ISE provisioned 3750.  My Auth policy is failing on the AP because it is not found in any identity store.

So, my question is, what is the best way to inventory all of my network AP's?  We have about 300.   They obviously are not in AD and I am not sure I want to bulk add the AP's to the Internal Endpoints store and have to continually manage the inventory if AP's are swapped out.

My thought was to have ISE dynamically reference my WLC's for all of my registered AP's to authenticate them, but I do not see a way to do that.

Ideas?

Thx

Accepted Solution
jan.nielsen
Rising star

If you have some place where you normally provision new APs, you can use 802.1x to authenticate them, all you need to do is the WLC config for 802.1x for the APs, boot them on a non-dot1x port so they can get the config from your WLC first, then move them to where they should be in your building.

Otherwise you will need to revert to the less secure, and more management heavy method of doing mac address inventory.


Ok, we did the WLC config for 802.1x for one AP and are getting mixed results.  Finally the AP is trying to auth via dot1x, but auth is still failing.  I'm still missing something.  Ideas?  What does your AuthC and/or AuthZ policy look like to allow them?  Thx.

I am not running it myself, but I have seen the settings in the WLC to configure dot1x for the AP. I believe it will use EAP-MD5 with a username/password configured. It really shouldn't be too difficult to get working: just create an authentication rule that looks in some user database (ISE internal, for example, or AD, or whatever), then do an ISE AuthZ rule that checks for the specific RADIUS username you have used in the WLC config of your AP, or the group that the user is a member of, and return an ACL or VLAN to give the AP access to the network.

What errors are you getting from ISE?

I came in this morning and the AP had successfully authenticated overnight.  I reviewed the auth details and came across something I had not seen before for previous endpoint authentications. Not sure if this is unique to Cisco WLC dot1x, but the event for the authentication was 5206 PAC provisioned.   I have not set up PAC and am really not familiar with PAC yet.  I had to Google it to get an idea of what I was dealing with.  However, once the AP was PAC provisioned it authenticated and was authorized. So I guess I need more clarity on how PAC is used, and is it required for CAPWAP APs?


Edit.  Ignore the item below.  The next two events were:

Also, I don't understand the last 3 lines of the detail below... Why is ISE sending an Access-Reject because of a successful in-band PAC provisioning...?

I'm getting there, but I don't think I have this solved yet.  Any help is appreciated.


Sounds like the AP is trying to use EAP-FAST with CHAP user/pass inside. The PAC is sort of comparable to a certificate trust when doing PEAP authentication. I don't know why it's actually rejecting the AP, since it looks like it's been authenticated properly; maybe you are checking for something in the Wireless Access Points AuthZ rule that's not possible?
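One way to read a run of ISE authentication events for an AP and separate the expected EAP-FAST in-band provisioning cycle (a 5206 PAC-provisioned event that ends in an Access-Reject, followed shortly by a successful re-authentication) from a genuine failure that needs the AuthC/AuthZ policy looked at. This is an added example, not code from the thread or from Cisco; the log lines are constructed, code 5206 is the one quoted in the thread, and 5200/5400 are the standard ISE success/failure message codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ISE message codes: 5206 (PAC provisioned) is the code quoted in the thread;
# 5200 (Authentication succeeded) and 5400 (Authentication failed) are the
# standard ISE live-log codes.
PAC_PROVISIONED, AUTH_OK, AUTH_FAILED = 5206, 5200, 5400

# Constructed sample in a simplified CSV shape (timestamp, Calling-Station-ID,
# message code, RADIUS result). It is not real ISE output.
SAMPLE_LOG = """\
2014-03-10 22:01:05,aa:bb:cc:00:00:01,5206,Access-Reject
2014-03-10 22:01:09,aa:bb:cc:00:00:01,5200,Access-Accept
2014-03-10 22:02:00,aa:bb:cc:00:00:02,5206,Access-Reject
2014-03-10 22:02:04,aa:bb:cc:00:00:02,5400,Access-Reject
2014-03-10 22:03:00,aa:bb:cc:00:00:03,5400,Access-Reject
2014-03-10 22:04:00,aa:bb:cc:00:00:04,5206,Access-Reject
"""

def parse_log(text):
    """Group events by endpoint MAC, ordered by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, code, result = line.split(",")
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events[mac.lower()].append((stamp, int(code), result))
    return {mac: sorted(seq) for mac, seq in events.items()}

def classify(seq, window=timedelta(minutes=5)):
    """A PAC-provisioning reject followed by a success inside the window is
    the normal EAP-FAST in-band provisioning cycle, not a policy problem."""
    for i, (stamp, code, _result) in enumerate(seq):
        if code != PAC_PROVISIONED:
            continue
        later = [c for s, c, _ in seq[i + 1:] if s - stamp <= window]
        if AUTH_OK in later:
            return "ok: in-band PAC provisioning, then successful authentication"
        if AUTH_FAILED in later:
            return "failed after PAC provisioning: check AuthC identity store / AuthZ rule"
        return "PAC provisioned, no re-authentication seen yet"
    if any(c == AUTH_OK for _, c, _ in seq):
        return "ok: authenticated"
    return "failed: authentication failure without PAC provisioning"

def triage(text):
    """Map each endpoint MAC in the log to a one-line explanation."""
    return {mac: classify(seq) for mac, seq in parse_log(text).items()}
```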

Hi Bransomar,
Have you resolved the issue? I have the same issue as you. Please tell me how to fix it if you have resolved it.
Thanks a lot!

Was there a solution? I face the same issues. Thanks

Regards,

Philipp
