Cisco ISE integration with Cisco WLC - Not Working

swaeltjie23 (Level 1)

Cisco WLC Software Version: 8.5.140.0

Cisco ISE Version: 2.4.0.357 with Patches 5 & 6

Documentation followed: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc12

 

After following the above documentation, I'm still unable to successfully connect a client to the SSID. It keeps on saying that it's "Obtaining an IP Address" and nothing happens. I can confirm that RADIUS is fine between the WLC and ISE. When I disable MAC Filtering on the SSID, everything works perfectly fine when connecting to the SSID. As soon as I enable it, I can't connect. I can also confirm that the Cisco-AV-Pair for the portal and the ACL is being sent back from ISE to the WLC.

 

Any ideas? 

9 Replies

pan (Cisco Employee)

What do you see in ISE logs?

What does show client detail <mac address of client> show?

What does show client detail <mac address of client> show?

(Cisco Controller) >show client detail xx:xx:xx:d4:fa:6f
Invalid client MAC address provided.

As the client never actually connects successfully to the SSID, the output doesn't show anything.

What do you see in ISE logs?

ISE logs indicate that all is well. Authorization was successful and returned back to WLC. 

Arne Bier (VIP)

The Web redirect ACL is pretty important - it has to allow the client to get DNS and DHCP and to talk to the ISE PSNs.

If the WLC is stuck on DHCP_REQ mode (for example) then it means the client cannot get its DHCP request through.  I would look at the ACL carefully.  Maybe start with a permit all (to rule out the ACL being the culprit) and then work your way down the list 

Currently the access list is configured exactly as in the documentation (the IP addresses are different, of course). I also tried with a permit-all rule, but that still made no difference.

Is the client getting an IP address?  If not, then it smells a bit like ACL is blocking it.

 

If you look at the Result Profile that ISE sends to the WLC, is the Redirect-URL valid, in terms of a URL that a client on the Guest VLAN could resolve?   e.g. https://ise.mycompany.com:8443/portal...blah - the client VLAN needs to be able to resolve ise.mycompany.com to the IP address of the PSN that processed the MAB request.

 

Maybe the WLC settings are suspect.  If you get stuck, just share your WLAN profile for a sneak peek.
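The two checks Arne Bier describes above (the pre-auth redirect ACL must permit DHCP, DNS and the PSN portal port, and the Redirect-URL host must resolve from the guest VLAN) as an added offline lint, not code from this thread or from Cisco; the ACL tuples, the guest-VLAN DNS mapping, the DNS server address and the cisco-av-pair values are constructed stand-ins for what a real WLC and ISE would hold.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed simplification of a WLC ACL in evaluation order (first match
# wins, implicit deny at the end): (action, protocol, dst network, dst port or None).
GOOD_ACL = [
    ("permit", "udp", "0.0.0.0/0", 67),        # DHCP to the server
    ("permit", "udp", "0.0.0.0/0", 53),        # DNS, so the redirect host resolves
    ("permit", "tcp", "10.10.10.5/32", 8443),  # the ISE PSN guest portal
]
BAD_ACL = [("permit", "tcp", "10.10.10.5/32", 8443)]  # DHCP and DNS forgotten

# Constructed stand-ins: what the guest VLAN resolver answers, and its address.
GUEST_DNS = {"ise.mycompany.com": "10.10.10.5"}
DNS_SERVER = "10.10.10.53"

# Constructed cisco-av-pair values of the shape ISE returns in the Access-Accept.
AV_PAIRS = [
    "url-redirect-acl=CWA_REDIRECT",
    "url-redirect=https://ise.mycompany.com:8443/portal/gateway?portal=PORTAL_ID_PLACEHOLDER&action=cwa",
]

def first_match(acl, proto, dst_ip, dst_port):
    """Action of the first rule matching the flow, or the implicit 'deny'."""
    for action, rproto, net, port in acl:
        if rproto in (proto, "any") and ip_address(dst_ip) in ip_network(net) \
                and port in (None, dst_port):
            return action
    return "deny"

def lint_cwa(av_pairs, acl, dns):
    """Return findings for the CWA pre-auth path; an empty list means it is open."""
    attrs = dict(p.split("=", 1) for p in av_pairs)
    url = attrs.get("url-redirect")
    if not url:
        return ["no url-redirect attribute returned"]
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    try:
        psn_ip = str(ip_address(host))   # redirect already carries an IP literal
    except ValueError:
        psn_ip = dns.get(host)           # otherwise the guest VLAN must resolve it
        if psn_ip is None:
            return [f"guest VLAN cannot resolve {host}"]
    findings = []
    if first_match(acl, "udp", "255.255.255.255", 67) != "permit":
        findings.append("ACL blocks DHCP (udp/67)")
    if first_match(acl, "udp", DNS_SERVER, 53) != "permit":
        findings.append("ACL blocks DNS (udp/53)")
    if first_match(acl, "tcp", psn_ip, port) != "permit":
        findings.append(f"ACL blocks the portal at {psn_ip}:{port}")
    if "url-redirect-acl" not in attrs:
        findings.append("no url-redirect-acl attribute returned")
    return findings
```

A client stuck at "Obtaining an IP Address" with the BAD_ACL shape is exactly the DHCP finding; the DNS finding is what a name-based Redirect-URL trips over even when the portal rule itself is right.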

 

Client never gets an IP address. We have double checked and it's not the DHCP server. When you test with a physical host on the vlan, the host obtains an IP without issues.

 

Regarding the portal, I modified it so that we don't send a DNS name but instead an IP address: "AAA Override Url-Redirect 'https://10.10.10.10:8443/portal....blah'".

 

I have changed the VLAN ID, SSID names and IPs for the purposes of pasting the configuration of the WLAN profile here:

 

WLAN Identifier.................................. 99
Profile Name..................................... The Test
Network Name (SSID).............................. The Test
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Enabled
DHCP ....................................... Enabled
HTTP ....................................... Enabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Enabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)

Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Web Auth Captive Bypass Mode..................... None
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ the_test
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
Central NAT Peer-Peer Blocking................... Unknown
DHCP Address Assignment Required................. Enabled

Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)

Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 10.10.10.5 1812 *
Accounting.................................... 10.10.10.5 1813 *
Interim Update............................. Disabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled

Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)

PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Not Applicable
Flex Avc Profile Name............................ None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40

DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable

Lobby Admin Access............................... Disabled

Fabric Status
--------------

Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30

We ran across a similar issue. I don't guarantee this is the fix, but we disabled "DHCP Address Assignment Required" on the WLC. Clients connected with no problem.

alfonso.cornejo (Level 3)

Hi,

What did you do in order to fix it?

I'm having the same issue with ISE 2.4 Patch 9 and a vWLC with an AP in FlexConnect using an SSID for MAB: if I have MAC filtering enabled in the WLAN configuration, the user never gets an IP address from the DHCP server.

Regards,

We disabled the 'DHCP Addr. Assignment' advanced setting for the WLAN. Doesn't seem like the logical fix; however, the errors were reproduced when it was enabled. Hope that helps you.