Hi all,
I'm trying to help some folks with an issue they seem to be having with ISE in conjunction with a Cisco WLC. They're using ISE to perform MAC-based authentication and authorization (for VLAN assignment) as well as using the guest-portal functionality. All user management, etc. happens from within ISE; it doesn't link to Active Directory or anything else. Unfortunately, I'm not very familiar with ISE; all the implementations of 802.1X I've done in the past have been with the RADIUS server on Windows.
What I see happening is that sometimes users attempt to authenticate and it seems like the ISE isn't processing the Authorization rules correctly (or at all), but then if you shut the device off and give it an hour or so without making any other changes, ISE seems to process correctly and pass the VLAN tag to the WLC and things proceed correctly. In the RADIUS Live Log, I see the attached. Note how the attempted authentication at 10:36 failed, and then the one that succeeded was at 11:36. The change from an Intel-Device to an Apple-Device was me changing the endpoint profile to see if that made a difference at all (it didn't). The thing I find interesting is the 3 failed attempts that don't show an endpoint profile, an authentication policy, or an authorization policy. Since I'm not familiar with ISE, I don't know where to look and start troubleshooting. I feel like there's some service that's crashing, or that data is being cached somewhere. What would cause this to happen?
Thanks,
Brian