
Configure ISE for WLC Radius fallback

kymratsch
Level 1

I have two ISE (ver 1.4) in a distributed deployment.  I have been using one node for radius authentications and recently when it went down, the authentications were sent to the other node - but it did not return when the first node was restored. 

The authentications are sent from a 5508 WLC (ver 7.6.130.0) with radius "Fallback mode" set to off. "Active" mode seems to be the option I need, but when I selected it, with a username and timeout for the probe, ISE rejects the request, which results in the WLC marking the node as down. On ISE, I added the username of the probe as an internal user, but ISE expects a password. In the error log on ISE, it finds the username in "Internal users IDStore" but the password is wrong.

I have read elsewhere that a password should not be necessary, as what the WLC expects is a reply only, but looking at the WLC 'show radius auth statistics' I can see the requests being sent but no responses are seen.

Alternatively, is there another way to have the probes processed by ISE?


Accepted Solution

The WLC expects the username and password to be the same. Unlike IOS switches, which accept Access-Reject as a valid response, Aire-OS expects an Access-Accept. Be sure to configure the authorization rule to match the specific use case (probe request from WLC) and return an authorization that limits access, such as 'deny ip any any', to prevent unauthorized users from attempting to use these same credentials for network access.

Craig

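Added example, not part of the thread: the WLC-side CLI that Craig's answer implies for a 5508 on AireOS 7.6, with the ISE-side steps as comments since ISE 1.4 is configured in the GUI. The probe username "ise-probe", the ACL name "PROBE-DENY" and the 300-second interval are assumed values; the "!" lines are explanatory comments, not AireOS syntax.

```text
! AireOS 7.6 CLI on the 5508 WLC (assumed names: ise-probe, PROBE-DENY)
! 1. Active fallback: the WLC periodically sends an Access-Request for the
!    probe user to a server it has marked down, and only an Access-Accept
!    brings that server back into service (an Access-Reject keeps it down).
config radius fallback-test mode active
config radius fallback-test username ise-probe
config radius fallback-test interval 300

! 2. A local ACL that denies everything, to be returned to any session
!    that authenticates as the probe user, so the credentials grant no
!    network access even if a client reuses them.
config acl create PROBE-DENY
config acl rule add PROBE-DENY 1
config acl rule action PROBE-DENY 1 deny
config acl apply PROBE-DENY

! 3. Verify: fallback settings, and that probe requests now get responses
!    (the second command is the one already used in the question).
show radius summary
show radius auth statistics

! ISE 1.4 side (GUI), following the accepted answer:
! - Internal user "ise-probe" with the password set to "ise-probe", because
!   the WLC sends the username as the password in the probe.
! - Authorization policy rule matching username ise-probe AND the network
!   device group containing the WLCs, with an authorization profile whose
!   Airespace ACL Name is PROBE-DENY. The result is an Access-Accept (which
!   marks the server up) that carries no usable access.
```

The check after applying this is the second counter on 'show radius auth statistics': responses should now track requests for the probe, and the ISE live log should show the probe hitting the dedicated rule rather than a generic failed authentication.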

3 Replies

gbekmezi-DD
Level 5

It may be that ISE ended up putting the WLC in suppression due to repeated failed attempts. If that's the case, disable anomalous client suppression for the WLCs. You will probably also want to enable log suppression so those attempts aren't littering your live log. Also, I'd consider Passive Mode Fallback if it meets your needs.

George

Hi George, thanks for your reply.  I might try passive mode as it doesn't send the probe that ISE rejects.
