11-27-2016 09:15 PM
I have two ISE nodes (ver 1.4) in a distributed deployment. I have been using one node for RADIUS authentications, and recently, when it went down, the authentications were sent to the other node, but they did not return when the first node was restored.
The authentications are sent from a 5508 WLC (ver 7.6.130.0) with RADIUS "Fallback mode" set to off. "Active" mode seems to be the option I need, but when I selected it, with a probe username and timeout, ISE rejects the request, which results in the WLC marking the node as down. On ISE, I added the username of the probe as an internal user, but ISE expects a password. In the ISE error log, it finds the username in the "Internal Users" ID store but the password is wrong.
I have read elsewhere that a password should not be necessary, as the WLC only expects a reply, but looking at the WLC 'show radius auth statistics' I can see the requests being sent but no responses are seen.
Alternatively, is there another way to have the probes processed by ISE?
12-01-2016 03:27 PM
The WLC expects the username and password to be the same. Unlike IOS switches, which accept Access-Reject as a valid response, AireOS expects an Access-Accept. Be sure to configure the authorization rule to match the specific use case (probe request from WLC) and return an authorization that limits access, such as 'deny ip any any', to prevent unauthorized users from attempting to use these same credentials for network access.
Craig
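Craig's answer above describes the exchange: the WLC's probe carries a username and an identical password, AireOS only treats the server as up when it gets an Access-Accept, and that accept should carry an authorization that denies real network access. The following Python model of the server-side decision is an added example, not code from the thread, from Cisco or from ISE (which is configured through its GUI, not code). It implements RFC 2865 User-Password hiding and the Response Authenticator, and it uses a constructed shared secret, probe username, internal-user store and ACL name; Filter-Id is used as a generic stand-in for whatever authorization attribute the real deployment returns to the WLC (for example an Airespace ACL name).

```python
import hashlib
import os
import struct

# Constructed values for this example (not from the thread).
SECRET = b"example-shared-secret"          # RADIUS shared secret between WLC and ISE
PROBE_USER = "wlc-probe"                   # hypothetical probe username set on the WLC
PROBE_ACL = "DENY-ALL"                     # hypothetical ACL that denies ip any any on the NAD
INTERNAL_USERS = {PROBE_USER: PROBE_USER}  # constructed internal ID store: probe password == username

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple (min 16), XOR each chunk with an MD5 chain."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the MD5 chain is keyed on the received ciphertext chunks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes the password has no trailing NUL bytes


def encode_avps(avps) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def build_access_request(username: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """What the WLC's fallback probe sends: User-Name plus a hidden User-Password."""
    authenticator = os.urandom(16)
    avps = encode_avps([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps)) + authenticator + avps


def parse_packet(data: bytes):
    """Returns (code, identifier, authenticator, [(type, value), ...]) with length checks."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    avps, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")
        avps.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], avps


def build_response(code: int, ident: int, request_auth: bytes, avps, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def handle_access_request(data: bytes, secret: bytes, users: dict) -> tuple:
    """Server policy: returns (response code, authorization AVPs to attach)."""
    code, ident, auth, avps = parse_packet(data)
    attrs = dict(avps)
    if code != ACCESS_REQUEST or USER_PASSWORD not in attrs:
        return ACCESS_REJECT, []
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, auth)
    if username not in users or users[username].encode() != password:
        return ACCESS_REJECT, []  # an IOS switch would still count this reply as "server alive"
    if username == PROBE_USER:
        # AireOS needs an Access-Accept to mark the server up, so accept the probe
        # but pin the session to a deny-all ACL so the credential grants no access.
        return ACCESS_ACCEPT, [(FILTER_ID, PROBE_ACL.encode())]
    return ACCESS_ACCEPT, []


if __name__ == "__main__":
    req = build_access_request(PROBE_USER, PROBE_USER, SECRET)
    code, ident, auth, _ = parse_packet(req)
    rcode, ravps = handle_access_request(req, SECRET, INTERNAL_USERS)
    print(rcode, ravps, build_response(rcode, ident, auth, ravps, SECRET).hex())
```

Running the block shows the probe getting code 2 (Access-Accept) with the deny-all Filter-Id, while a request with any other password for the same user gets code 3 (Access-Reject), which is exactly the outcome the WLC in the question was seeing before the internal user's password was set to match the username. In a real policy set, the probe rule should also match on the NAS identity (the request's NAS-IP-Address or device group) so that the same credentials presented from anywhere else do not hit the accept rule.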
11-28-2016 10:05 AM
It may be ISE ended up putting the WLC in suppression due to repeated failed attempts. If that’s the case, disable anomalous client suppression for the WLCs. You will probably also want to enable log suppression so those attempts aren’t littering your livelog. Also, I’d consider Passive Mode Fallback if it meets your needs.
George
11-28-2016 04:17 PM
Hi George, thanks for your reply. I might try passive mode as it doesn't send the probe that ISE rejects.