first time CoA

edondurguti
Level 4

I have this problem where first-time users hit the default reject profile because they are not being profiled. They remain unknown until I reconnect. Can this be because the access point is a 1231 converted to lightweight? (It does support change of VLAN, though.) I have CoA set to ReAuth. Still not sure if this is a packet-of-disconnect issue with that AP. If someone faced this, I'd appreciate the help.

Sent from Cisco Technical Support iPhone App

39 Replies

Yeah I saw some message regarding the identity group not being able to be deleted also. Did you try deleting these endpoints and trying again?

I think you found an issue where an authorization policy may be left in the database, for that issue I suggest opening a TAC case to get this removed for you.

thanks,

Tarik Admani
*Please rate helpful posts*

I understand when that profile is associated with an endpoint it doesn't even let you delete, but anyway this has been from before; I didn't see a timestamp, but now when I do a debug for the profiler it doesn't seem to get logs at all. I will see something else with RADIUS and then finally I will open a TAC case if I'm stuck.

I do appreciate your help

Couldn't figure out what's going on. I'm thinking of resetting ISE since it's not in production yet; do you think I should do that before opening a TAC case?

Btw, ISE does profile in HREAP with WLC code 7.0.x.x but doesn't change VLAN in HREAP.

You can try to issue a factory reset in order to reset the database.

However, if you are running HREAP (FlexConnect nowadays), local switching isn't supported with ISE. The reason for this is that the initial authentication is done through the CAPWAP tunnel, but any ACL or redirection won't occur since the traffic is locally switched, hence the reason why FlexConnect isn't supported with ISE for advanced features (CoA, redirection ACLs, etc.).

Thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti
Level 4

Hmmmm. Interesting. I thought the VLAN change would be supported on 7.2 WLC with FlexConnect. I know WLC doesn't support FlexConnect ACLs. You sure 7.2 doesn't support VLAN change?

Sent from Cisco Technical Support iPhone App

You are correct that this will work with 7.2; I thought you were referring to 7.0 code. The documentation (1.1.1 release notes) says that it doesn't support FlexConnect. However, this seems to be a bug and doesn't show it is only extended to VLAN assignment.

Thanks,

Tarik Admani
*Please rate helpful posts*

Just for the info if someone ever comes here:

ISE 1.1.1 and WLC 7.2.x.x do support VLAN change, and there is something called FlexConnect ACLs which work great :] with a little reading about them.

Anyway, thanks Tarik. I did reset the ISE application; it didn't help. The problem is that the MAC is not recognized (there is no rule to create an identity group based on that OUI, so no group is selected and they get denied).

There are a couple of workarounds that we came up with:

Create an isolated VLAN and set a secondary ip helper-address to point to ISE. Once they request DHCP, ISE will have the DHCP probe collect the dhcp-class-identifier (for Microsoft) and profile them as a Windows workstation.

iPhones are getting profiled based on their hostname; if it doesn't have a hostname, well, it's only identified as an APPLE DEVICE, so without some kind of SPAN or HTTP probe I don't think you can drill deeper.

You can always statically assign people to identity groups.

I've been brainstorming the profile thingy lol
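As an added illustration (not from this thread and not Cisco's own profiler logic), here is a small Python model of the two profiling paths the post describes: a DHCP option parser that pulls out dhcp-class-identifier (option 60) and hostname (option 12), then applies the rules above. The Apple OUI and the sample DHCP packets are constructed assumptions.

```python
# Added example: model of the DHCP-probe profiling described in the thread.
# Option 60 "MSFT ..." -> Windows workstation; Apple OUI + hostname containing
# "iphone" -> Apple-iPhone; Apple OUI with no hostname -> Apple-Device only.
# The OUI below and the sample packets are constructed, not taken from the thread.
import struct

APPLE_OUIS = {"00:1c:b3"}   # assumption: one Apple OUI for the demo


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message (after the magic cookie).
    Returns {option_code: raw_value}; stops at the end option (255)."""
    opts, i = {}, 0
    while i + 1 < len(options) or (i < len(options) and options[i] in (0, 255)):
        code = options[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = options[i + 1]
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def profile_endpoint(mac: str, options: bytes) -> str:
    """Return the profile the thread's rules would assign to this endpoint."""
    opts = parse_dhcp_options(options)
    class_id = opts.get(60, b"").decode("ascii", "replace")
    hostname = opts.get(12, b"").decode("ascii", "replace")
    oui = mac.lower()[:8]                 # first three octets, "xx:xx:xx"
    if class_id.startswith("MSFT"):
        return "Microsoft-Workstation"    # dhcp-class-identifier matched
    if oui in APPLE_OUIS:
        if "iphone" in hostname.lower():
            return "Apple-iPhone"         # hostname lets us drill deeper
        return "Apple-Device"             # no hostname: generic Apple only
    return "Unknown"                      # no matching rule -> reject profile


def build_options(*tlvs) -> bytes:
    """Build a constructed DHCP option blob from (code, value) pairs."""
    body = b"".join(struct.pack("BB", c, len(v)) + v for c, v in tlvs)
    return body + b"\xff"


# Constructed sample DISCOVER option blobs (option 53 = message type 1).
WINDOWS_DISCOVER = build_options((53, b"\x01"), (60, b"MSFT 5.0"), (12, b"DESKTOP-01"))
IPHONE_DISCOVER = build_options((53, b"\x01"), (12, b"Edons-iPhone"))
APPLE_NO_HOSTNAME = build_options((53, b"\x01"))
```

Run `profile_endpoint("00:1c:b3:11:22:33", APPLE_NO_HOSTNAME)` to see the generic Apple-Device result the post complains about.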

Also keep in mind that the Cisco product line is constantly adding features; more recently, for example, the DHCP profiling option from the WLC (hopefully it will send more attributes, much like the IOS device sensor feature). If you take advantage of the device registration feature or any means of redirecting users to the guest portal and having them authenticate again (this will only occur once)... for example:

Users that authenticate through MSCHAPv2 (PEAP) and whose device isn't profiled as an Apple-iPhone, iPad, etc. and are stuck in the Apple device identity group, you can redirect them to the guest portal. You can configure your guest identity sequence to include AD so that users can enter their credentials again, get redirected to the AUP and then be profiled as an Apple iPhone. This doesn't do anything for you with regards to FlexConnect (not able to perform CoA), but it's a workaround that will help you if you come across this issue. I am sure there will be a feature that will help reauthenticate users through FlexConnect deployments, since the CoA and RADIUS traffic is performed through the management plane, so it's only a matter of time (in my opinion) before this will work in a FlexConnect environment.

Tarik Admani
*Please rate helpful posts*

Thanks for your input man

So I can create an authorization for APPLE DEVICES to go to the guest portal and add an AD sequence there. Just with me the ACL wouldn't work because I am on Flex, and the AUTOLOGIN wouldn't pop up (as for guest access) because Apple has implemented it through a file that it tries to download from their server:

http://www.apple.com/library/test/success.html so I can deny this with a FlexConnect ACL or a routed ACL on the local router; then I'm sure it will pop up. Once the iPhone cannot get that file, it will open Safari and then I'm redirected :]

The auto login is designed to detect a 302 response when the HTTP GET request is sent. If ISE didn't use HTTPS then this would work a little better. It's a probe that Apple designed in order to detect the captive portal and to "magically" pop up the login page in order to get access.

Thanks,

Sent from Cisco Technical Support iPad App