ISE 1.2 rejects RADIUS messages from vWLC

ropeadope
Level 1

Hello,

I have an ISE appliance with the Wireless license. The Cisco vWLC is configured to send RADIUS traffic to the device, but is getting the error message:


11054 Request from a non-wireless device was  dropped due to installed Wireless license

The vWLC is showing up under endpoints as a VMWARE workstation, and not a WLC, and so under the licensing requirements will not allow RADIUS to be received from anything other than a WLC. I tried hard-coding the policy to match a Cisco WLC with a condition of matching its MAC address, and even disabled the VMWARE profile policy, but the endpoint then only matches the "Unknown" policy. Any ideas?

2 Replies

blenka
Level 3

Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)

Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:

test aaa group radius new-code

If this test command is successful, you should see the following attributes:

Connect port

Connect NAD IP address

Connect Policy Service ISE node IP address

Correct server key

Recognized username or password

Connectivity between the NAD and Policy Service ISE node

You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and/or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.

Note

This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

Nicholas Poole
Level 1

Were you able to resolve this?

I have come across this problem with a 5508 WLC (HA pair) where I have set up active RADIUS fallback and ISE (which is just licensed for wireless) is giving the same message.

Which is a bit ironic as the WLAN users can authenticate fine, but the WLC can't test the RADIUS!