ISE 2.0 about WLC3504

chunchao wei
Level 1

Hello, Experts:

The content is to do wireless 802.1x certification for WLC3504 in the wireless project, and build ISE 2.0.0.306 to simulate customer environment test:

Requirements:

The authentication policy passes the wireless 802.1x authentication, the authorization policy passes the MAB list, and the result uses the DVLAN to assign the address.

The problems encountered in the test are as follows:

1. ISE 2.0.0.306 server adds WLC3504 device, turns on RADIUS authentication authorization, and tests to create internal user 'test' normally.

2. Authentication using the ‘default network access’ condition is found to be unsuccessful in connection with the mobile phone and laptop, but you can see in the ISE RADIUS log that authentication/authorization is successful.

Compatibility: I saw on the official website of Cisco that version 2.2 of ISE supports WLC3504. Is this a compatibility problem?

Have you ever met the same problem as me? How did you solve it? Thank you!

Greg Gibbs
Cisco Employee

I'm not quite sure what you're trying to do here as there is conflicting information in your post (ISE 2.0 vs. 2.2, 802.1x vs. MAB, etc).

The WLC3504 was not available at the time of release for ISE 2.0. That platform would not have been tested against ISE 2.0, so it is not listed in the Compatibility List for that version. There are no significant differences in how the WLC3504 handles RADIUS over the other AireOS platforms (2504, 5508, etc), however, so there should be no compatibility issues.

I would suggest reviewing some of these examples to compare against your setup.

Understand and configure EAP-TLS using WLC and ISE 

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 

ISE 2.2 Wireless 802.1X with EAP-TLS and PEAP (Part 1) - Lab Minutes 

Hello Greg

I make AUTHC conditions change to MAB, iPhone test connect SSID is successful.

Why I can't connect to 802.1x with SSID?

802.1x is standard, want to uses PEAP protocol for 802.1x. Exclude compatible issue.

Does anything to do with client security setting?

I'm still not clear what you are trying to do here. You can only use MAB to connect to an Open SSID. You can't use 802.1x on an Open SSID and you must use 802.1x to connect to an SSID configured for 802.1x.

Are you working with two separate SSIDs?

 

With PEAP, the client needs to trust the server certificate. If you're trying to connect an iPhone to an 802.1x SSID using PEAP, the iPhone needs to trust the EAP certificate from ISE. If you're not using an EAP cert in ISE that is signed by a public CA that is already trusted by the iPhone, you will need to manually trust the identity or root CA cert in the iPhone.

See the following posts for more info/examples:

ISE BYOD Endpoint Notes

ISE BYOD Prescriptive Deployment Guide

Hello, Greg

Yes, I opened the two SSID for testing.

Connect to 802.1x SSID the client PC will show “can't connect to this network”

That is a generic Windows error that does not provide much help. You will need to look at the detailed session logs in ISE to start investigating the issue.

Hello, Greg

The 802.1x authz issue has been solved. It was because of the ISE version. Use ISE 2.2 version.

Can you please explain further what the solution was, as I also get the same error?