Solved: ISE 2.1 limited support with WLC 4400 on AAA and Guest service

Tai Eric · ‎12-14-2016

According to Cisco document " Cisco Identity Services Engine Network Component Compatibility, Release 2.1" , it stated that limited support with Cisco WLC 4400 on feature of AAA and Guest service but it doesn't provide any detailed information of what is the supported feature and unsupported feauture on WLC 4400 AAA and Guest services.

Anyone know the detail of supported feature and unsupported feauture on WLC 4400 AAA and Guest services

Regards,

Eric

nspasov · ‎12-14-2016

Hi Eric-

If memory serves me right, 7.0 is the latest version of code that the 4400 controllers can run. This is a problem because CoA (Change of Authorization) was added to the WCL platform in version 7.2. Many of the advanced/cool features of ISE depend on CoA: CWA (Central Web Authentication), Posture, BYOD are just a few to mention. Here is a quick summary of features and support:

Scenarios                      WLC 7.0            7.2
802.1X Auth                     Yes               Yes
802.1X + Posture                Yes               Yes
802.1X + Profiling              Yes               Yes
Web Auth + Posture              No                Yes
Web Auth + Profiling            Inventory only    Yes
Central Web Auth(CWA)           No                Yes
Local Web Auth(LWA)             Yes               Yes

So with regards to guest, you will only be able to run LWA (Local Web Authentication).

With that said, ISE 2.1 introduced additional support for devices that do not support CoA. One of those features is the DHCP/DNS services with an Auth VLAN. This feature allows those advanced features (CWA, Posture, etc) to be supported on devices such as the 4400s to support. For more information on that you can check ISE's Admin Guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎12-14-2016

Hi Eric-

If memory serves me right, 7.0 is the latest version of code that the 4400 controllers can run. This is a problem because CoA (Change of Authorization) was added to the WCL platform in version 7.2. Many of the advanced/cool features of ISE depend on CoA: CWA (Central Web Authentication), Posture, BYOD are just a few to mention. Here is a quick summary of features and support:

Scenarios                      WLC 7.0            7.2
802.1X Auth                     Yes               Yes
802.1X + Posture                Yes               Yes
802.1X + Profiling              Yes               Yes
Web Auth + Posture              No                Yes
Web Auth + Profiling            Inventory only    Yes
Central Web Auth(CWA)           No                Yes
Local Web Auth(LWA)             Yes               Yes

So with regards to guest, you will only be able to run LWA (Local Web Authentication).

With that said, ISE 2.1 introduced additional support for devices that do not support CoA. One of those features is the DHCP/DNS services with an Auth VLAN. This feature allows those advanced features (CWA, Posture, etc) to be supported on devices such as the 4400s to support. For more information on that you can check ISE's Admin Guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html

I hope this helps!

Thank you for rating helpful posts!

Tai Eric · ‎12-15-2016

Hi Neno Spasov,

Thanks for the information, it did help a lots.

Regards,

Eric Tai

nspasov · ‎12-16-2016

You are welcome Eric! Glad I was able to help! :)