Hi All,
Just want to get some clarification around the requirements to add ISE under the Foreign and Anchor WLCs.
In short, below is the lab testing and research showing only t Foreign WLC is required to have ISE PSN nodes added and Anchor WLC does NOT communicate with ISE even when it has been added with the exception of Accounting Interim update
Lab Testing:
- LAB Test -Guest WLAN#1 with CoA and Contractor WLAN#2 with PEAP setup between Foreign and Anchor WLC 8.2.x and ISE 2.0
- LAB Test Result- Only Foreign WLC communicates to ISE
Research
- [CCO] Anchor-Foreign Scenario Central Web Authentication on the WLC and ISE Configuration Example
- Summary- Only the foreign WLC contacts the ISE
- [ISE Community] ISE Guest Anchor controller DMZ Configuration
- Foreign controller you need to point auth/accounting to the guest PSN in the DMZ. Poke holes in the FW to allow UDP 1812/1813 to that PSN.
- On the anchor controller only auth should be sent to the guest PSN. Do not send accounting information
- Summary:
- [ISE Community]No Redirect URL received -ISE 1.4-WLC Anchoring
State: Radius is done only by foreign wlc. The ACL should be configured on both WLC.
- [Tech Zone]ISE Integration With Foreign/Anchor WLC Deployment
- State: The diagram shows the Radius Packet Between Foreign WLC to the ISE
- [ISE Community]ISE Guest Access Prescriptive Deployment Guide
- State: Page 10 - Accounting needs to be configured on the foreign controller (e.g remove Accounting on the Anchor)
- [WLC Defect]CSCuz45986 CWA not working on Cisco 8500 Series WLC as Guest anchor with Accounting enabled
- State: Accounting on the Anchor WLC should be removed
In summary -
- Radius Accounting and Authentication on the Anchor WLC is not required
- Is there any reason why we should be adding ISE PSN on the Anchor WLC for Accounting or Authentication reason?
- Any other points will be great!
Cheers,
Won
