
ISE Internal error suddenly appear

M.Jallad
Level 1

 

I started to see this error message suddenly:

"[500] Internal Error

Please contact system administrator. If you are the System Administrator please consult the logs."

The ISE deployment consists of two nodes, one carrying the Administration persona (primary) and Monitoring (secondary), and the other carrying the Administration persona (secondary) and Monitoring (primary) persona. The setup was running smoothly without any issues. The ISE version was 1.2; after this issue appeared we did the required troubleshooting with no luck, so we upgraded both units to 1.3 and are still facing the same issue.

We noticed a strange behavior on the agent redirection ACL: when trying to reach basic services such as domain, DNS, ... (which are denied from redirection on the ACL), traffic appears to be redirected to ISE (the counters of the last permit ACE in the redirection ACL increase continuously), which shouldn't be the case in the posturing stage.

Has anyone faced this issue, and what does this mean? If you have any ideas, we would appreciate it if you shared them with us...

41 Replies

I think Cisco worked closely with the switch (authenticator) to identify the root cause and eventually release the patch. So I would be inclined to think it's on the ISE.

Sure, the issue was caused by ISE (exactly version 1.3), and not related to the authenticator device (as the same authenticator was working normally on version 1.2.1).

Hi all,

It turned out (well, 99% likeliness) that we were struck by a different issue:

 

If you see error 500 in a wireless situation with mobility groups, esp. an anchor controller, consider this document: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11 (I assume cco login is required).

 

In short: enable accounting ONLY on the (single; maybe active/standby) foreign controller, or disable it completely.

Otherwise all controllers send different session ids in their accounting messages to ISE, confusing the latter. This is a long-outstanding WLC bug, CSCuo56780.

Regards,

Michael.
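A check for the condition described in the post above, added here as an example and not part of the original thread or any Cisco tool: it scans accounting records and flags endpoints for which more than one controller holds an open session with a different session id. The key=value record format, field names and sample values are constructed assumptions; adapt the parser to the accounting export you actually have.

```python
from collections import defaultdict

# Constructed accounting records (hypothetical key=value format, not real ISE/WLC output).
SAMPLE = """\
nas=10.0.0.11 mac=AA:BB:CC:00:00:01 type=Start session_id=0a00000b00000001
nas=10.0.0.21 mac=aa:bb:cc:00:00:01 type=Start session_id=0a00001500000009
nas=10.0.0.11 mac=aa:bb:cc:00:00:02 type=Start session_id=0a00000b00000002
nas=10.0.0.11 mac=aa:bb:cc:00:00:02 type=Interim-Update session_id=0a00000b00000002
nas=10.0.0.11 mac=aa:bb:cc:00:00:03 type=Start session_id=0a00000b00000003
nas=10.0.0.11 mac=aa:bb:cc:00:00:03 type=Stop session_id=0a00000b00000003
nas=10.0.0.11 mac=aa:bb:cc:00:00:03 type=Start session_id=0a00000b00000004
"""

REQUIRED = {"nas", "mac", "type", "session_id"}

def parse_record(line):
    """Split one key=value record into a dict; reject incomplete records."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"record missing {sorted(missing)}: {line!r}")
    fields["mac"] = fields["mac"].lower()  # normalise endpoint identity
    return fields

def find_session_conflicts(text):
    """Return {mac: {nas: session_id}} for endpoints that have open accounting
    sessions from more than one controller with differing session ids."""
    open_sessions = defaultdict(dict)  # mac -> {nas: latest session id}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == "Stop":
            # A closed session on this controller no longer counts.
            open_sessions[rec["mac"]].pop(rec["nas"], None)
        else:  # Start or Interim-Update keeps the session open
            open_sessions[rec["mac"]][rec["nas"]] = rec["session_id"]
    return {
        mac: dict(per_nas)
        for mac, per_nas in open_sessions.items()
        if len(set(per_nas.values())) > 1
    }

if __name__ == "__main__":
    for mac, per_nas in find_session_conflicts(SAMPLE).items():
        print(f"{mac}: conflicting session ids {per_nas}")
```

In the sample, only the first endpoint is flagged; the third reconnects on the same controller after a Stop, which is a normal new session and not a conflict.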

 

awesome! fixed my problem even 2 years later. guess this bug will last forever!

Excuse me, Sir, can I ask you a question? Before this, we used ACS to manage the network devices and to define each user's access level on the device. For example, some users can only use "show", some users can use "config". I want to know how to use ISE to achieve this.

Unfortunately it's not as easy as it used to be in ACS. However, it can be done; you will have to use the "parser views" feature (each view with specific command authorizations) along with exec authorization on each IOS device, then define the corresponding authorization profile on ISE to allocate the specific "cli view name" Radius AV pair, and finally assign the profile to an authorization policy that matches a specific user or group condition (a local identity or an external identity user).

 

 

“Parser Views”? I cannot find it in ISE. And how do I configure the authorization profile? Can you give me a link or website to help me? Thank you very much.

Wency, maybe you should start a new thread, this is not error 500 related.

 

That said, you seem to refer to Tacacs functionality. This protocol is not yet supported in ISE. (will be in 2.0; no, I don't know when this will be out).

One can manage CLI access to devices with Radius too, but rather than being able to check each command on ISE, the user gets a certain 'privilege' at login. How the device enforces that depends on the device. Parser views are a cool feature on IOS devices (routers), but several devices (switches and old routers) support only 15 privilege levels (and you can change the preset levels of commands). Yet other devices (WLC and Prime) use user Roles. Which Radius attributes are to be sent depends on the device. You'll have to look it up in the switch/router/etc. manual. Look for aaa and radius attributes.

 

On ISE, you just add the proper Radius attributes to the authz profile, like this.

 

To assign a level of 15 (enable mode) for example.

 

 

Hi All,

 

Just an update to the current bug that we are facing: the bug CSCur94336 was fixed in 1.3 patch 1. However, the issue was not resolved and a new bug has been opened, CSCus89119. This bug does not clearly mention, though, whether it's the authenticator that's triggering the session id removal or the ISE. For all the wireless use cases where the error 500 is seen, it might be worthwhile to get detailed debugging to find out if it's an authenticator trigger or the way ISE handles the session id management.

The patch for CSCus89119 is expected to be released in April.

Ok so, good information to know, but I have a hard time seeing how this is a solution.

A D
Level 1

Installed primary and secondary node, running version 1.3.0.876. Both are configured to authenticate guests via the guest portal. Whenever the secondary node gets the (re-)authentication-query, error 500 internal error gets displayed, never on the primary node though.

ibrahim_hassan
Level 1

I installed ISE 1.3 patch 2, but I am still getting the error 500.

We have one WLC with 2 SSIDs, and the issue does not happen with all devices, even with the same SSID.