ise radius/nac

edondurguti
Level 4

Can ISE 1.1 act as a RADIUS for WGB through WLC?

Thank you.

6 Replies

Tarik Admani
VIP Alumni

Yes it can; ISE supports the protocols found in this Q&A regarding WGB:

http://www.cisco.com/en/US/products/hw/wireless/ps441/products_qanda_item09186a0080094644.shtml#q11

Here is the authentication protocol configuration section in ISE:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_auth_pol.html#wp1146161

Thanks,

Tarik Admani

Hi thanks for your reply.

Here is my in depth problem:

https://supportforums.cisco.com/message/3666442#3666442

Edon,

Are you using EAP-FAST or MAC filtering to get the workgroup bridge authenticated to the same SSID? I had a chance to skim through the thread, and it seems that you are being redirected to the web portal for authentication; is that correct? If you are using MAC filtering, then we may have to manually add all the WGBs to a specific endpoint group and build a policy so that all WGBs receive an Access-Accept with no additional attributes.

If that is not the case please summarize where you are at this point.

Thanks,

Tarik Admani

Tarik,

Thanks for your answer. Here is the problem!!!

In order to do PROFILING/POSTURING and all that for wireless clients, here is what's needed:

Need to go to WLC (wireless controller) and choose RADIUS/NAC for the SSID.

So with SSID = test set to RADIUS/NAC, all normal clients go through ISE and get postured and profiled, and all that works fine except...

WGBs cannot connect to SSID=test at all, and they do not appear on ISE as an attempt at all.

As soon as I remove the RADIUS/NAC option from the WLC, the WGB connects, shows up on ISE fine and gets authenticated ---> you would say, well, there you go, that's your problem. Well, yeah, but if I DISABLE the RADIUS/NAC option on the WLC I lose the ability to control normal users that connect to SSID=test, so it would just be PERMIT/DENY ACCESS based on username, and the whole point of ISE would be ACS or a simple RADIUS server.

Do you get my point?

Thank you.

P.S. So for me to POSTURE/PROFILE wireless clients I need to use the RADIUS/NAC option, and for WGBs I have to set up a NEW SSID and leave that SSID without the RADIUS/NAC option so it can only authenticate through ISE and not posture/profile clients. I do not need to posture/profile clients behind the WGB (it would be great, but I don't necessarily need to, and I know they don't support the CoA Change of Access attribute in RADIUS).

Edon,

Here is an article that states WGB is not supported; however, I think the scope of the document focuses primarily on posturing, so I don't want to give up hope yet.

https://supportforums.cisco.com/docs/DOC-18121#Limitations

How are you associating your WGB to the production SSID? Are you using MAC filtering or EAP-FAST? (Excuse my ignorance; since this is a AAA forum, I am not well versed in the WGB arena.)

I think if you can create a test condition where the WGB is statically assigned to an endpoint group, enable MAC filtering on the SSID, and select an authorization policy where the endpoint group of the WGB matches an Access-Accept-only authorization profile (no redirect, no ACLs, just send the Access-Accept), then this may get the ball rolling and drop the webauth messages you are seeing in the debugs. Let me know if that works.

Thanks,

Tarik Admani
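As an added illustration (not code from this thread, ISE or Cisco), the following Python models the policy Tarik outlines: a WGB whose MAC is statically placed in an endpoint identity group gets a bare Access-Accept, while other clients on the RADIUS/NAC SSID get the posture redirect that relies on a later CoA. The group name, MAC table and redirect URL are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Hypothetical endpoint identity group and a constructed MAC-to-group table
# standing in for the static WGB assignment described in the post.
WGB_GROUP = "WorkgroupBridges"
ENDPOINT_GROUPS = {"001a2b3c4d5e": WGB_GROUP}

# Attribute names that only work if the client can later be re-authorized
# via CoA (redirect to the posture portal, then a second Access-Accept).
COA_DEPENDENT = ("url-redirect", "url-redirect-acl")


def normalize_mac(mac: str) -> str:
    """Fold the Calling-Station-Id formats a WLC may send (aa-bb, aa:bb, aabb.ccdd) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


@dataclass
class Request:
    mac: str    # RADIUS Calling-Station-Id
    mab: bool   # True when the WLC sends a MAC-filtering (MAB) request


@dataclass
class Response:
    code: str                                      # "Access-Accept" or "Access-Reject"
    av_pairs: list = field(default_factory=list)   # cisco-av-pair values


def authorize(req: Request, nac_enabled: bool = True) -> Response:
    """Evaluate the constructed policy: WGB rule first, then the normal NAC flow."""
    group = ENDPOINT_GROUPS.get(normalize_mac(req.mac))
    if req.mab and group == WGB_GROUP:
        # Rule 1: known WGB -> plain Access-Accept, no redirect, no ACL.
        return Response("Access-Accept")
    if nac_enabled:
        # Rule 2: ordinary client on the RADIUS/NAC SSID -> posture redirect.
        return Response("Access-Accept", [
            "url-redirect-acl=POSTURE-REDIRECT",                       # placeholder ACL name
            "url-redirect=https://ise.example.invalid/portal/gateway",  # placeholder URL
        ])
    # RADIUS/NAC off: accept with no posture/profiling control (the original problem).
    return Response("Access-Accept")


def needs_coa(resp: Response) -> bool:
    """True when the result depends on a later CoA, which the thread notes WGBs do not support."""
    return any(p.split("=", 1)[0] in COA_DEPENDENT for p in resp.av_pairs)
```

Running `needs_coa` over each authorization profile is a quick way to confirm the WGB rule really sends nothing the bridge cannot handle.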

Thank you, sir, will try to do that, but as of right now I had a WLC demo and I don't have it now, but will soon get the real thing of all ISE, WLC and NCS and will do some further testing.

I have like 800 WGBs, and if I have to create another SSID and re-configure them all that would be