ISE WLAN Controllers Best Practices

Marcin Zgola
Level 4

I have a customer with a large deployment of ISE. They have 100s of WLAN controllers in different parts of the world.

We experience occasional connectivity problems. The problem is on the wireless side, as clients can't successfully authenticate to get on the wireless network.

I am not a wireless expert, but I see things like:

1. Fast SSID Change enabled and disabled on some controllers

2. SSID Broadcast selected, but WLAN Anchor Controllers do not have this checked.

3. Aironet IE enabled and disabled

4. Authentication and Accounting Servers enabled and disabled on some Anchor Controllers.

My question is: is there a best practice document out there on the optimal and best wireless configuration for ISE to do CWA and 802.1X with Posture?

Thank you

CCIE 18676

Gagandeep Singh
Cisco Employee

Hi,

CWA document for reference:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

ASA Version 9.2.1 VPN Posture with ISE Configuration Example

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

Regards

Gagan

rate if it helps!!!!

nspasov
Cisco Employee

Hello Marcin-

I would suggest you check out the following Cisco Live Session:

BRKSEC-3699 - Designing ISE for Scale & High Availability

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=90923&tclass=popup

There are tons of good info there, but more importantly, the slides include best practices for the different NAD types, including WLCs.

I hope this helps!

Thank you for rating helpful posts!

antmatrix
Level 1

The four items listed won't cause/fix the issue you explained. Fast SSID should be enabled if users switch between different SSIDs often, and WLC anchors don't broadcast SSIDs; the foreign controller does, so that setting is correct.

What do the Prime logs say for the clients that failed authentication?