NAS Device Type Issue - Guest Wi-Fi

Matthew Martin
Level 5

Hello All,

A little background... We are replacing most of our internal switching for a 3rd party company who is going to be managing our LAN switching and Wi-Fi. But we still want to use ISE as the RADIUS server. They gave us 2 x 48-port switches and 2 APs to set up testing so we can have everything configured when we make the switch.

These switches act as the NAS device for both Wired and Wireless, so when I added the NAS devices to ISE the Device Type was set to the Default type, i.e. "All Device Types".

What's odd is I was able to get our EAP-TLS cert Auth working on both Wired and Wireless. However, when I started on the Guest Wi-Fi I began running into issues (we use ISE's captive portal for authentication). After a few hours of troubleshooting I noticed in the Authentication details that on the initial connection to the Guest SSID the Authentication Policy was hitting "Default >> Default". I haven't seen this happen before since all our Cisco Switches and WLC had device types set to either WLAN, Switch, or VPN. I assume hitting this Authentication Policy means ISE couldn't tell if it was coming from a switch or a WLAN NAS...

Since we're still in the testing phase of this I was able to go into the Network Device settings for this NAS and change it from All Device Types to WLAN just to see what would happen and it instantly started working... Unfortunately, I can't leave it this way because this same NAS is what's used for Wired Auths as well.

I'm attaching some screenshots. The "Failed_Auth" image is before changing the NAS Device Type, and the "Successful_Auth" is after changing that type to WLAN. No other settings were changed, just the NAS Device Type. FYI, they actually gave me a file to upload to ISE for their NAS Device Profiles that defines some settings.

Any suggestions on what to do about this would be greatly appreciated. Maybe I'm just missing something I need to add in the Policy Sets, but I'm not sure.

Thanks in Advance,
Matt

1 Accepted Solution

Accepted Solutions

@Matthew Martin if it works by changing the Device Type and the connections are wireless, why not just rely on "NAS Port Type = Wireless IEEE 802.11" condition and not combine it with Device Type? You just need these policy conditions to differentiate from the other policy sets in order to process the connection requests.

Hey Rob, thanks for the reply.

After I posted and looked through the screenshots I added to the post again, I thought the EXACT same thing... We had a contractor set up our original ISE server years ago. So I wasn't sure if that was something that was there by default or not and was thinking maybe we could do without it...

Ok, if you don't think there's any reason to have that extra condition, I can remove it and see what happens.

-Matt

@Matthew Martin it should work fine, all wireless connections will be processed by that policy set and not match the policy sets above. You can add additional conditions if you wish, but there is probably no need in your environment.

Matthew Martin
Level 5

Thanks Rob, appreciate the second pair of eyes...

I removed the extra Device Type condition and am just using the Port-Type now. Also changed the NAS device back to the Default "All Device Types" and was able to reconnect to that Guest network.

Thanks Again,
Matt
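
The policy set matching discussed in this thread, as an added example that is not part of the original posts and is not Cisco's code: a simplified Python model of top-down, first-match policy set selection. The policy set name `Guest_WiFi`, the exact-match treatment of the device group path, and the sample requests are assumptions constructed for illustration; the NAS-Port-Type numbers are the standard RADIUS values.

```python
# Simplified model of first-match policy set selection (not ISE's implementation).
WIRELESS_80211 = 19  # RADIUS NAS-Port-Type: Wireless - IEEE 802.11
ETHERNET = 15        # RADIUS NAS-Port-Type: Ethernet

def device_type_is(group_path):
    # Assumption: the device group condition is modelled as an exact path match.
    return lambda req: req["device_type"] == group_path

def nas_port_type_is(value):
    return lambda req: req["nas_port_type"] == value

def all_of(*conditions):
    return lambda req: all(cond(req) for cond in conditions)

def select_policy_set(policy_sets, req):
    """Return the first policy set whose condition matches, else 'Default'."""
    for name, condition in policy_sets:
        if condition(req):
            return name
    return "Default"

# Before: guest set requires Device Type = WLAN AND wireless port type.
BEFORE = [("Guest_WiFi", all_of(device_type_is("All Device Types#WLAN"),
                                nas_port_type_is(WIRELESS_80211)))]
# After: guest set keyed on the wireless port type only.
AFTER = [("Guest_WiFi", nas_port_type_is(WIRELESS_80211))]

# Constructed requests from the shared NAS, left at the root device group.
guest_req = {"device_type": "All Device Types", "nas_port_type": WIRELESS_80211}
wired_req = {"device_type": "All Device Types", "nas_port_type": ETHERNET}

if __name__ == "__main__":
    for label, sets in (("before", BEFORE), ("after", AFTER)):
        print(label, "guest ->", select_policy_set(sets, guest_req))
        print(label, "wired ->", select_policy_set(sets, wired_req))
```

With the port-type-only condition, every request carrying NAS-Port-Type 19 lands in this set regardless of which NAS sent it, so its position relative to other wireless policy sets decides what it catches.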