
Problem with authentication and authorization dot1x on Cisco ISE

Good day.

I have a problem. I can't connect to the Wi-Fi network from an Android device or from other devices. Cisco ISE v2.2 is used for authentication and authorization. A WLC 5760 wireless controller manages the access points.

 

On the WLC I configured the RADIUS server, server group and method list. I also created and configured the WLAN. Screenshots of the settings are in the attachment.

 

The authentication policy was created in the following way:

Standard rule 1: if Airespace:Airespace-Wlan-id EQUALS 10 Allow protocols: Default Network Access and
Default: Use Internal users

The authorization policy was created in the following way:

Standard rule 1: if LME_Guest AND (Airespace:Airespace-Wlan-id EQUALS 10) then: PermitAccess

 

When a device connects to the network, it reports an authentication problem. The WLC 5760 log is here:

Mar  5 19:33:24.695: %PARSER-5-CFGLOG_LOGGEDCMD: User:vg  logged command:shell processing

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Processing assoc-req station: 7423.4497.7706  AP: 84b8.02c0.9050 -00 thread:-110073160

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP  84b8.02c0.9050

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 qos upstream policy is In_Client_LME_Guest and downstream policy is Eg_Client_LME_Guest

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apChanged 0 wlanChanged 1 mscb ipAddr 192.168.111.151, apf RadiusOverride 0x0, numIPv6Addr=0

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN policy on MSCB.

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Disconnect client immediately due to WLANswitch from 3(LME_Guest) to 10(LME_Employee)

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clean up Mscb after WLAN change

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clear aaa attributes

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 dot1xapiCleanup Session Stop for dot1x/open client.iifid: 5095c0000f336e capwap id: 76f7000000005f old capwap id:76f7000000005f

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing the audit session ID and AAA session id in MSCB

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Incrementing the Reassociation Count 1 for client (of interface VLAN311_LME_Guest)

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 MS got the IP, resetting the Reassociation Count 0 for client

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing Address 192.168.111.151 on mobile

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  192.168.111.151 RUN (20) Skipping TMP rule add

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to DHCP_REQD (7) last state RUN (20)

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_CHANGE: Client 1 vlan 311 m_vlan 311 Radio iif id 0x4d2ec000000075 bssid iif id 0x66a380000000fe, bssid 84b8.02c0.9050

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_AUTH: Adding opt82 len 0

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_CHANGE: Suppressing SPI (client pending deletion) pemstate 7 state LEARN_IP(2) vlan 311 client_id 0x5095c0000f336e mob=Local(1) ackflag 2 dropd 0, delete 1

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) pemAdvanceState2: MOBILITY-INCOMPLETE with state 7.

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 4334

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Reason code 1, Preset 1, AAA cause 1

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Cannot delete client entry, IP address is 0

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [ 84b8.02c0.9050 ]

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Cannot delete client entry, IP address is 0

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Incrementing the Reassociation Count 1 for client (of interface VLAN311_LME_Guest)

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing Dhcp state for station  ---

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending SPI spi_epm_terminate_feature successfullifid: 5095c0000f336e capwap id: 76f7000000005f

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting wireless client; Reason code 1, Preset 1, AAA cause 1

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DEL: Successfully sent

Mar  5 19:33:25.227: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Challenge Fail, already scheduled for deletion

Mar  5 19:33:25.227: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Handling pemDelScb Event skipping delete

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB SPI response msg handler client code 1 mob state 1

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfProcessWcdbClientDelete: Delete ACK from WCDB.

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DELACK: wcdbAckRecvdFlag updated

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DELACK: Client IIF Id dealloc SUCCESS w/ 0x5095c0000f336e.

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Invoked platform delete and cleared handle

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting mobile on AP  84b8.02c0.9050 (0)

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Calling SM stop unconditionally for dot1x/open   ifid: 0 capwap id: 76f7000000005f old capwap id:76f7000000005f

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Unlinked and freed mscb

Mar  5 19:33:25.721: %AUTHMGR-4-UNAUTH_MOVE: (slow) MAC address (3084.5437.e218) from Ca60 to Ca2

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Processing assoc-req station: 7423.4497.7706  AP: 84b8.02c0.9050 -00 thread:-110073160

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Adding mobile on LWAPP AP  84b8.02c0.9050 (0)

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706  Creating WL station entry for client -  rc 0

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP  84b8.02c0.9050

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN policy on MSCB.

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN ACL policies to client

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 No Interface ACL used for Wireless client in WCM(NGWC)

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying site-specific IPv6 override for station  7423.4497.7706  - vapId 10, site 'default-group', interface 'VLAN311_LME_Guest'

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying local bridging Interface Policy for station  7423.4497.7706  - vlan 311, interface 'VLAN311_LME_Guest'

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 STA - rates (8): 2 4 11 22 12 18 24 36 0 0 0 0 0 0 0 0

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 STA - rates (12): 2 4 11 22 12 18 24 36 48 72 96 108 0 0 0 0

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Received 802.11i 802.1X key management suite, enabling dot1x Authentication

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 new capwap_wtp_iif_id 76f7000000005f, sm capwap_wtp_iif_id 0

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Radio IIFID 0x4d2ec000000075, BSSID IIF Id 0x57a500000f31b8, COS 4

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Anchor Sw  1, Doppler 1

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ALLOCATE: Client IIF Id alloc SUCCESS w/ client 738540000f33e1 (state 0).

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 iifid Clearing Ack flag

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Platform ID allocated successfully ID:3819

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Adding opt82 len 0

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Cleaering Ack flag

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: ssid LME_Employee bssid 84b8.02c0.9050 vlan 311 auth=ASSOCIATION(0) wlan(ap-group/global) 10/10 client 0 assoc 74 mob=Unassoc(0) radio 0

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 m_vlan 311 ip 0.0.0.0 src 0x76f7000000005f dst 0x0 cid 0x738540000f33e1 glob rsc id 3819 dhcpsrv  192.168.96.1  type 0 IPSG off

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: mscb iifid 0x738540000f33e1 msinfo iifid 0x0

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 START (0) Initializing policy

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to AUTHCHECK (2) last state START (0)

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to 8021X_REQD (3) last state AUTHCHECK (2)

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 8021X_REQD (3) DHCP Not required on AP  84b8.02c0.9050  vapId 10 apVapId 10for this client

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Not Using WMM Compliance code qosCap 00

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP  84b8.02c0.9050  vapId 10 apVapId 10

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfPemAddUser2 (apf_policy.c:204) Changing state for mobile  7423.4497.7706  on AP  84b8.02c0.9050  from Idle to Associated

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Stopping deletion of Mobile Station: (callerId: 48)

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Ms Timeout = 0, Session Timeout = 300

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending assoc-resp station: 7423.4497.7706  AP: 84b8.02c0.9050 -00 thread:-110073160

Mar  5 19:33:25.758: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending Assoc Response to station on BSSID  84b8.02c0.9050  (status 0) ApVapId 10 Slot 0

Mar  5 19:33:25.758: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfProcessAssocReq (apf_80211.c:6359) Changing state for mobile  7423.4497.7706  on AP  84b8.02c0.9050  from Associated to Associated

Mar  5 19:33:25.762: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Session start for dot1x/open client. iifid: 738540000f33e1 capwap id: 76f7000000005f old capwap id:0

Mar  5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Not comparing because the ACLs have not been sent yet.

Mar  5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Final flag values are, epmSendAcl 1, epmSendAclDone 0

Mar  5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706  client incoming attribute size are 670

Mar  5 19:33:25.922: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Session Update for dot1x/open client.iifid: 738540000f33e1 capwap id: 76f7000000005f old capwap id:76f7000000005f

 

Could you please tell me where to look for the problem? On ISE or on the WLC?

Francesco Molino
VIP Alumni

Hi

 

On your screenshots the ports for ISE on wlc aren't correct. Ports are 1812 for authentication and 1813 for accounting.

 

Then LME_GUEST on your ISE policy corresponds to local ISE group, right? 

 

Do you see any authentication requests on ISE? If yes, can you share the log from ISE?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

1. On your screenshots the ports for ISE on wlc aren't correct. Ports are 1812 for authentication and 1813 for accounting.
Thank you for your comment. 

I fixed the ports on the WLC, but it didn't help; my device is not authenticated.

 

2. Then LME_GUEST on your ISE policy corresponds to local ISE group, right? 

Yes, right! I created and added Users in group LME_Guest on ISE.

 

3. Do you see any authentication requests on ISE? If yes, can you share the log from ISE?

Yes, I see authentication requests on ISE. The logs indicate that authentication is successful, however I do not connect to the Wi-Fi network: Authentication problem.
The authentication steps are here:

Authentication steps

 

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP - NormalisedRadius.RadiusFlowType
15048  Queried PIP - Airespace.Airespace-Wlan-Id
15004  Matched rule - LME_Guest Authentication
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12300  Prepared EAP-Request proposing PEAP with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319  Successfully negotiated PEAP version 1
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12810  Prepared TLS ServerDone message
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12319  Successfully negotiated PEAP version 1
12812  Extracted TLS ClientKeyExchange message
12813  Extracted TLS CertificateVerify message
12804  Extracted TLS Finished message
12801  Prepared TLS ChangeCipherSpec message
12802  Prepared TLS Finished message
12816  TLS handshake succeeded
12310  PEAP full handshake finished successfully
12832  Tunnel build with local server certificate is not yet active or it has already expired
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041  Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Source - Internal Users
24210  Looking up User in Internal Users IDStore - amedzhbel
24212  Found User in Internal Users IDStore
22037  Authentication Passed
11824  EAP-MSCHAP authentication attempt passed
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication succeeded
11519  Prepared EAP-Success for inner EAP method
12314  PEAP inner method finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
24423  ISE has not been able to confirm previous successful machine authentication
15036  Evaluating Authorization Policy
15048  Queried PIP - Radius.NAS-Port-Type
15004  Matched rule - LME_GUEST_Access
15016  Selected Authorization Profile - PermitAccess
12306  PEAP authentication succeeded
11503  Prepared EAP-Success
11002  Returned RADIUS Access-Accept

On ISE, everything looks good.

 

On your WLC, you're getting this error:

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 4334

 

Can you share output of show wlan x ?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
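
The WLC debug in the opening post is easier to read as a per-client timeline. The following is an added example, not part of the original thread: it pulls WLAN switches, policy-manager state changes, FAILURE markers and associations for one client MAC out of `wcm` debug lines and reports whether each FAILURE precedes or follows the most recent association. The function names and the event labels are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Constructed sample: seven lines copied from the WLC 5760 debug in the opening post.
SAMPLE = """\
Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Disconnect client immediately due to WLANswitch from 3(LME_Guest) to 10(LME_Employee)
Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to DHCP_REQD (7) last state RUN (20)
Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 4334
Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Reason code 1, Preset 1, AAA cause 1
Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP  84b8.02c0.9050
Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to AUTHCHECK (2) last state START (0)
Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to 8021X_REQD (3) last state AUTHCHECK (2)
"""

# Syslog prefix of a wcm debug line: timestamp, facility, client MAC, free-text message.
LINE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<ts>[\d:.]+): %IOSXE-7-PLATFORM: \d+ process wcm:\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<msg>.*)$")

# (event label, pattern, formatter); first match wins for each line.
PATTERNS = [
    ("state", re.compile(r"Change state to (\S+) \(\d+\) last state (\S+) \(\d+\)"),
     lambda m: f"{m[2]} -> {m[1]}"),
    ("wlan_switch", re.compile(r"WLANswitch from (\d+)\(([^)]*)\) to (\d+)\(([^)]*)\)"),
     lambda m: f"WLAN {m[1]} ({m[2]}) -> WLAN {m[3]} ({m[4]})"),
    ("failure", re.compile(r"(\S+) \(\d+\) Reached FAILURE"), lambda m: f"in {m[1]}"),
    ("reason", re.compile(r"Reason code (\d+), Preset (\d+), AAA cause (\d+)"),
     lambda m: f"reason={m[1]} preset={m[2]} aaa_cause={m[3]}"),
    ("assoc", re.compile(r"Association received from mobile on AP\s+(\S+)"),
     lambda m: f"AP {m[1]}"),
]


def timeline(text, mac):
    """Return [(time, kind, detail)] for one client MAC, in log order."""
    events = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line or line["mac"] != mac.lower():
            continue
        for kind, rx, fmt in PATTERNS:
            hit = rx.search(line["msg"])
            if hit:
                events.append((line["ts"], kind, fmt(hit)))
                break
    return events


def summarize(events):
    """Last policy-manager state, and FAILUREs split around the latest association."""
    kinds = [k for _, k, _ in events]
    last_assoc = len(kinds) - 1 - kinds[::-1].index("assoc") if "assoc" in kinds else -1
    states = [d.split(" -> ")[1] for _, k, d in events if k == "state"]
    fails = [i for i, k in enumerate(kinds) if k == "failure"]
    return {
        "last_state": states[-1] if states else None,
        "failures_before_last_assoc": sum(i < last_assoc for i in fails),
        "failures_after_last_assoc": sum(i > last_assoc for i in fails),
    }


if __name__ == "__main__":
    evs = timeline(SAMPLE, "7423.4497.7706")
    for ts, kind, detail in evs:
        print(f"{ts}  {kind:<12} {detail}")
    print(summarize(evs))
```
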

The output of show wlan x is in the attachment.

Do I understand correctly that the problem is still not in ISE?

When you are using 802.1x, authentication happens first and once it is successful then the WLC on behalf of the client (IF YOU ARE USING DHCP PROXY ENABLED on the WLC), sends a DHCP discover to the dhcp server using the WLC subinterface IP assigned to that specific SSID.

 

Since your DHCP is not responding (assuming the WLC is properly configured and any FW in the middle of the path is not blocking that traffic), the WLC status for that connection is DHCP_REQUIRED as you saw.

 

The failure can be:

1.-misconfigured WLC interface for that specific SSID including DHCP ip value

2.-misconfigured DHCP scope for the WLC interface subnet

3.-firewall blocking traffic between wlc and dhcp.

 

 

 

 

Thanks for your comment.

In my network only one SSID does not work; the other SSIDs work and connect to the network.
The only difference is that the non-working SSID is authenticated via ISE, while the other SSIDs are authenticated via daloradius. Via daloradius clients connect successfully, via ISE they do not.
The error, it seems to me, is not on the controller but on the ISE.

 

 

Post removed, you are using 5760

This is weird. Can you use the same vlan and dhcp server for a wired vlan and try if you're getting an IP address.

When the client is stuck in that way, what's his status. Can you share printscreen of monitor client for that particular client?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

1. Can you use the same vlan and dhcp server for a wired vlan and try if you're getting an IP address.

No, this vlan is used only for wireless clients and I can't verify a wired connection, sorry.

2. When the client is stuck in that way, what's his status. Can you share printscreen of monitor client for that particular client?

When the client is authenticated, its status is as follows:

1. He enters login and password and connects

2. He tries to authenticate and connect
3. Then dropped or authentication problem

Screenshots of connecting to the Wi-Fi network are in the attachment.

First of all, your ISE logs show that PEAP authentication is working.

 

12306  PEAP authentication succeeded
11503  Prepared EAP-Success
11002  Returned RADIUS Access-Accept

 

From the WLC side, you are stuck on DHCP_Required status as shown in the logs provided. Check your DHCP configuration for the WLC interface.

 

 

 

 

 

What I'm asking for is the client status on the WLC (you need to go to monitor, then client, then click on the client that's stuck and share this print screen).

Can you also share the authorization profile you're sending via ISE?
The other SSIDs are working, but do all of them use the same DHCP server?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The client status on the WLC is in the attachment.
Can you also share the authorization profile you're sending via ISE?

I use the default authorization profile (PermitAccess). Unfortunately, it is not possible to view it in detail. The authentication and authorization policy configuration is in the attachment.

The other SSIDs are working, but do all of them use the same DHCP server?
The configuration of the working SSID and of the non-working SSID is in the attachment. The only difference between them is authentication via daloradius versus ISE. The SSID that is authenticated via ISE does not work.

From your last reply I do NOT see the ISE logs for that "failed" connection but the client status for Policy Manager state = 8021.X required (not RUN). So, let's check everything from scratch including the SHARED KEY on WLC and ISE (network device list - WLC entry). Follow the steps indicated in the next link BUT select 802.1x ONLY as indicated in the screenshot below. You are missing the accounting part in your WLC configuration.

 

https://mrncciew.com/2013/12/16/configuring-radius-on-5760/

 

keymgmt.png

The WLC 5760 and ISE configuration is in the attachment. Thanks for the instructions. Please explain which particular parameter affects the inoperability?

 

Thank you