04-07-2017 06:42 AM - edited 03-11-2019 12:37 AM
We recently upgraded ISE from 2.1 to 2.2 and have RADIUS configured to authenticate management sessions to our network devices. After the upgrade we can log in to our WLC via GUI or SSH, but when a change is made an "Authorization Failed. No sufficient privileges" message pops up. From the CLI no changes can be made, but we can log in.
Here is my Results>Authorization>Authorization Profiles. This is then used in a policy set shared with our switches and routers.
Web Authentication (Local Web Auth) - is checked
Attribute settings are:
Radius:Service-Type = Administrative
Cisco:cisco-av-pair = shell:priv-lvl=15
Any help from the forum experts would be greatly appreciated.
Thanks,
BW
04-09-2017 11:25 AM
Hi,
I have the same problem. I debugged the AAA session on the WLC and Service-Type 7 showed up in the authorization result; however, the ISE policy is configured with Service-Type Administrative.
This must be an ISE issue: the authorization result is configured properly, but the logs show Service-Type 7.
Update 1:
I found this bug.
Update 2:
I reverted to ISE 2.1; now the WLC debug log contains Service-Type 6, however the ISE log contains NAS-Prompt. So it's only a cosmetic issue on ISE 2.1.
04-09-2017 11:25 AM
Hi,
I've upgraded my lab ISE to 2.2 and face the same bug.
However, right now there is no correction.
Sorry for that.
If you have a backup from before the upgrade, do a rollback.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-07-2017 07:02 AM
Hi,
Could you paste screenshots of your config, please?
Then could you try it and paste here the result from your ISE servers and the output of your WLC debug (debug aaa events enable)?
thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-07-2017 07:37 AM
Thanks for chiming in so quickly, guys. I have a case opened, but the response is terrible.
Attached are the debugs from the WLC and my authorization profile. This profile is used by our switches and routers and there are no problems. Also attached is my Policy Set.
04-07-2017 07:44 AM
Something to note: I have another controller on a different ISE server, version 1.2, using the same policy set and results with no issues. So something changed with ISE 2.2 to make this stop working.
04-07-2017 08:30 AM
Hi,
The policy is to authenticate a user to manage your WLC. Why have you checked Local Web Auth?
Second thing: in your WLC debugs we see Service-Type 7 (NAS-Prompt) instead of Service-Type 6 (Administrative):
radiusTransportThread: Apr 07 09:49:01.801: AVP[02] ServiceType.............................0x00000007 (7) (4 bytes)
Do you have ISE authorization logs for that specific session?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-07-2017 09:06 AM
The Local Web Auth check may have been an oversight. It was removed and it still does not allow RW access.
I noticed the Service-Type was 7 as well, but the Service-Type in the authorization profile is set to Administrative. Now I need to figure out why that is happening.
I do, and there are no errors; the event is "authentication succeeded". I compared it to a switch and the only difference is in the result: the switch shows the result Service-Type NAS-Prompt, whereas the WLC shows no Service-Type in the result.
04-07-2017 11:31 AM
Is the WLC hitting the right rule, or is it maybe hitting another one?
Are you running ISE with policy sets? If yes, you can test by creating a new policy set just for that specific WLC and recreating your authz rule to validate.
You said you have another WLC; can you validate that the other one receives Service-Type 6? Are they both hitting the exact same rule?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-07-2017 07:14 AM
For read/write access you need this attribute in addition to the ACCESS_ACCEPT access type:
Radius:Service-Type = Administrative
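The whole thread turns on one attribute in the Access-Accept: Service-Type 6 (Administrative) gives the WLC read/write, Service-Type 7 (NAS-Prompt) gives login but no changes, and the Cisco av-pair shell:priv-lvl=15 does not override that. The decoder below is an added example, not code from any post or from Cisco: it builds two constructed Access-Accept packets (one shaped like what the WLC debug on this thread shows, Service-Type 0x00000007 plus priv-lvl=15, and one with the Administrative value), parses the RADIUS attribute list including the Cisco Vendor-Specific attribute, and reports the access level a WLC would derive. The packet bytes, the zeroed authenticator and the function names are the example's own assumptions; point it at a real packet capture if you want to confirm what your ISE actually returns rather than what its log displays.

```python
"""
Decode a RADIUS Access-Accept and check whether it grants WLC management
read/write. Service-Type must be Administrative (6); NAS-Prompt (7) yields
read-only even when cisco-av-pair carries shell:priv-lvl=15.
The packets built here are constructed for the example, not captures.
"""
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1           # vendor type of cisco-av-pair inside the VSA
SERVICE_TYPE_NAMES = {6: "Administrative", 7: "NAS-Prompt"}


def build_access_accept(service_type, av_pairs, ident=0x17):
    """Build a minimal Access-Accept carrying Service-Type and Cisco av-pairs.
    The 16-byte Response Authenticator is zeroed: this example exercises
    attribute encoding only, not the shared-secret integrity check."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    for pair in av_pairs:
        data = pair.encode()
        vsa = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
        attrs += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa),
                             VENDOR_CISCO) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_attributes(packet):
    """Walk the RADIUS attribute list (RFC 2865 layout) and pull out
    Service-Type and every Cisco cisco-av-pair string."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    result = {"code": code, "service_type": None, "av_pairs": []}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vpos = 4
            # Several vendor sub-attributes may share one VSA; walk them all.
            while vendor == VENDOR_CISCO and vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA length")
                if vtype == CISCO_AV_PAIR:
                    result["av_pairs"].append(
                        value[vpos + 2:vpos + vlen].decode())
                vpos += vlen
        pos += alen
    return result


def wlc_access_level(packet):
    """Access level a WLC derives from the Accept: read-write only for
    Service-Type 6; Service-Type 7 logs in but cannot change anything."""
    attrs = parse_attributes(packet)
    if attrs["code"] != ACCESS_ACCEPT:
        return "denied"
    if attrs["service_type"] == 6:
        return "read-write"
    if attrs["service_type"] == 7:
        return "read-only"
    return "no-service-type"


def diagnose(packet):
    """One-line verdict, naming the Service-Type the way the WLC debug does."""
    attrs = parse_attributes(packet)
    st = attrs["service_type"]
    name = SERVICE_TYPE_NAMES.get(st, "absent")
    return (f"Service-Type {st} ({name}), av-pairs {attrs['av_pairs']} "
            f"-> {wlc_access_level(packet)}")


if __name__ == "__main__":
    # Constructed: shaped like the WLC debug on this thread (AVP ServiceType 7).
    buggy = build_access_accept(7, ["shell:priv-lvl=15"])
    # Constructed: what the authorization profile is meant to produce.
    good = build_access_accept(6, ["shell:priv-lvl=15"])
    print(diagnose(buggy))
    print(diagnose(good))
```

The decoder deliberately ignores the av-pair when deciding the level, which is the behaviour the thread observes: priv-lvl=15 is present in both packets, yet only the Administrative Service-Type unlocks changes on the controller. Feed `parse_attributes` the UDP payload of a captured Access-Accept (for example exported from Wireshark) to see the attribute the server actually sent rather than the one its own log reports.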