WLC Management Access via ISE 2.2 Radius

bret
Level 3

We recently upgraded ISE from 2.1 to 2.2 and have RADIUS configured to authenticate management sessions to our network devices. After the upgrade we can log in to our WLC via GUI or SSH, but when a change is made, an "Authorization Failed. No sufficient privileges" message pops up. From the CLI no changes can be made, but we can log in.

Here is my Results > Authorization > Authorization Profiles. This is then used in a policy set shared with our switches and routers.

Web Authentication (Local Web Auth) - is checked

Attribute settings are:

Radius:Service-Type = Administrative

Cisco:cisco-av-pair = shell:priv-lvl=15

Any help from the forum experts would be greatly appreciated.

Thanks,

BW


9 Replies

Francesco Molino
VIP Alumni

Hi

Could you paste screenshots of your config please?

Then could you try again and paste here the result from your ISE servers and the output of your WLC debug (debug aaa events enable)?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks for chiming in so quickly guys. I have a case opened, but the response is terrible.

Attached are the debugs from the WLC and my authorization profile. This profile is used by our switches and routers and there are no problems. Also attached is my Policy Set.

Something to note. I have another controller on a different ISE server ver 1.2 using the same policy set and results with no issues. So something changed with ISE 2.2 to make this stop working.

Hi,

The policy is to authenticate a user to manage your WLC. Why have you checked Local Webauth?

2nd thing, on your wlc debugs, we see the service-type 7 (NAS-Prompt) instead of service-type 6 (Administrative):

radiusTransportThread: Apr 07 09:49:01.801: AVP[02] ServiceType.............................0x00000007 (7) (4 bytes)

Do you have ISE authorization logs for that specific session?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

The local webauth check may have been an oversight. It was removed and still does not allow RW access.

I noticed the service-type was 7 as well, but the service-type in the authorization profile is set for Administrative. Now I need to figure out why that is happening.

I do, and there are no errors; the event shows "authentication succeeded". I compared it to a switch and the only difference is in the Result. The switch shows the result Service-Type NAS-Prompt, whereas the WLC shows no Service-Type in the Result.

Is the WLC hitting the right rule, or is it maybe taking another one?

Are you running ISE with policy sets? If yes, you can test by creating a new policy set just for that specific WLC and recreating your authz rule to validate.

You said you have another WLC; can you validate on the other one that you receive Service-Type 6? Are they both hitting the exact same rule?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi,

I have the same problem. I debugged the AAA session on the WLC and Service-Type 7 showed up in the authorization result; however, the ISE policy is configured with Service-Type Administrative.

This must be an ISE issue; the authorization result is configured properly, but the logs show Service-Type 7.

Update 1:

I found this bug.

CSCvd61189

Update 2:

I reverted to ISE 2.1; now the WLC debug log contains Service-Type 6, however the ISE log contains NAS-Prompt. So it's only a cosmetic issue on ISE 2.1.

Hi,

I've upgraded my lab ISE to 2.2 and face the same bug.

However, right now there is no correction.

Sorry for that.

If you have a backup from before the upgrade, do a rollback.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

M. Wisely
Level 4

For read/write access you need this attribute in addition to the ACCESS_ACCEPT access-type:

Radius:Service-Type = Administrative
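The two points the thread turns on, that the WLC decides read/write access from a Service-Type of 6 (Administrative) in the Access-Accept and that the WLC debug instead showed 7 (NAS-Prompt), can be checked offline with the added example below (my code, not posted by anyone in the thread). It assumes the RFC 2865 attribute layout and Cisco's vendor ID 9 for cisco-av-pair; the Access-Accept packets it builds are constructed samples, and only the AVP debug line is quoted from the thread.

```python
"""Decode a RADIUS Access-Accept the way the WLC does, to check the Service-Type it got.
Per the thread the WLC grants read/write only for Service-Type 6 (Administrative), while
ISE 2.2 was seen sending 7 (NAS-Prompt) even though the profile said Administrative."""
import re
import struct

ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 2, 6, 26  # RFC 2865 codes
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1        # cisco-av-pair is Cisco (IANA 9) VSA type 1
ADMINISTRATIVE, NAS_PROMPT = 6, 7           # Service-Type values named in the thread
# Matches the AVP line format seen in the WLC 'debug aaa events enable' output
AVP_RE = re.compile(r"AVP\[\d+\]\s+ServiceType\.*0x([0-9a-fA-F]{8})")

def service_type_from_debug(debug_output):
    """Return the ServiceType value from WLC debug output, or None if absent."""
    m = AVP_RE.search(debug_output)
    return int(m.group(1), 16) if m else None

def parse_access_accept(packet):
    """Return (service_type, [cisco-av-pairs]) from a raw RADIUS Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    service_type, av_pairs, pos = None, [], 20   # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                av_pairs.append(value[6:4 + vlen].decode("ascii"))
        pos += alen
    return service_type, av_pairs

def grants_wlc_rw(service_type):
    """True only for Service-Type 6 (Administrative), which the WLC requires for RW."""
    return service_type == ADMINISTRATIVE

def build_access_accept(service_type, av_pair, ident=1):
    """Build a constructed Access-Accept (zeroed authenticator) carrying both attributes."""
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(av_pair) + 2) + av_pair.encode()
    attrs = bytes([ATTR_SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    attrs += bytes([ATTR_VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs

# The AVP line as pasted in the thread (packets from build_access_accept are constructed samples)
WLC_DEBUG_LINE = "radiusTransportThread: Apr 07 09:49:01.801: AVP[02] ServiceType.............................0x00000007 (7) (4 bytes)"
```

Running `parse_access_accept(build_access_accept(NAS_PROMPT, "shell:priv-lvl=15"))` reproduces the thread's symptom: the priv-lvl=15 av-pair is present, yet `grants_wlc_rw` is false because the Service-Type is 7.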