I have a very strange scenario with 2504 WLC. It is deployed as an Anchor with 5508 as the foreign. In summary, my setup is as follows:
2504 - Anchor (version 7.6.120), Port 1 - MGT, Port 2 - Guest subnet, No AAA Server, Internal DHCP server
5508 - Foreign (version 220.127.116.11), Guest interface (dummy, non-routable and no vlan on switch), MAC filtering, ACL-redirect, AAA with Radius NAC.
The mobility tunnels are up and FW rule also allows DNS and TCP/8443 from the guest subnet. The guest client receives its DHCP address and queries external DNS on the DMZ, but after that nothing happens. The web redirect URL times out.
I can see hits on the FW ACL for the DNS query and response but none for TCP/8443. The client browser times out. From wireshark, I can see the client query the DNS for the ISE hostname and the DNS replies with the IP address, but I don't see the guest send a packet to ISE. It's as if the DNS packet flows through the Guest interface, but the TCP/8443 packet doesn't flow out of the Anchor WLC to the Foreign to be sent to ISE.
Please, does anyone understand this very strange occurrence?
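A check for the symptom described above, added here as an example and not part of the original post: it walks constructed tshark-style capture lines (the addresses and the portal hostname are placeholders, not values from the thread) and reports guest clients that received a DNS answer for the portal host but never sent a SYN to TCP/8443, which is exactly what the Wireshark trace showed.

```python
# Added example: flag guest clients whose web redirect stalls after DNS.
# Input is a constructed tshark-style summary, not a capture from the thread.
import re

PORTAL_PORT = 8443  # ISE guest portal port named in the thread

# Constructed sample from the Anchor's guest interface; placeholder addresses.
SAMPLE_CAPTURE = """\
1 10.10.20.50 -> 192.0.2.53 DNS Standard query A ise.example.invalid
2 192.0.2.53 -> 10.10.20.50 DNS Standard query response A ise.example.invalid A 192.0.2.10
3 10.10.20.51 -> 192.0.2.53 DNS Standard query A ise.example.invalid
4 192.0.2.53 -> 10.10.20.51 DNS Standard query response A ise.example.invalid A 192.0.2.10
5 10.10.20.51 -> 192.0.2.10 TCP 51000 -> 8443 [SYN]
"""

LINE_RE = re.compile(
    r"^\d+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>DNS|TCP)\s+(?P<rest>.*)$")
DNS_ANSWER_RE = re.compile(r"query response A (?P<name>\S+) A (?P<addr>\S+)")
SYN_RE = re.compile(r"(?P<sport>\d+) -> (?P<dport>\d+) \[SYN\]")


def find_stalled_clients(capture_text, portal_host):
    """Return clients that resolved portal_host but never sent a SYN to it on PORTAL_PORT."""
    resolved = {}    # client IP -> portal IP the DNS answer handed it
    syn_seen = set()  # (client IP, server IP) pairs with a SYN to the portal port
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, rest = m.group("src", "dst", "proto", "rest")
        if proto == "DNS":
            a = DNS_ANSWER_RE.search(rest)
            if a and a.group("name") == portal_host:
                resolved[dst] = a.group("addr")  # the answer is addressed to the client
        elif proto == "TCP":
            s = SYN_RE.search(rest)
            if s and int(s.group("dport")) == PORTAL_PORT:
                syn_seen.add((src, dst))
    # A client that got the answer but produced no SYN matches the thread's symptom.
    return sorted(c for c, ip in resolved.items() if (c, ip) not in syn_seen)


if __name__ == "__main__":
    print(find_stalled_clients(SAMPLE_CAPTURE, "ise.example.invalid"))  # ['10.10.20.50']
```

Run it against `tshark -r guest.pcap` output with the same column layout to list which clients reached DNS but never left the Anchor toward the portal.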
After contacting Cisco TAC without a successful resolution, I discovered that Policy Set was the problem. This was very strange as the Policy set was evaluated and the correct Authz policy applied.
I had a policy set with Radius conditions equal 802.11 AND Wireless_MAB. This was to separate it from another policy set for 802.1X. The Wireless_MAB policy set was evaluated and the web redirect ACL was applied by ISE, but after that ISE didn't respond with the Guest Portal page.
As soon as I removed the condition Wireless_MAB from the policy set definition, the Guest portal worked.
I think Cisco should either evaluate the Policy set functionality and fix it, or release a statement that a Policy set can't work with 2 conditions defined, which I think doesn't make sense, as why would I use a Policy set for Radius NAS_Port_type 802.11? This means the 802.1X Policy set would be checked first (if it is first in the order) before the Wireless_MAB Policy, as both use a NAS_port_type of 802.11.