11-13-2014 04:06 PM - edited 07-05-2021 01:56 AM
Hello,
I have a very strange scenario with 2504 WLC. It is deployed as an Anchor with 5508 as the foreign. In summary, my set up is as follows:
2504 - Anchor (version 7.6.120), Port 1- MGT, Port 2 - Guest subnet, No AAA Server, Internal DHCP server
5508 - Foreign (version 7.6.101.1, Guest interface (dummy, non-routable and no vlan on switch), MAC filtering, ACL-redirect, AAA with Radius NAC.
The mobility tunnels are up and FW rule also allows DNS and TCP/8443 from the guest subnet. The guest client receives its DHCP address and queries external DNS on the DMZ, but after that nothing happens. The web redirect URL times out.
I can see hits on the FW ACL for the DNS query and response but none for TCP/8443. The client browser times out. From wireshark, I can see the client query the DNS for the ISE hostname and the DNS replies with the IP address, but I don't see the guest send a packet to ISE. It's as if the DNS packet flows through the Guest interface, but the TCP/8443 packet doesn't flow out of the Anchor WLC to the Foreign to be sent to ISE.
Please does anyone understand this very strange occurrence.
11-15-2014 02:53 AM
After contacting Cisco TAC without a successful resolution, I discovered that Policy Set was the problem. This was very strange as the Policy set was evaluated and the correct Authz policy applied.
I had a policy set with Radius conditions equal 802.11 AND Wireless_MAB. This was to separate it from another policy set for 802.1X. The Wireless_MAB policy set was evaluated and the web redirect ACL was applied by ISE, but after that ISE didn't respond with the Guest Portal page.
As soon as I removed the condition Wireless_MAB from the policy set definition, the Guest portal worked.
I think Cisco should either evaluate the Policy set functionality and fix it or release a statement that Policy set can't work with 2 conditions defined, which I think doesn't make sense as why would I use Policy set for Radius Nas_Port_type 802.11. This means the 802.1X Policy set would be checked first (if it is first in the order) before the Wireless_MAB Policy as both use NAS_port_type of 802.11.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide