WLAN Guest - ISE sending CoA to foreign disassociates (some) clients
We have a funny behavior on one customer's guest access.
The solution has web authentication (L3), the login page is stored locally on the anchor controllers (Local Web Authentication), and Cisco ISE v184.108.40.2069, patch 6, hosts the sponsor portal and authenticates clients via CHAP/RADIUS.
Recently we implemented a foreign + anchors architecture and upgraded to 7.6.130 (from 7.3).
As stated in Cisco's Enterprise Mobility 7.3 Design Guide, the WLAN's security parameters are configured exactly the same on both the foreign and the anchors, including the authentication and accounting servers (acct+auth are active on both foreign and anchors, with the same RADIUS servers, the ISE PSNs).
This generates double accounting, where the foreign sends an acct start with username = MAC as soon as the client associates, and the anchor sends an acct start with username = username after the user authenticates. The "live sessions" on ISE indicate the foreign IP as the NAS associated to these guest users.
On certain clients (I haven't caught the trigger yet) ISE sends a CoA Admin Reset to the foreign after the user is successfully authenticated by the anchor, and the user is disassociated. The workaround is to disable RFC3576 (CoA feature) in the RADIUS server configuration of the foreign: ISE sends the CoA but the WLC rejects it and everybody is happy (apart from a "dynamic authorization failed" alarm on ISE).
When I disable the "Allow only one guest session per user" option on ISE, this behavior stops, which seems to indicate that ISE is somehow counting sessions twice. My theory at this point is that ISE understands that the accounting from the foreign (with the device MAC) is actually from the same user as the one on the anchor and disconnects the older session (as expected), this being the one on the foreign because it is created as soon as the client associates.
One solution is, of course, to disable accounting (and maybe even authentication) on the foreign, but: first, I don't know if this will break the anchoring at some point; second, I don't want to diverge from the design guides in a production environment.
Is anyone seeing the same behavior? What is your opinion on this?
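As an added example (not part of the original post, and not ISE's own session-tracking code), the script below replays constructed RADIUS accounting records the way an ISE live-session table would, flags MAC addresses that carry both a pre-auth session (User-Name equal to the Calling-Station-Id, i.e. the foreign's acct start) and an authenticated session (the anchor's acct start), and then models a "one guest session per user" rule under the post's theory: if the pre-auth session is attributed to the user who later authenticated from the same MAC, the older foreign session is the one selected for a CoA. The NAS addresses (10.10.1.5 as foreign, 10.20.1.5 as anchor), MAC addresses, session ids, user name and the key=value line layout are all made up for this example; a real ISE accounting export will need its own field mapping.

```python
import re
from datetime import datetime

# Constructed sample accounting records, not real ISE output.  The key=value
# layout is a simplification of an ISE accounting report; NAS addresses,
# session ids, MACs and the user name are invented.  10.10.1.5 plays the
# foreign controller and 10.20.1.5 the anchor.  Client 00:11:22:33:44:55
# associates (foreign Start with MAC as username), then authenticates on the
# anchor (second Start with the real username).  Client aa:bb:cc:dd:ee:ff
# associates and leaves without ever authenticating.
SAMPLE_LOG = """\
2015-03-02T10:00:01 NAS-IP-Address=10.10.1.5 Acct-Status-Type=Start Acct-Session-Id=54f4a1b1/00:11:22:33:44:55/101 User-Name=00-11-22-33-44-55 Calling-Station-Id=00-11-22-33-44-55
2015-03-02T10:00:02 NAS-IP-Address=10.10.1.5 Acct-Status-Type=Start Acct-Session-Id=54f4a1b2/aa:bb:cc:dd:ee:ff/102 User-Name=aa-bb-cc-dd-ee-ff Calling-Station-Id=aa-bb-cc-dd-ee-ff
2015-03-02T10:00:40 NAS-IP-Address=10.20.1.5 Acct-Status-Type=Start Acct-Session-Id=54f4a1d8/00:11:22:33:44:55/7 User-Name=guest01 Calling-Station-Id=00-11-22-33-44-55
2015-03-02T10:05:00 NAS-IP-Address=10.10.1.5 Acct-Status-Type=Stop Acct-Session-Id=54f4a1b2/aa:bb:cc:dd:ee:ff/102 User-Name=aa-bb-cc-dd-ee-ff Calling-Station-Id=aa-bb-cc-dd-ee-ff
"""

KV_RE = re.compile(r"(\S+?)=(\S+)")


def normalize_mac(value):
    """Strip separators and case so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def parse_records(text):
    """Parse one accounting record per line into a dict, ordered by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(KV_RE.findall(rest))
        rec["time"] = datetime.fromisoformat(ts)
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def active_sessions(records):
    """Replay Start/Stop records; what remains is the live-session table."""
    live = {}
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        if rec["Acct-Status-Type"] == "Start":
            live[key] = rec
        elif rec["Acct-Status-Type"] == "Stop":
            live.pop(key, None)
    return live


def is_preauth(rec):
    """A session whose User-Name is just the client MAC was started before web auth."""
    return normalize_mac(rec["User-Name"]) == normalize_mac(rec["Calling-Station-Id"])


def find_double_accounting(live):
    """MACs that have both a pre-auth (foreign) and an authenticated (anchor) live session."""
    by_mac = {}
    for rec in live.values():
        mac = normalize_mac(rec["Calling-Station-Id"])
        by_mac.setdefault(mac, {"preauth": [], "auth": []})
        by_mac[mac]["preauth" if is_preauth(rec) else "auth"].append(rec)
    return sorted(mac for mac, s in by_mac.items() if s["preauth"] and s["auth"])


def one_session_per_user(live, correlate_by_mac):
    """Model (an assumption, not ISE's real algorithm) of a 'one guest session per user' rule.

    Returns the (NAS-IP, Acct-Session-Id) pairs the rule would send a CoA to.
    With correlate_by_mac=True a pre-auth session is attributed to the user who
    authenticated from the same MAC (the theory in the post); with False it keeps
    its MAC as the user name and never collides with the anchor session.
    """
    mac_to_user = {}
    if correlate_by_mac:
        for rec in live.values():
            if not is_preauth(rec):
                mac_to_user[normalize_mac(rec["Calling-Station-Id"])] = rec["User-Name"]
    per_user = {}
    for key, rec in live.items():
        user = rec["User-Name"]
        if is_preauth(rec):
            user = mac_to_user.get(normalize_mac(rec["Calling-Station-Id"]), user)
        per_user.setdefault(user, []).append((rec["time"], key))
    targets = []
    for sessions in per_user.values():
        sessions.sort()
        targets.extend(key for _, key in sessions[:-1])  # keep only the newest session
    return sorted(targets)


if __name__ == "__main__":
    live = active_sessions(parse_records(SAMPLE_LOG))
    print("double accounting for MACs:", find_double_accounting(live))
    print("CoA targets, MAC correlated:", one_session_per_user(live, True))
    print("CoA targets, not correlated:", one_session_per_user(live, False))
```

With the sample input the client that never authenticated drops out of the live table on its Stop, the authenticated client is reported as double-accounted, and the correlated rule picks exactly the older foreign session (NAS 10.10.1.5) as the CoA target, which is the symptom described above; without MAC correlation no CoA is generated at all. Running `find_double_accounting` over a real accounting export is a quick way to confirm whether the clients that get reset are the ones with both sessions live.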