Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1887
Views
0
Helpful
10
Replies

Cisco ISE 2.3 Wired guest rule

kamlenegi
Level 1
Level 1

‎07-14-2018 09:52 AM - edited ‎02-21-2020 11:00 AM

Hello Everyone,

 

Please guide me for ISE 3.1 authorization rule, downloadable ACL, and authentication rule for wired guest users. It will be very helpful if some using same setup and provide me some snapshots, including results. I have done for wireless which is working.

 

Thanks

Kamlesh

Labels:
0 Helpful
10 Replies 10

Francesco Molino
VIP Alumni
VIP Alumni

‎07-14-2018 12:44 PM

Hi

You can take a look on Cisco ISE community page:
https://communities.cisco.com/docs/DOC-77590
Examples are based on version 2.3 but it looks like the same on other versions.

By the way you said version 3.1 and this version doesn't exist.

There's also labminutes.com web site offering videos that can be very helpful.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

kamlenegi
Level 1
Level 1
In response to Francesco Molino

‎07-16-2018 07:55 AM

Thanks Francesco,

 

This document is very much helpful, wireless it is working. I will check for wired as well.

 

I mentioned wrongly (Cisco PI) version, 3.1.

 

Could you please tell me, how to fix of radius accounting frequent message from WLC to ISE. I am attaching device misconfiguration error.

 

Thanks

Kamlesh

Preview file
36 KB
0 Helpful

Arne Bier
VIP
VIP
In response to kamlenegi

‎07-17-2018 04:59 PM

Hi Kamlesh

 

that ISE error still exists in ISE 2.3 and it was not due to any misconfiguration in the NAD.  For many years Cisco has been preaching that the WLC/NAD is sending Accounting Interim updates too frequently and to avoid that, one should set Interim-Updates to 0 seconds in the Cisco WLC 8.x - this has the effect of only sending Interim-Updates if the client association also involves a DHCP event (i.e. client requests DHCP or the IP address of client changes).  In the past we used to hard code Interim-Updates to be like 600 seconds or whatever.  But if you don't care about the bytes in/out contained in the Accounting updates, then you can save yourself some processing on all systems concerned.  But I quite like the Interim updates once in a while so that ISE knows that the session is still alive. 

Accounting Start tells ISE the session has started.  Accounting Stop tells ISE the session has ended and also releases a Base license.  But if the time between these events is more than 24 hours, I don't quite know what happens to the Session table, or to the Licensing table.

0 Helpful

kamlenegi
Level 1
Level 1
In response to Arne Bier

‎07-17-2018 05:30 PM

Thanks Arne,

 

Where I can do this setting

 

hard code Interim-Updates to be like 600 seconds or whatever.

 

I will check what will happen, if we make it 24 hrs.

Secondly, I am facing DACL is not applying on switch from ISE for wired guest in pre-auth acl.

 

Thanks

Kamlesh

 

 

0 Helpful

Arne Bier
VIP
VIP
In response to kamlenegi

‎07-17-2018 06:39 PM

I forgot to mention that we always saw the ISE error about misbehaving NAD in ISE 2.2 and 2.3 - now that I am on ISE 2.4 patch 1 I don't get that error anymore.  We didn't change any NAD settings.

 

Unfortunately I work only with WLC's and the setting is in the GUI under the WLAN Radius config.  For LAN switches this feature may or may not even exist or apply.  Sorry I should have mentioned this.  But sure, set it to 24 hour interim update - that should make it less chatty.  But I would still argue that your NAD is probably not the issue here - in our case I think ISE was getting confused and thought that every Radius request from the NAD was always too fast.

0 Helpful

kamlenegi
Level 1
Level 1
In response to Arne Bier

‎07-31-2018 10:25 PM

Hello Arne,

 

I am stuck in applying redirect acl for wired guest using mab auth.

 

ISE 2.3

Switch : 3650 16.3.3 ver

My switch ACL is GUEST_WEBAUTH_REDIRECT & same called in CWA ISE.

 

Extended IP access list GUEST_WEBAUTH_REDIRECT
    10 deny ip any host ISE-IP
    30 permit tcp any any eq www
    40 permit tcp any any eq 443

 

Can anyone help me on this, is there any software related known issue.

 

Thanks

Kamlesh

0 Helpful

Arne Bier
VIP
VIP
In response to kamlenegi

‎08-01-2018 06:09 AM

The wired stuff is a bit different and I think if you did a google search for the www.labminutes.com videos then you'll get your answer quite nicely.  I have not done the wired stuff so I am the wrong guy to ask.

0 Helpful

kamlenegi
Level 1
Level 1
In response to Charlie Moreton

‎08-01-2018 08:42 AM

Hello,

I found bug in Cisco IOS 16.3.x for ISE BYOD client stuck in WEBAUTH_PEND with CWA + 802.1x

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd93745

 

Is there any workaround for wired guest.

 

Thanks
Kamlesh

0 Helpful

Jason Kunst
Cisco Employee
Cisco Employee
In response to kamlenegi

‎08-01-2018 11:54 AM

Would need to ask switching team on that. Otherwise you could try to use the auth vlan
Aka walled garden might be an option?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents