07-14-2018 09:52 AM - edited 02-21-2020 11:00 AM
Hello Everyone,
Please guide me on the ISE 3.1 authorization rule, downloadable ACL, and authentication rule for wired guest users. It would be very helpful if someone using the same setup could provide me with some snapshots, including results. I have done it for wireless, which is working.
Thanks
Kamlesh
07-14-2018 12:44 PM
07-16-2018 07:55 AM
Thanks Francesco,
This document is very helpful; wireless is working. I will check for wired as well.
I wrongly mentioned the (Cisco PI) version, 3.1.
Could you please tell me how to fix the frequent RADIUS accounting messages from WLC to ISE? I am attaching the device misconfiguration error.
Thanks
Kamlesh
07-17-2018 04:59 PM
Hi Kamlesh
That ISE error still exists in ISE 2.3 and it was not due to any misconfiguration in the NAD. For many years Cisco has been preaching that the WLC/NAD is sending Accounting Interim updates too frequently and to avoid that, one should set Interim-Updates to 0 seconds in the Cisco WLC 8.x - this has the effect of only sending Interim-Updates if the client association also involves a DHCP event (i.e. client requests DHCP or the IP address of client changes). In the past we used to hard code Interim-Updates to be like 600 seconds or whatever. But if you don't care about the bytes in/out contained in the Accounting updates, then you can save yourself some processing on all systems concerned. But I quite like the Interim updates once in a while so that ISE knows that the session is still alive.
Accounting Start tells ISE the session has started. Accounting Stop tells ISE the session has ended and also releases a Base license. But if the time between these events is more than 24 hours, I don't quite know what happens to the Session table, or to the Licensing table.
07-17-2018 05:30 PM
Thanks Arne,
Where can I do this setting:
"hard code Interim-Updates to be like 600 seconds or whatever."
I will check what happens if we make it 24 hrs.
Secondly, I am facing an issue where the DACL from ISE is not being applied on the switch for wired guest in the pre-auth ACL.
Thanks
Kamlesh
07-17-2018 06:39 PM
I forgot to mention that we always saw the ISE error about misbehaving NAD in ISE 2.2 and 2.3 - now that I am on ISE 2.4 patch 1 I don't get that error anymore. We didn't change any NAD settings.
Unfortunately I work only with WLCs and the setting is in the GUI under the WLAN Radius config. For LAN switches this feature may or may not even exist or apply. Sorry I should have mentioned this. But sure, set it to a 24-hour interim update - that should make it less chatty. But I would still argue that your NAD is probably not the issue here - in our case I think ISE was getting confused and thought that every Radius request from the NAD was always too fast.
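To check whether a NAD really is sending accounting too often, rather than ISE misreporting it, the gaps between accounting messages can be measured per session from an export of the accounting records. The following is an added example, not part of any post in this thread; the record layout, the 60-second threshold and the 24-hour staleness window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the thread).
# Assumed layout: time, NAD, Acct-Session-Id, Acct-Status-Type
SAMPLE = """\
2018-07-17T09:00:00 wlc1 s-001 Start
2018-07-17T09:00:20 wlc1 s-001 Interim-Update
2018-07-17T09:00:40 wlc1 s-001 Interim-Update
2018-07-17T09:01:00 wlc1 s-001 Interim-Update
2018-07-17T09:05:00 wlc1 s-002 Start
2018-07-17T09:15:00 wlc1 s-002 Interim-Update
2018-07-17T09:25:00 wlc1 s-002 Interim-Update
2018-07-17T09:30:00 wlc1 s-002 Stop
2018-07-15T08:00:00 sw1 s-003 Start
"""

def parse(text):
    """Yield (timestamp, nad, session_id, status) from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, nad, sid, status = line.split()
            yield datetime.fromisoformat(ts), nad, sid, status

def audit(text, now, min_interval=timedelta(seconds=60),
          stale_after=timedelta(hours=24)):
    """Return (chatty, stale): sessions whose median gap between accounting
    messages is below min_interval, and sessions with no Stop whose last
    message is older than stale_after. Both thresholds are assumptions."""
    events, stopped = defaultdict(list), set()
    for ts, nad, sid, status in parse(text):
        events[(nad, sid)].append(ts)
        if status == "Stop":
            stopped.add((nad, sid))
    chatty, stale = {}, []
    for key, times in events.items():
        times.sort()
        gaps = sorted(b - a for a, b in zip(times, times[1:]))
        if gaps and gaps[len(gaps) // 2] < min_interval:
            chatty[key] = gaps[len(gaps) // 2]   # median gap for this session
        if key not in stopped and now - times[-1] > stale_after:
            stale.append(key)                    # open session gone silent
    return chatty, stale

if __name__ == "__main__":
    chatty, stale = audit(SAMPLE, now=datetime(2018, 7, 17, 10, 0))
    print("chatty:", chatty)
    print("stale:", stale)
```

If the chatty result is empty for a NAD that ISE still flags, the measured cadence does not support a NAD-side misconfiguration.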
07-31-2018 10:25 PM
Hello Arne,
I am stuck applying the redirect ACL for wired guest using MAB auth.
ISE 2.3
Switch : 3650 16.3.3 ver
My switch ACL is GUEST_WEBAUTH_REDIRECT and the same is called in CWA on ISE.
Extended IP access list GUEST_WEBAUTH_REDIRECT
10 deny ip any host ISE-IP
30 permit tcp any any eq www
40 permit tcp any any eq 443
Can anyone help me with this? Is there any known software-related issue?
Thanks
Kamlesh
08-01-2018 06:09 AM
The wired stuff is a bit different and I think if you did a Google search for the www.labminutes.com videos then you'll get your answer quite nicely. I have not done the wired stuff so I am the wrong guy to ask.
08-01-2018 06:44 AM
Have you tried this guide?
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475
08-01-2018 08:42 AM
Hello,
I found a bug in Cisco IOS 16.3.x for ISE BYOD client stuck in WEBAUTH_PEND with CWA + 802.1x:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd93745
Is there any workaround for wired guest?
Thanks
Kamlesh
08-01-2018 11:54 AM