Participant

WLC Management Access via ISE 2.2 Radius

We recently upgraded ISE from 2.1 to 2.2 and have RADIUS configured to authenticate management sessions to our network devices. After the upgrade we can log in to our WLC via GUI or SSH, but when a change is made, an "Authorization Failed. No sufficient privileges" message pops up. From the CLI we can log in, but no changes can be made.

Here is my Results>Authorization>Authorization Profiles. This is then used in a policy set shared with our switches and routers.

Web Authentication (Local Web Auth) - is checked

Attribute settings are:

Radius:Service-Type = Administrative

Cisco:cisco-av-pair = shell:priv-lvl=15

Any help from the forum experts would be greatly appreciated.

Thanks,

BW

Accepted Solutions

Hi,

I have the same problem. I debugged the AAA session on the WLC, and Service-Type 7 showed up in the authorization result; however, the ISE policy is configured with Service-Type Administrative.

This must be an ISE issue: the authorization result is configured properly, but the logs show Service-Type 7.

Update 1:

I found this bug.

CSCvd61189

Update 2:

I reverted to ISE 2.1; now the WLC debug log contains Service-Type 6, but the ISE log shows NAS-Prompt. So it's only a cosmetic issue on ISE 2.1.


VIP Advisor

Hi 

I've upgraded my lab ISE to 2.2 and face the same bug.

However, right now there is no correction.

Sorry for that.

If you have a backup from before the upgrade, do a rollback.

Thanks 
Francesco


VIP Advisor

Hi

Could you paste screenshots of your config please?

Then can you try it and paste here the result from your ISE servers and the output of your WLC debug (debug aaa events enable)?

Thanks
Francesco
Participant

Thanks for chiming in so quickly guys. I have a case opened, but the response is terrible.

Attached are the debugs from the WLC and my authorization profile. This profile is used by our switches and routers and there are no problems. Also attached is my Policy Set.

Participant

Something to note. I have another controller on a different ISE server ver 1.2 using the same policy set and results with no issues. So something changed with ISE 2.2 to make this stop working.

VIP Advisor

Hi,

The policy is to authenticate a user to manage your WLC. Why have you checked Local Web Auth?

Second, in your WLC debugs we see Service-Type 7 (NAS-Prompt) instead of Service-Type 6 (Administrative):

radiusTransportThread: Apr 07 09:49:01.801: AVP[02] ServiceType.............................0x00000007 (7) (4 bytes)

Do you have ISE authorization logs for that specific session?

Thanks
Francesco
Participant

The Local Web Auth check may have been an oversight. It was removed and still does not allow RW access.

I noticed the Service-Type was 7 as well, but the Service-Type in the authorization profile is set to Administrative. Now I need to figure out why that is happening.

I do, and there are no errors; the event is "authentication succeeded". I compared it to a switch, and the only difference is in the result. The switch shows the result Service-Type NAS-Prompt, whereas the WLC shows no Service-Type in the result.

VIP Advisor

Is the WLC hitting the right rule, or is it maybe hitting another one?

Are you running ISE with policy sets? If yes, you can test by creating a new policy set just for that specific WLC and recreating your authz rule to validate.

You said you have another WLC; can you validate that the other one receives Service-Type 6? Are they both hitting the exact same rule?

Thanks
Francesco

Participant

For read/write access you need this attribute in addition to the ACCESS_ACCEPT access-type:

Radius:Service-Type = Administrative
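The Service-Type mismatch discussed in this thread, as an added example that is not from the thread or from Cisco: a small Python decoder for the AVPs in a RADIUS Access-Accept that reports what a WLC would act on. The two payloads are constructed here to mirror the debug output (Service-Type 7 as sent by ISE 2.2 versus the profile's Administrative, value 6), and the function names are my own.

```python
import struct
# RADIUS attribute codes (RFC 2865) and the two Service-Type values discussed in the thread
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAMES = {6: "Administrative", 7: "NAS-Prompt"}
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # cisco-av-pair sub-attribute

def parse_avps(payload):
    """Decode a run of RADIUS AVPs (Type, Length, Value) into (type, value) tuples."""
    avps, pos = [], 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed AVP at offset %d" % pos)
        avps.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return avps

def cisco_avpairs(value):
    """Return the cisco-av-pair strings inside a Vendor-Specific attribute value."""
    if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
        return []
    return [v.decode() for t, v in parse_avps(value[4:]) if t == CISCO_AVPAIR]

def check_wlc_admin_authz(payload):
    """Summarise what the WLC sees: Service-Type, shell:priv-lvl, and whether RW access results."""
    service_type, priv_lvl = None, None
    for atype, value in parse_avps(payload):
        if atype == ATTR_SERVICE_TYPE:
            service_type = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            for pair in cisco_avpairs(value):
                if pair.startswith("shell:priv-lvl="):
                    priv_lvl = int(pair.split("=", 1)[1])
    # WLC grants read/write only on Service-Type Administrative (6); IOS switches act on shell:priv-lvl,
    # which matches the thread's report that the same profile keeps working on switches.
    return {"service_type": SERVICE_TYPE_NAMES.get(service_type, service_type),
            "priv_lvl": priv_lvl, "read_write": service_type == 6}

def avp(atype, value):
    return bytes([atype, len(value) + 2]) + value

def cisco_vsa(text):
    return avp(ATTR_VENDOR_SPECIFIC,
               struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))

# Constructed Access-Accept payloads: what the WLC debug showed from ISE 2.2 (7) vs the profile's intent (6)
BUGGY_ACCEPT = avp(ATTR_SERVICE_TYPE, struct.pack("!I", 7)) + cisco_vsa("shell:priv-lvl=15")
EXPECTED_ACCEPT = avp(ATTR_SERVICE_TYPE, struct.pack("!I", 6)) + cisco_vsa("shell:priv-lvl=15")
```

Feed `check_wlc_admin_authz` the attribute bytes captured from a real Access-Accept (for example from a packet capture between ISE and the WLC) to confirm whether the server actually sends Service-Type 6.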