cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Who Me Too'd this topic

CWA using ISE and mobility anchor

michael.lymbery
Level 1
Level 1

My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.

When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.

When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.

Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.

I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.

When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

Who Me Too'd this topic