Here I am listing the top six settings I check when reviewing a customer's WLC configuration integrated with ISE. This document only describes a few settings that many admins misconfigure on the WLC and does not cover the full configuration. If you are looking for the full WLC configuration, please refer to the following document:
Interim accounting is an important message for ISE to maintain its session table. If ISE fails to receive an interim accounting message for an endpoint session for more than 5 days, ISE stops maintaining that session. This means ISE thinks the endpoint is no longer connected to the network while the wireless controller still shows it as connected. ISE also cannot manage the device via CoA (Change of Authorization), because the session no longer exists on ISE. To avoid this, go to WLANs, click on the target WLAN ID > Security > AAA Servers > check ‘Interim Update’ and set the value to zero. This ensures the WLC sends accounting updates during roaming.
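To make the consequence concrete, here is an added example (not from the original article) that replays constructed RADIUS accounting records and rebuilds the session table the way the article says ISE treats it: a session is refreshed by Start and Interim-Update, closed by Stop, and purged once no accounting has arrived for 5 days. Endpoint 01 sits on a WLAN with Interim Update enabled, endpoint 02 on one without it; the MACs, session IDs and timestamps are all constructed sample data.

```python
from datetime import datetime, timedelta

# ISE purges a session it has received no accounting message for in 5 days
# (the window stated in the article).
ISE_SESSION_PURGE = timedelta(days=5)

# Constructed sample accounting records as ISE would receive them from the WLC:
# (timestamp, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id).
# Endpoint 01 is on a WLAN with Interim Update enabled; endpoint 02 is not.
SAMPLE_ACCOUNTING = [
    ("2024-03-01T08:00:00", "Start", "5e0a1001", "aa:bb:cc:00:00:01"),
    ("2024-03-01T08:00:00", "Start", "5e0a1002", "aa:bb:cc:00:00:02"),
    ("2024-03-01T08:00:00", "Start", "5e0a1003", "aa:bb:cc:00:00:03"),
    ("2024-03-02T17:00:00", "Stop", "5e0a1003", "aa:bb:cc:00:00:03"),
    ("2024-03-04T12:30:00", "Interim-Update", "5e0a1001", "aa:bb:cc:00:00:01"),
    ("2024-03-07T09:00:00", "Interim-Update", "5e0a1001", "aa:bb:cc:00:00:01"),
]


def _ts(value):
    """Accept either an ISO-8601 string or a datetime."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def ise_session_view(records, now):
    """Rebuild ISE's session table at time `now`.

    Returns {Acct-Session-Id: (mac, last_accounting_seen, state)} where state is
    'active', 'closed' (a Stop arrived) or 'purged' (no accounting for > 5 days).
    """
    now = _ts(now)
    sessions = {}
    for ts, status, sid, mac in sorted(records, key=lambda r: _ts(r[0])):
        seen = _ts(ts)
        if seen > now:
            continue  # message has not been sent yet at `now`
        if status == "Stop":
            sessions[sid] = (mac, seen, "closed")
        else:  # Start and Interim-Update both refresh the session
            sessions[sid] = (mac, seen, "active")
    view = {}
    for sid, (mac, seen, state) in sessions.items():
        if state == "active" and now - seen > ISE_SESSION_PURGE:
            state = "purged"
        view[sid] = (mac, seen, state)
    return view


def coa_capable(records, now):
    """MACs that still have an active session on ISE, i.e. that CoA can reach."""
    return sorted(mac for mac, _, state in ise_session_view(records, now).values()
                  if state == "active")


def wlc_ise_mismatch(records, now, wlc_connected):
    """MACs the WLC still reports as connected but ISE has already purged."""
    purged = {mac for mac, _, state in ise_session_view(records, now).values()
              if state == "purged"}
    return sorted(purged & set(wlc_connected))


if __name__ == "__main__":
    still_on_wlc = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]
    when = "2024-03-08T00:00:00"
    print("CoA-capable on", when, coa_capable(SAMPLE_ACCOUNTING, when))
    print("WLC/ISE mismatch on", when, wlc_ise_mismatch(SAMPLE_ACCOUNTING, when, still_on_wlc))
```

By day 7 endpoint 02, which never produced an interim update, is purged on ISE and so can no longer be targeted by CoA even though the WLC still lists it as connected; endpoint 01 stays reachable because its interim updates kept refreshing the session.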
While you are here, make sure ‘RADIUS Server Overwrite interface’ is not enabled when the WLAN is managed by ISE. This setting sources RADIUS requests from the WLAN's interface IP, which is different from the main WLC management IP.
Utilizing the device sensor to forward DHCP and HTTP User-Agent strings provides a scalable profiling design for ISE. Go to WLANs, click on the target WLAN ID > Advanced > Radius Client Profiling, and check both DHCP and HTTP Profiling. This makes the WLC send the profiling information to ISE via the RADIUS accounting configured for the WLAN.
RADIUS server timeout
The default setting of 2 seconds may be too short for a large enterprise. It is recommended to set this value to 5 seconds. This gives ISE enough time to authenticate users via backend authentication or to look up group membership and attributes from sources such as AD, LDAP, or a SQL DB. Go to Security > AAA > RADIUS > Authentication > click on the target Server Index > set ‘Server Timeout’ to 5 seconds. Do this for all ISE nodes.
With the default settings on the WLC, when the first RADIUS server in the list fails to respond, the WLC marks it as down and never tries it again. Using the RADIUS fallback settings, you can ensure the primary PSN is used again once the server or network recovers from the outage. Go to Security > AAA > RADIUS > Fallback. There are two settings aside from the default: active and passive. Both provide preemption, but the way they preempt is different. With active, the WLC continuously sends authentication requests to the RADIUS server while it is marked down and marks the server alive once it receives a valid response. With passive, the WLC waits for the interval and then unconditionally tries the server for authentication; if it receives a successful response it starts using the server again, while if there is no response it marks the server down again for another interval.
RADIUS Aggressive Failover
By default the WLC has RADIUS aggressive failover enabled, which means the WLC fails over to the next configured RADIUS server when a single endpoint fails to get a response for its authentication. With aggressive failover disabled, the WLC fails over only when 3 consecutive endpoints fail to get a response from the RADIUS server. You can disable RADIUS aggressive failover by running the following command from the CLI:
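The fallback and aggressive-failover sections above describe the same server-selection logic from two sides, so here is one added example (a simplified model written for this page, not Cisco code) that implements the behaviour as the article states it: the WLC marks a server down after one unanswered endpoint with aggressive failover on or after three consecutive unanswered endpoints with it off, and the fallback mode (off, passive or active) decides whether and when a down server is used again. Server names, the 300-second passive interval and the request sequence are constructed; per-request retransmits and the server timeout are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    responds: bool = True        # constructed switch: does the server answer right now?
    down: bool = False
    consecutive_failures: int = 0
    down_since: int = 0


@dataclass
class WlcRadiusSelection:
    servers: list
    aggressive_failover: bool = True   # WLC default, per the article
    fallback_mode: str = "off"         # "off" (default), "passive" or "active"
    fallback_interval: int = 300       # seconds a passive-mode server stays down (assumed value)
    log: list = field(default_factory=list)

    @property
    def failover_threshold(self):
        # aggressive: one unanswered endpoint; disabled: three consecutive endpoints
        return 1 if self.aggressive_failover else 3

    def _current_server(self):
        for s in self.servers:
            if not s.down:
                return s
        return None

    def _recover_servers(self, now):
        """Apply the fallback mode to servers currently marked down."""
        for s in self.servers:
            if not s.down or self.fallback_mode == "off":
                continue
            if self.fallback_mode == "active":
                # WLC keeps probing a down server and revives it on the first valid reply
                if s.responds:
                    self._mark_alive(s, now)
            elif self.fallback_mode == "passive":
                # WLC waits the interval, then tries the server unconditionally
                if now - s.down_since >= self.fallback_interval:
                    if s.responds:
                        self._mark_alive(s, now)
                    else:
                        s.down_since = now  # stays down for another interval

    def _mark_alive(self, s, now):
        s.down, s.consecutive_failures = False, 0
        self.log.append((now, "-", s.name, "marked alive"))

    def authenticate(self, endpoint, now):
        """One RADIUS Access-Request for `endpoint` at time `now` (seconds).
        Returns the name of the server that answered, or None if nothing did."""
        self._recover_servers(now)
        server = self._current_server()
        if server is None:
            self.log.append((now, endpoint, None, "all servers down"))
            return None
        if server.responds:
            server.consecutive_failures = 0
            self.log.append((now, endpoint, server.name, "answered"))
            return server.name
        server.consecutive_failures += 1
        self.log.append((now, endpoint, server.name, "no response"))
        if server.consecutive_failures >= self.failover_threshold:
            server.down, server.down_since = True, now
            self.log.append((now, endpoint, server.name, "marked down"))
        return None


def scenario(aggressive_failover, fallback_mode="off"):
    """Constructed sequence: the primary PSN drops two requests in a row, then
    answers again. Returns which server handled each of four endpoints."""
    primary, secondary = RadiusServer("psn1"), RadiusServer("psn2")
    wlc = WlcRadiusSelection([primary, secondary], aggressive_failover, fallback_mode)
    primary.responds = False
    results = [wlc.authenticate("ep1", 0), wlc.authenticate("ep2", 1)]
    primary.responds = True
    results.append(wlc.authenticate("ep3", 2))
    results.append(wlc.authenticate("ep4", 400))  # well past the passive interval
    return results


if __name__ == "__main__":
    for args in [(True,), (False,), (True, "passive"), (True, "active")]:
        print(args, scenario(*args))
```

Running the four scenarios shows the operational difference: with the defaults (aggressive on, fallback off) one unanswered endpoint moves every later request to psn2 permanently; with aggressive failover off the two drops are absorbed and psn1 keeps serving; with aggressive on but fallback set to passive or active, traffic returns to psn1 after the interval or as soon as it answers again, respectively.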