Here I am listing the top six settings I check when reviewing a customer's WLC configuration that is integrated with ISE. This document only describes a few settings that many admins mis-configure on the WLC and does not cover the full configuration. If you are looking for the full WLC configuration, please refer to the following document:
Interim accounting is an important message for ISE to maintain its session table. If ISE fails to receive an interim accounting message for an endpoint session for more than 5 days, ISE stops maintaining the session. This means ISE thinks the endpoint is no longer connected to the network while the wireless controller still shows it as connected. ISE also cannot manage the device via CoA (Change of Authorization), because the session is no longer maintained on ISE. To avoid this, go to WLANs, click on the target WLAN ID > Security > AAA Servers > check 'Interim Update' and set the value to zero. This ensures the WLC sends accounting updates during roaming.
While you are here, make sure 'RADIUS Server Overwrite interface' is not enabled when the WLAN is managed by ISE. This setting sources RADIUS requests from the WLAN's interface IP, which is different from the main WLC management IP.
Using the device sensor to forward DHCP and HTTP User-Agent strings provides a scalable profiling design for ISE. Go to WLANs, click on the target WLAN ID > Advanced > Radius Client Profiling, and check both DHCP and HTTP Profiling. This makes the WLC send the profiling information to ISE via the RADIUS Accounting that is configured for the WLAN.
RADIUS server timeout
The default setting of 2 seconds may be too short for a large enterprise. It is recommended to set this value to 5 seconds. This gives ISE enough time to authenticate users via backend authentication or to look up group membership and attributes from sources such as AD, LDAP, or a SQL DB. Go to Security > AAA > RADIUS > Authentication > click on the target Server Index > set 'Server Timeout' to 5 seconds. Do this for all ISE nodes.
With the default settings on the WLC, when the first RADIUS server in the list fails to respond, the WLC marks it as down and never tries it again. Using the RADIUS fallback settings, you can ensure the primary PSN is used again once the server or the network recovers from the outage. Go to Security > AAA > RADIUS > Fallback. There are two settings aside from the default: active and passive. Both provide preemption, but they preempt differently. With active, the WLC continuously sends authentication requests to the RADIUS server while it is marked down, and marks the server alive once it receives a valid response. With passive, the WLC waits for the interval and then unconditionally tries the server for authentication; if it receives a successful response it starts using the server, and if there is no response it marks the server down again for another interval.
RADIUS Aggressive Failover
The default setting on the WLC enables RADIUS aggressive failover, which means the WLC fails over to the next configured RADIUS server when a single endpoint has issues with authentication. With aggressive failover disabled, the WLC fails over only when 3 consecutive endpoints fail to get a response from the RADIUS server. You can disable RADIUS aggressive failover by running the following command from the CLI:
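To see how the fallback modes and the aggressive failover setting interact, here is an added Python model written for this post (not Cisco WLC code) of the server selection described in the two sections above; the PSN names, the threshold of 3 endpoints and the single probe per fallback interval are assumptions taken from the text.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    name: str
    reachable: bool          # constructed: does this PSN actually answer?
    marked_up: bool = True   # the WLC's view of the server
    misses: int = 0          # consecutive endpoint timeouts seen by the WLC

class WlcRadiusModel:  # toy model of WLC server selection, not WLC code
    def __init__(self, servers, aggressive_failover=True, fallback="passive"):
        self.servers = servers
        # aggressive: one endpoint timeout marks the server down; otherwise 3
        self.threshold = 1 if aggressive_failover else 3
        self.fallback = fallback

    def authenticate(self):
        """One endpoint authentication; returns the answering server or None."""
        for srv in self.servers:
            if not srv.marked_up:
                continue
            if srv.reachable:
                srv.misses = 0
                return srv.name
            srv.misses += 1
            if srv.misses < self.threshold:
                return None            # endpoint times out, server stays up
            srv.marked_up = False      # threshold hit: fail over to next server
        return None                    # every configured server is down

    def fallback_interval_elapsed(self):
        """active: probe and revive only on a reply; passive: revive blindly."""
        for srv in self.servers:
            if not srv.marked_up and (self.fallback == "passive" or srv.reachable):
                srv.marked_up, srv.misses = True, 0

def failover_sequence(aggressive, attempts=4):
    """Servers used by successive endpoints while PSN1 is unreachable."""
    psn1, psn2 = RadiusServer("PSN1", False), RadiusServer("PSN2", True)
    wlc = WlcRadiusModel([psn1, psn2], aggressive_failover=aggressive)
    return [wlc.authenticate() for _ in range(attempts)]

def server_after_fallback(mode, primary_recovered):
    """Server used by the first endpoint after the fallback interval expires."""
    psn1, psn2 = RadiusServer("PSN1", False), RadiusServer("PSN2", True)
    wlc = WlcRadiusModel([psn1, psn2], fallback=mode)
    wlc.authenticate()                 # PSN1 times out once and is marked down
    psn1.reachable = primary_recovered
    wlc.fallback_interval_elapsed()
    return wlc.authenticate()
```

Calling failover_sequence(False) shows two endpoints timing out before the WLC moves to PSN2, and server_after_fallback("passive", False) shows passive mode marking the primary down again when it is still unreachable.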