We are facing a strange behaviour with an ISE installation:
We have a wireless CWA configuration, and when, under any circumstances, the client is redirected to the login page and abandons the session or even only disconnects, the WLC correctly terminates the session, but ISE still keeps the session in its table in the state "authenticated". We have to manually terminate the session on ISE for the redirect to work again. On the WLC the client session is no longer present.
The WLC is a 5520 running 8.3MR1 and is in an anchor-foreign installation. Accounting is set to the ISE servers and enabled on the foreign only, and the SSID is set to the default session timeout value (1800s). ISE is running 2.1 patch 1. The CWA policy checks for the SSID and whether MAB was used; no session timeout is set from the RADIUS server, so I assume default timers here.
Can someone explain this behaviour? I would expect the WLC to update ISE on clients that have closed their connection, and therefore that the session was cleared on the WLC, so that ISE could also clear the session.
Hi guys, I have a strange situation at a customer with a common guest internet access using a Cisco ISE and a Cisco wireless network. The ISE is a physical 3415 using wireless-only licenses and is on software release 22.214.171.124. The WLC is a 5508 currently running 126.96.36.199, the APs are 2700 series models. The rest of the infrastructure is Cisco LAN switches. The goal for the guest implementation is to use CWA to get the guests to a guest portal.

On the wireless controller I have an SSID set to use no L2 security, with MAC filtering enabled, the ISE set as RADIUS auth and acct server (RFC3576 is enabled), and on the advanced tab I have activated AAA override and set the NAC state to RADIUS NAC. The ACL for redirect is similar to:

permit any any dhcp
permit any any dns
permit any ISE-HOST TCP 8443
deny any any

On the ISE I have an authz profile for CWA set to have access-accept, CWA redirect using the ACL "redirect" (yep, no typo in) and nothing else. The AuthZ policy has the guest flow check for the internet access once authenticated, and the default rule is set to trigger the CWA profile. So far so good...

When testing the network, I see my client connecting, getting an IP address, and also in the ISE logs that the CWA URL and ACL were pushed to the WLC. On the WLC client detail, the ACL is also shown as applied, BUT the client is in the policy manager state RUN. If I am not mistaken (and this is not my first ISE guest implementation), it should be set to WEBAUTH_REQD as long as the user has not been redirected and authenticated to the portal. Now the biggie on this is: the user can surf the internet without being authenticated. Has anyone ever met this issue and can help me? Thanks.
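To make the expected behaviour of the redirect ACL in the post above concrete, here is an added example (not from the original post or from Cisco) that models how an AireOS WLC evaluates a CWA redirect ACL while a client sits in WEBAUTH_REQD: "permit" lines pass traffic untouched, "deny" lines send web traffic to the portal and block the rest. The ISE address and the flows are constructed placeholders; a client in RUN state, as described in the post, is simply no longer subject to this evaluation.

```python
from dataclasses import dataclass
from typing import List, Optional

ISE_HOST = "10.0.0.10"  # constructed placeholder for the ISE PSN address


@dataclass
class AclLine:
    action: str            # "permit" or "deny"
    proto: str             # "any", "udp" or "tcp"
    dst: str               # "any" or a destination IP address
    dport: Optional[int]   # None means any destination port


# The ACL from the post, with the WLC service names spelled out:
# dhcp -> udp/67 and udp/68, dns -> udp/53, then tcp/8443 to ISE, then deny.
REDIRECT_ACL: List[AclLine] = [
    AclLine("permit", "udp", "any", 67),
    AclLine("permit", "udp", "any", 68),
    AclLine("permit", "udp", "any", 53),
    AclLine("permit", "tcp", ISE_HOST, 8443),
    AclLine("deny", "any", "any", None),
]

WEB_PORTS = (80, 443)


def matches(line: AclLine, proto: str, dst: str, dport: int) -> bool:
    """True when a flow from the guest client hits this ACL line."""
    return ((line.proto == "any" or line.proto == proto)
            and (line.dst == "any" or line.dst == dst)
            and (line.dport is None or line.dport == dport))


def wlc_redirect_decision(acl: List[AclLine], proto: str, dst: str,
                          dport: int) -> str:
    """Return 'pass', 'redirect' or 'drop' for one client flow.

    AireOS redirect-ACL semantics (as modelled here): first match wins;
    a permit forwards the flow without redirect; a deny intercepts HTTP/HTTPS
    and sends it to the portal URL pushed by ISE, and drops anything else.
    An ACL with no matching line is treated like an implicit deny.
    """
    for line in acl:
        if matches(line, proto, dst, dport):
            if line.action == "permit":
                return "pass"
            break
    return "redirect" if (proto == "tcp" and dport in WEB_PORTS) else "drop"
```

With the post's ACL, a browser request to any internet host is redirected, while DHCP, DNS and the portal's own TCP 8443 to ISE pass; a client that the WLC already moved to RUN never reaches this check, which is why it can browse freely.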
Hi, I made it work; the problem I have is that I want the routing to go through the backplane. I now have a cable from one switchport to the router part. That's a bit ugly. I think there should be a way to have the routing working without the cable. The routing through the backplane should work, but I didn't find any configuration guide from Cisco, and what I have tried didn't work. I tried to make the routing work through the service-module G1/0, but it didn't. From the router, I can see the switch from interface g1/0 (internal), and from the switch through g0/26 (internal too). I tried to make the routing work through them but failed. Any ideas? Thanks!