Dear, Could someone please check and verify if this is normal. When I export the config from the GUI or CLI, I don't see which APs are listed under which FlexConnect group. I need this information to automatically update the config on the N+1 redundancy controller. Now I have to visually check every FlexConnect group and then copy-paste the MAC of the AP to the other controller… ☹ Kr Niels
Something strange is happening with EAP-TLS and ISE CRL checking.
It's not a very common scenario: our client has 2 CAs as a temporary solution to migrate to the new CA.
ISE is authenticating both client certificates without any problem.
Now we are running into this strange behavior:
The clients authenticate with the old CA certificate. (green report, authentication success)
The new certificate is pushed, and the old certificate is deleted. (The repeat counter goes up, even if we hit a different authorization policy => this is normal default behavior if the result is the same.)
On the new CA we revoke the certificate that was received. (The CRL is retrieved every 10 minutes.)
The client stays connected even after removal from the WLC, session terminations, reauthentications, … waited 30 min… (repeat counter increases)
Now here is the funny part: if you disable "repeat successful authentication" under admin => protocols => radius, the client is directly disconnected.
We did the same test with the client starting with the new certificate, and that is working correctly.
It seems to me that ISE is taking a shortcut and not really checking the authentication when doing a repeated authentication.
I'm still looking into this; maybe it can even be used as an exploit.
Hi Craig, Thanks for the information. That confirms why it's not working. The workaround you are suggesting could be possible, but I don't think it will be manageable for the client (meaning that all rules will be mixed together). What I think would be better is to have policy set rules based on the location: device location equals ... => (then go to the authentication rules and authorization rules). A bit disappointing that ISE can't work with dynamic attributes / manipulate them. I think it's quite easily done in a "freeradius" server. Hope that Meraki supports VLAN name override soon. (making a wish...) For the moment I think we will need to stop deploying Meraki. Kr Niels
Dear, We are installing a new WiFi infrastructure for a test site. In total 80 other sites need to be done. The client has chosen Cisco Meraki as their new wireless infrastructure (MR 42). There is also an upgraded ISE, version 2.1.6. This server will be used to authenticate all SSIDs. The dot1x SSID will be used for a lot of different devices: laptops, phones, BYOD, guests (PEAP with guest accounts). ISE will need to override the correct VLANs.

Meraki does support VLAN override, but only with the VLAN ID (no VLAN name is possible, confirmed by the local Cisco Meraki person). The problem is that the sites are not standardized, meaning the guest VLAN is different for each site. So per site we will have around 8 rules in ISE, multiplied by 80 sites is many... many rules in ISE. Maybe not a software limitation, but it's not scalable, it is easy to make mistakes, and it will also be a lot of extra work.

I tried to create a workaround which is not working (therefore I am posting this). Under network device groups in ISE, I created special network device groups called:
GUEST VLAN ID
CORP VLAN ID
BYOD VLAN ID
Under each network device I placed the correct VLAN ID as the name. I created custom authorization profiles returning the name of the VLAN ID group, but it is not working. :S In the packet captures there is no Tunnel-Private-Group when doing this. What I'm thinking is that ISE returns the full path, for example "GUEST VLAN ID#54", and should (to get it working) only return 54. I created a similar workaround already with an AD attribute and that's working.

Could this be checked, if this is possible in any way? This could change 640 rules to 8, which would be great for me to implement and for the client to manage. Also 8 rules are easily recreated (it's still not possible to re-import ISE rules), and it is possible to import and export devices and device groups. Kr Niels
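The following is an added example, not code from the post above and not Cisco ISE or Meraki code. It models the NDG-name workaround the post describes: the per-site VLAN ID is kept as the name of an ISE Network Device Group, and the authorization profile returns that name. It assumes, as the poster hypothesizes, that the returned value is the full path in the form "GROUP TYPE#NAME" (e.g. "GUEST VLAN ID#54"), strips it to the numeric VLAN ID, and encodes the standard RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a VLAN-ID-only authenticator can act on. The device names, sites and VLAN numbers are constructed sample data; nothing here verifies what ISE actually emits.

```python
"""Model of the 'VLAN ID stored as NDG name' workaround (added example).

Assumptions (not confirmed by the post): the attribute ISE returns is the
full NDG path "GROUP TYPE#NAME", and the authenticator accepts only a
decimal VLAN ID in Tunnel-Private-Group-ID, as the post says Meraki does.
"""
import re
import struct

# RFC 2868 attribute numbers and values (standard RADIUS).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed sample data: hypothetical sites, devices and VLAN IDs.
SAMPLE_DEVICES = {
    "site-a-ap": ["Location#Site A", "GUEST VLAN ID#54", "CORP VLAN ID#10", "BYOD VLAN ID#20"],
    "site-b-ap": ["Location#Site B", "GUEST VLAN ID#154", "CORP VLAN ID#110", "BYOD VLAN ID#120"],
    "site-c-ap": ["Location#Site C", "CORP VLAN ID#210"],  # no GUEST group assigned
}

# "<ROLE> VLAN ID#<number>"; the role prefix selects which VLAN to return.
_NDG_VLAN_RE = re.compile(r"^(?P<role>[A-Z]+) VLAN ID#(?P<vlan>\d{1,4})$")


def vlan_from_ndg(path):
    """'GUEST VLAN ID#54' -> ('GUEST', 54); None for groups that are not VLAN groups.

    Rejects IDs outside 1-4094 so a mistyped group name never reaches RADIUS."""
    m = _NDG_VLAN_RE.match(path)
    if not m:
        return None
    vlan = int(m.group("vlan"))
    if not 1 <= vlan <= 4094:
        raise ValueError(f"NDG {path!r} does not carry a valid VLAN ID")
    return m.group("role"), vlan


def vlan_for_device(device, role, devices=SAMPLE_DEVICES):
    """VLAN ID for a role (GUEST/CORP/BYOD) on a device, or None if not assigned."""
    for path in devices[device]:
        parsed = vlan_from_ndg(path)
        if parsed and parsed[0] == role:
            return parsed[1]
    return None


def _tagged_integer(attr, value, tag=0):
    # RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value.
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr, text, tag=0):
    # RFC 2868 tagged string: Type, Length, Tag, String (length <= 255 in total).
    data = text.encode("ascii")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long for a RADIUS AVP")
    return struct.pack("!BBB", attr, len(data) + 3, tag) + data


def vlan_override_avps(vlan):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>."""
    return (_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def decode_avps(blob):
    """Walk the AVP TLVs back into (type, value) pairs.

    Assumes the tag byte is present (this module always emits tag 0)."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((attr_type, int.from_bytes(body[1:], "big")))  # skip tag
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            out.append((attr_type, body[1:].decode("ascii")))       # skip tag
        else:
            out.append((attr_type, body))
        i += length
    return out


def authenticator_accepts(group_id):
    """A VLAN-ID-only authenticator can use a decimal ID, not a name or an NDG path."""
    return group_id.isdigit() and 1 <= int(group_id) <= 4094


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        vlan = vlan_for_device(dev, "GUEST")
        print(dev, "GUEST ->", decode_avps(vlan_override_avps(vlan)) if vlan else "no override")
```

The point of `authenticator_accepts` is the failure mode in the post: if the raw group path "GUEST VLAN ID#54" were placed in Tunnel-Private-Group-ID, a VLAN-ID-only authenticator would have nothing usable, whereas the stripped "54" is accepted. Whether ISE can do this stripping natively is the question the post leaves open.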