Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2541
Views
5
Helpful
7
Replies

ISE NAC not supported with flexconnect ?

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee

‎12-21-2017 10:12 AM - edited ‎07-05-2021 08:00 AM

Hello Team,

 

vWLC 8.4.100.0

AP 2702

 

I have configured flexconnect (central auth, local switching and is working perfectly fine). I have a WLAN with interface putting my users in the right VLAN switched locally.

But so far i had in WLAN advanced tab NAC state = none. I wanted to enable it to support CoA, quarantine etc. It took me some time to narrow down this problem, but it's 100% replicable, after enabling NAC state = ISE NAC:

- users can authenticate (802.1x) correctly

- users get the right address via DHCP (locally switched VLAN/dhcp server)

- arp is working fine

- but i have no IP connectivity (can not even ping default gateway)

 

When checking in Monitor/Clients everything looks to be the same including right VLAN.

 

Is that expected ? Why that is happening ? Maybe after enabling ISE NAC i need to configure some ACL for flexconnect ? (but i am not doing any BYOD/NAC yet, just want basic network connectivity still at this stage).

 

Could you please help ?

 

Thanks,

Micha

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Michal Garcarz

‎12-21-2017 02:38 PM

Hi

Is the WLC up and running now?
Which version?

Upload the version 8.5.110 on the wlc and reload it. You can't do pre-download on AP as there're stuck.
After that, if APs are not registered to wlc, can you do a debug on wlc :
- debug capwap errors enable
- debug capwap detail enable

And/or if you can, access your APs in console mode and see what are the messages shown.

If you want we can also do a webex session to see what's going on. I don't have any lab available right now to test version 8.6 but sure 8.5.110 is working fine on vwlc for at least few customers (3)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-21-2017 12:08 PM

Hi Michal,

The issue you're facing looks like the same we had with 8.5 and corrected in the latest 8.5 version. Can you upgrade 8.5.110?
Also the version 8.4 has been deferred.
Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎12-21-2017 01:29 PM - edited ‎12-21-2017 01:42 PM

Hi Francesco,

I have upgraded to 8.6.101.0.

And now for 1-2 hours both APs are constantly rebooting, downloading and rebooting (changing operational status from REG to downloading). Many many times (10+). Once REG i can see most of AP specific config is lost (like static ip or flexconnect vlan support). Also primary software version for those APs is always 8.4.100.0 - so it looks like those can not be upgrade to anything newer and stays on loop :(

It does not look good :(

Would you recommend 8.6 or 8.5 ?

(i am hitting bug: CSCvf52723 on 8.4 and it's fixed in 8.6.101.0, but that 8.6 version seems to not support my 2700 even if compatibility matrix says something different)

 

Thanks,

Michal

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Michal Garcarz

‎12-21-2017 02:00 PM

I've not used 8.6 but I confirm 8.5.110 is working fine.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎12-21-2017 02:31 PM

I have definitively stuck in limbo now. WLC: Primay image 8.6, secondary 8.5. For both of them my APs are in circle trying to upgrade and failing, getting back to 8.4 (for 3 hours now). Can i keep AP on 8.4 while WLC on 8.5 ?

Is it possible that AIR-CAP2702I-E-K9 do not support newer software ?

I can not download my old relatively stable 8.4 because it's deferred. What would you recommend now ?

 

Thanks,

Michal

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Michal Garcarz

‎12-21-2017 02:38 PM

Hi

Is the WLC up and running now?
Which version?

Upload the version 8.5.110 on the wlc and reload it. You can't do pre-download on AP as there're stuck.
After that, if APs are not registered to wlc, can you do a debug on wlc :
- debug capwap errors enable
- debug capwap detail enable

And/or if you can, access your APs in console mode and see what are the messages shown.

If you want we can also do a webex session to see what's going on. I don't have any lab available right now to test version 8.6 but sure 8.5.110 is working fine on vwlc for at least few customers (3)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎12-21-2017 03:30 PM

Francesco, Thank for the help here.

I have finally managed to solve it:

- downgraded to 8.0 - that software was installed on both APs without issues, but had no flexconnect mode

- after that i have upgraded WLC to 8.5 and then both APs also got upgraded to 8.5 without issues, now i have flexconnect working

- and i have achieved my initial goal - bug with ISE NAC is fixed !

 

Thanks again a lot !

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Michal Garcarz

‎12-21-2017 03:35 PM

Ok nice. You're welcome.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card