WLC Service port IP address bound to AAA request to ISE

kbyrd
Level 2

We're having two strange issues related to integrating 8540 WLCs in an SSO to a pair of HA ISE for AAA. This configuration was "ported" from a WiSM2 to the 8540... all IP addresses that were active on the WiSM2 are active on the 8540.

1) When we display Security>AAA>RADIUS>Authentication, there is a space for an "*" between the service index and the server IP address. That * is not displayed for the primary ISE but is displayed for the secondary ISE. What does that * indicate?

2) When troubleshooting an SSID that is defined with the ISE to be redirected to the ISE guest portal, we are seeing the ISE show that the NAS IPv4 Address is bound to the service port on the 8540, and not the management port as expected. Is there a way to bind that request specifically to the management port?

 

Thanks.


Hi,

 

1) When we display Security>AAA>RADIUS>Authentication, there is a space for an "*" between the service index and the server IP address. That * is not displayed for the primary ISE but is displayed for the secondary ISE. What does that * indicate?

The * means ISE server and WLC reachability.

2) When troubleshooting an SSID that is defined with the ISE to be redirected to the ISE guest portal, we are seeing the ISE show that the NAS IPv4 Address is bound to the service port on the 8540, and not the management port as expected. Is there a way to bind that request specifically to the management port?

You did add the WLC to the ISE as a client, right? Which IP did you use? Looks like it is talking to the WLC through the service port.

-If I helped you somehow, please, rate it as useful.-

 

Thanks for your response, Flavio.

1) The * is on sometimes, and off sometimes. No firewall is between the WLC and ISE.

2) More importantly, the WLC management IP is defined to the ISE, not the SP IP. The problem is that the ISE log/messages showing the authentication rejection show that the request is coming from the SP port on the WLC.

 

Would this have anything to do with SSO? We have a single 8540 defined to the ISE at another data center that has no problems. We have had two other WiSM2s defined to ISE with no problems. All were running the same 8.2.170.0 firmware. As a matter of fact, this 8540-SSO replaced one of the WiSM2s running the same configuration with the same IPs (with the exception of the SP).

 

Any ideas?

I've never seen this before in SSO. Do you have routes defined on the WLC? It doesn't make any sense for the packets to go out from the SP.

-If I helped you somehow, please, rate it as useful.-
