Solved: Cisco ISE authorization

surazb · ‎05-03-2025

Hi Experts,

I have setup where Clients connected on WLC-9800 SSID should get Vlans assignment from Cisco ISE authorization Profile, But it still clients gets IP from Access Policy configured on WLC-9800

AAA is configured on WLC with Mac Filtering and authorization list
AAA override and NAC state is selected
ISE is configured with authorization profile and with authorization plicy
Client MAC is added is Cisco ISE identity group
Strange this is ISE logs says that authorization success with correct authorization policy but actually VLans are not pushed to client

Can you guys please help me where i went wrong, If needed i will share config snaps
Thanks Guys

surazb · ‎05-12-2025

Hi Guys,
Thanks all for your support
Issue got resolved, actually there is no correct flex profile colled under site tag, after putting correct flex profile it works as expected
Thanks guys

View solution in original post

marce1000 · ‎05-03-2025

- Start with a sanity check of the WLC-9800 configuration using the CLI command
show tech wireless and feed the output from that into Wireless Config Analyzer
(Use the full command denoted in green, it does not work with a simple show tech-support )

M

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

MHM Cisco World · ‎05-03-2025

In wlc 9800 do you enable CoA and set password?

MHM

surazb · ‎05-04-2025

Yes, CoA is enabled with password

MHM Cisco World · ‎05-04-2025

Point to check

1- aaa override must enable

2- if you use dyanmic vlan then you need to select vlan all under wlan profile

MHM

surazb · ‎05-04-2025

1 - Yes, AAA override is enable
2- I want ISE to push vlans through Authorization Profile so
locally configured vlan under wlan will does not matter

MHM Cisco World · ‎05-04-2025

You want to make ISE dynamic assign vlan to wlan

So it matters

Check below link

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

MHM

Rich R · ‎05-04-2025

- What version of software are you using?

- Have you run a Radioactive Trace on the client MAC to confirm the WLC is receiving the AAA VLAN override from ISE?
Use Debug Analyzer (link below) to clean up the RA trace output.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

surazb · ‎05-04-2025

1 - WLC Version - 17.12.4
Switch 3750 - 15.2.(4).E10

2 - Nope, But i will run radioactive test and check the logs

Thanks guys for help

marce1000 · ‎05-04-2025

- @surazb Execute the WirelessAnalyzer procedure from my initial reply also. Consider that mandatory ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

surazb · ‎05-04-2025

1 - WLC version - 17.12.4
Switch 3750 - 15.2.(4).E10

2. Nope, i will do Radioactive trace and observe logs

Thanks for help guys

Saikat Nandy · ‎05-04-2025

One more important thing in addition to the suggestion been made by other experts - the vlan you would like to push via AAA override need to be present in the WLC switchport - if it is local mode AP/central switching or should be present in the AP switchport - if it is flex mode AP/local switching.

surazb · ‎05-12-2025

Hi Guys,
Thanks all for your support
Issue got resolved, actually there is no correct flex profile colled under site tag, after putting correct flex profile it works as expected
Thanks guys