08-07-2017 11:09 AM - edited 07-05-2021 07:30 AM
I am working on a 7500 WLC with a lot of old RADIUS servers configured. We are in the process of migrating all functions from older ACS servers over to ISE.
Under the Security Tab, all AAA RADIUS auth and accounting servers have 'Network user' and 'management' options set.
In the ISE logs, I am seeing messages coming from WLANs that I don't believe should be sending any accounting info to ISE. The WLANs are set for using a PSK or, in one case, the WLAN is set to open.
On the WLAN/Security/AAA server settings the check boxes for overriding the default AAA server are checked, but in the drop-down options those were left to 'none'.
I am assuming that this setup was chosen to try and prevent the WLC from forwarding any AAA accounting data anywhere.
My question is if this is a valid setup or is there another way to get the WLC to not send AAA accounting to ISE for WLANs that are not doing 802.1X.
-Thanks
08-07-2017 01:57 PM
On the WLAN/Security/AAA server settings the check boxes for overriding the default AAA server are checked, but in the drop-down options those were left to 'none'.
This is a default setting when you are creating a WLAN.
You can untick it if the WLAN is an Open or PSK SSID.
HTH
Rasika
*** Pls rate all useful responses ***
08-08-2017 01:36 AM
If you do not want any accounting packets being sent, remove the accounting servers from the WLC.
08-08-2017 05:59 AM
I guess I should have been more specific in my initial post.
I have other WLANs on the controller that do use 802.1X and need to send logs to ISE.
08-08-2017 06:18 AM
Ah ok :)
In that case, go to the specific BSSID and to the security tab and make sure that nothing is selected for accounting. That way no accounting information will be sent for that BSSID to the RADIUS.