03-02-2023 06:37 AM
Dear All,
I am trying to set up an IPsec tunnel between a WLC 5508 and an ISE, to perform AAA with the RADIUS protocol.
I'd like to set up an IPsec tunnel and let the RADIUS data from the WLC to ISE pass inside it.
I have configured the WLC RADIUS profile enabling IPsec, and also configured the IPsec parameters:
and also on the ISE ESR router I have set up the IPsec tunnel:
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 14
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
crypto isakmp profile MVPN-profile
 description LAN-to-LAN for spoke router(s) connection
 keyring MVPN-spokes
 match identity address 0.0.0.0
crypto ipsec transform-set radius-3 esp-aes esp-sha-hmac
 mode tunnel
crypto map radius 10 ipsec-isakmp dynamic MVPN-dynmap
!
interface Ethernet0/0
 description e0/0->connection to external NAD
 ip address yyy.yyy.yyy.yyy 255.255.252.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 crypto map radius
!
crypto dynamic-map MVPN-dynmap 10
 set transform-set radius radius-2 radius-3
When I try to use the WLAN I get the following on the WLC with debug ipsec event enable:
*ProcessLoggingTask: Mar 02 15:24:51.556: 1 Mar 2 14:24:51 02[KNL] creating acquire job for policy 172.26.110.4/32[udp/32769] === 172.26.31.248/32[udp/radius] with reqid {1007}
*ProcessLoggingTask: Mar 02 15:24:51.557: 0 Mar 2 14:24:51 02[IKE] <172.26.110.4-172.26.31.248-0-1812|57> initiating Main Mode IKE_SA 172.26.110.4-172.26.31.248-0-1812[57] to 172.26.31.248
*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 02[ENC] <172.26.110.4-172.26.31.248-0-1812|57> generating ID_PROT request 0 [ SA V V V V ]
*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 02[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:24:55.557: 1 Mar 2 14:24:55 12[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 1 of request message ID 0, seq 1
*ProcessLoggingTask: Mar 02 15:24:55.558: 1 Mar 2 14:24:55 12[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:24:55.558: 1 Mar 2 14:24:55 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:25:02.761: 1 Mar 2 14:25:02 01[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 2 of request message ID 0, seq 1
*ProcessLoggingTask: Mar 02 15:25:02.762: 1 Mar 2 14:25:02 01[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:25:02.762: 1 Mar 2 14:25:02 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:25:15.725: 1 Mar 2 14:25:15 12[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 3 of request message ID 0, seq 1
*ProcessLoggingTask: Mar 02 15:25:15.726: 1 Mar 2 14:25:15 12[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:25:15.726: 1 Mar 2 14:25:15 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:25:23.871: 1 Mar 2 14:25:23 10[KNL] creating acquire job for policy 172.26.110.4/32[udp/32769] === 172.26.31.248/32[udp/radius] with reqid {1007}
*ProcessLoggingTask: Mar 02 15:25:23.871: 1 Mar 2 14:25:23 04[CFG] ignoring acquire, connection attempt pending
*ProcessLoggingTask: Mar 02 15:25:39.057: 1 Mar 2 14:25:39 07[IKE] <172.26.110.4-172.26.31.248-0-1812|57> giving up after 3 retransmits
Any idea about these errors?
Bye,
Igor.
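An added example, not part of the post or any Cisco tool: it parses the debug ipsec event lines quoted above (the line layout is assumed from those lines) and counts sends, socket errors and retransmits, so a reader can tell whether IKE is failing on the WLC itself or because the peer never answers.

```python
"""Summarise WLC 'debug ipsec event' output (strongSwan-style lines) to see where IKE stalls."""
import re
from collections import Counter

# Line shape assumed from the post: outer timestamp, level, inner timestamp, thread[SUBSYS], <conn|sa>, message.
LINE_RE = re.compile(
    r"^\*ProcessLoggingTask: (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): \d+ "
    r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<thread>\d{2})\[(?P<subsys>[A-Z]{3})\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)

# Sample input: a subset of the debug lines quoted in the post above.
SAMPLE_LINES = [
    "*ProcessLoggingTask: Mar 02 15:24:51.557: 0 Mar 2 14:24:51 02[IKE] <172.26.110.4-172.26.31.248-0-1812|57> initiating Main Mode IKE_SA 172.26.110.4-172.26.31.248-0-1812[57] to 172.26.31.248",
    "*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 02[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)",
    "*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 16[NET] error writing to socket: Operation not permitted",
    "*ProcessLoggingTask: Mar 02 15:24:55.557: 1 Mar 2 14:24:55 12[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 1 of request message ID 0, seq 1",
    "*ProcessLoggingTask: Mar 02 15:24:55.558: 1 Mar 2 14:24:55 12[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)",
    "*ProcessLoggingTask: Mar 02 15:24:55.558: 1 Mar 2 14:24:55 16[NET] error writing to socket: Operation not permitted",
    "*ProcessLoggingTask: Mar 02 15:25:23.871: 1 Mar 2 14:25:23 04[CFG] ignoring acquire, connection attempt pending",
    "*ProcessLoggingTask: Mar 02 15:25:39.057: 1 Mar 2 14:25:39 07[IKE] <172.26.110.4-172.26.31.248-0-1812|57> giving up after 3 retransmits",
]

def analyze(lines):
    """Count the IKE events that matter and say whether the failure is local or remote."""
    c = Counter(sent=0, socket_errors=0, retransmits=0, gave_up=0, acquire_ignored=0)
    peer = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # not a debug line (banner, prompt, noise)
        rec = m.groupdict()
        msg = rec["msg"]
        if rec["subsys"] == "NET" and msg.startswith("sending packet"):
            c["sent"] += 1
            peer = re.search(r" to ([\d.]+)\[\d+\]", msg).group(1)
        elif "error writing to socket" in msg:
            c["socket_errors"] += 1          # the OS refused the send: the packet never left the box
        elif msg.startswith("sending retransmit"):
            c["retransmits"] += 1
        elif msg.startswith("giving up"):
            c["gave_up"] += 1
        elif msg.startswith("ignoring acquire"):
            c["acquire_ignored"] += 1        # new RADIUS traffic is queued behind the stuck SA
    if c["sent"] and c["socket_errors"] >= c["sent"]:
        verdict = "local: every IKE packet failed at the socket; nothing reached the peer"
    elif c["gave_up"]:
        verdict = "remote: packets left the WLC but the peer never answered"
    else:
        verdict = "in progress" if c["sent"] else "no IKE activity"
    return {**c, "peer": peer, "verdict": verdict}
```

When every "sending packet" is paired with a socket error, as in this thread, the peer configuration is not yet in play; only once packets actually leave does the ESR side become worth debugging.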
03-02-2023 08:06 AM
- I don't think ISE can do that; it is designed to work with Microsoft Windows IAS Server, check: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109774-ipsec-wlc.html
M.
03-03-2023 12:11 AM
Hi Marce,
Thank you for your support.
I have a question, does the new wlc 9800 support ipsec tunnel creation with cisco ISE?
Bye,
JF.
03-03-2023 01:18 AM
- No, it can't either,
M.
03-04-2023 04:13 AM - edited 03-04-2023 04:14 AM
Generally speaking, if you want things in IPsec then you do that on your routers or switches (if they support IPsec).
If you want encrypted radius: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_radius_dtls.html
Take note of https://bst.cisco.com/bugsearch/bug/CSCwa77027
Obviously your radius server needs to support it too. For ISE: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200972-Configure-RADIUS-DTLS-on-Identity-Servic.html