cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1056
Views
0
Helpful
3
Replies
Highlighted
Beginner

Issue with WLAN using dot1x to authorize with anchor in the DMZ

Hi,

I am trying to do a proof of concept where a company wireless laptop can authenticate using dot1x through ISE and be dumped on an anchor controller in our DMZ. The ISE bit works and then I can see the laptop appear briefly on the anchor but it is not associated to any SSID and it doesnt work.

neflt corp issue 5508.PNG

And when I do a debug on the anchor I get these logs

*mmMaListen: Feb 13 10:01:38.177: 10:02:b5:75:b4:ad SSID=Bxxxxxxxxxt Security policy received=0x46000

*mmMaListen: Feb 13 10:01:38.178: 10:02:b5:75:b4:ad SSID=Bxxxxxxxxxt not found or policy mismatch, delete client and ignore export anchor request

So I am guessing there is a difference in the config between the main WLC and the anchor so below I have put the two configs below. 

WLC - Cisco 5760 

wlan Bxxxxxxxxxt 4 Bxxxxxxxxxt
aaa-override
accounting-list
no assisted-roaming dual-list
no assisted-roaming neighbor-list
broadcast-ssid
ccx aironet-iesupport
channel-scan defer-priority 4
channel-scan defer-priority 5
channel-scan defer-priority 6
channel-scan defer-time 100
chd
client association limit ap 0
client association limit radio 0
client association limit 0
client vlan default
no device-classification
dtim dot11 24ghz 1
dtim dot11 5ghz 1
exclusionlist
exclusionlist timeout 60
ip access-group web
ip access-group
ip dhcp server 172.17.1.4
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
ipv6 traffic-filter web none
ipv6 traffic-filter none
mac-filtering
mfp client
mfp infrastructure-protection
mobility anchor sticky
mobility anchor 192.168.247.245
nac
no profiling local http
no profiling radius http
radio all
security wpa
security wpa akm dot1x
security wpa wpa2
security wpa wpa2 ciphers aes
security dot1x authentication-list ise-list-43
security dot1x encryption 104
security ft over-the-ds
security ft reassociation-timeout 20
security pmf association-comeback 1
security pmf saquery-retry-time 200
security static-wep-key authentication open
security tkip hold-down 60
security web-auth authentication-list
security web-auth parameter-map
service-policy client input unknown
service-policy client output unknown
service-policy input unknown
service-policy output unknown
service-policy type control subscriber
session-timeout 1800
wmm allowed
no shutdown
shutdown

 

And the Anchor config - Csco 5508

 

(Cisco Controller) >show wlan 4


WLAN Identifier.................................. 4
Profile Name..................................... Bxxxxxxxxxt
Network Name (SSID).............................. Bxxxxxxxxxt
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Web Auth Captive Bypass Mode..................... None
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ nelft_corp
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
Central NAT Peer-Peer Blocking................... Unknown
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... WLC
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Not Applicable
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled

Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.247.245 Up

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy

----------------
Priority Policy Name
-------- ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled

Fabric Status
--------------

Fabric status.................................... Disable

Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30

 

Does anyone have any suggestion of where I am going wrong, I hope there is enough information.

 

Many thanks,

Paddy

3 REPLIES 3
Highlighted
Hall of Fame Master

Paddy,

The 5760’s are not even available to purchase anymore. My suggestion is to look into the newer 9800’s or focus in the short term upgrading away from the 5760 and 5508’s. The mix and match you have and the end of life for the two devices doesn’t make sense to do a proof of concept.
In traditional AireOS that is rock solid, authentication always happens on the foreign and once authenticated, then moves to the anchor. Part of making anchoring work is having the ssid configuration the same. That is a bit difficult in your case using CA. I don’t know if you will ever get that to work to be honest, but maybe focus on moving to a new platform where support is still available. That would be my approach.
-Scott
*** Please rate helpful posts ***
Highlighted

Hi Scott,
I appreciate that we are using old kit, unfortunately we are not in a position to get new controllers for the next 12 months probably so our short term plan is to make do with what we have. We are being asked to provide an SSID for a sister organisation to connect their laptops to, authenticating etc through their ISE (but we dont want their laptops on our core network, hence the anchor in the dmz). I am trying to do some initial testing to see if I can get it working, if I cant then I will ditch the dmz and just have a straightforward SSID.
Paddy
Highlighted

Yeah I don’t know if that will work. Also, not many folks run converged access anymore. I had a few clients switch from AireOS to CA when CA was being pushed and all of them ended up going back to AireOS. Good luck, keep us posted if you do get that to work.
-Scott
*** Please rate helpful posts ***
Content for Community-Ad