Issues with Cisco ISE as proxy RADIUS

nataliacas
Level 1

I have problems with Cisco ISE as proxy RADIUS and WLC version 8.3.143.0. ISE sends the authentication request to the external RADIUS, receives the Access-Accept and returns it to the WLC. Apparently everything is working: I set the "On Access-Accept, continue to Authorization Policy" option in the ISE external RADIUS server sequence, and in the authorization profile I assign VLAN 555.

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - Radius.Called-Station-ID
11358 Received request for RADIUS server sequence.
11361 Valid incoming authentication request
11355 Start forwarding request to remote RADIUS server
11365 Modify attributes before sending request to external radius server
11100 RADIUS-Client about to send request - ( port = 1812 )
11101 RADIUS-Client received response
11357 Successfully forwarded request to current remote RADIUS server
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24209 Looking up Endpoint in Internal Endpoints IDStore -
24211 Found Endpoint in Internal Endpoints IDStore
15048 Queried PIP - DEVICE.Device Type
15016 Selected Authorization Profile - vlan-555
22081 Max sessions policy passed
22080 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept

When I look in the WLC I see the user associated but not authenticated, in spite of the fact that the user has been assigned to the right VLAN, and it has no IP address (there is a DHCP server in this VLAN).

[screenshot: nataliacas_2-1664271924651.png]

Any idea what is happening?

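The ISE steps above end with "Returned RADIUS Access-Accept", but the thread never shows what that Access-Accept contains. For a WPA2-Enterprise WLAN the controller needs two things from it: the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple (RFC 2868, RFC 3580) that carries the VLAN, and the PMK, carried as MS-MPPE-Recv-Key (RFC 2548) encrypted under the shared secret of the ISE-to-WLC link. Without a usable PMK the 4-way handshake never starts and a client stays associated but not authenticated, so inspecting the proxied Accept is the check a practitioner would want here. The script below is an added example, not code from the thread or from any Cisco product: it builds a constructed Access-Accept, decodes it the way a WLC would, and also shows what the check reports when the MPPE keys are still encrypted under the external server's secret, i.e. a proxy that forwarded them unchanged. All secrets, keys and identifiers are made up.

```python
"""Decode a RADIUS Access-Accept the way a WLC does, checking for the VLAN
Tunnel-* triple (RFC 2868/3580) and the MS-MPPE keys carrying the PMK (RFC 2548).
Added example; every packet, secret and key here is constructed."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PGID = 26, 64, 65, 81
VENDOR_MICROSOFT = 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def mppe_encrypt(key, secret, req_auth, salt):
    """RFC 2548 s2.4.2: c(1) = p(1) ^ MD5(S|R|A), c(i) = p(i) ^ MD5(S|c(i-1))."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # zero-pad to a 16-byte boundary
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return salt + out


def mppe_decrypt(blob, secret, req_auth):
    """Inverse of mppe_encrypt; None when the result is not a well-formed key."""
    salt, data = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not data or len(data) % 16:
        return None
    plain, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    n = plain[0]
    # The wrong secret yields random bytes: bad length byte or non-zero padding.
    if n == 0 or n > len(plain) - 1 or any(plain[1 + n:]):
        return None
    return plain[1:1 + n]


def attr(t, value):
    return bytes([t, len(value) + 2]) + value


def vsa(vendor, vtype, value):
    return attr(ATTR_VSA, struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value)


def tagged(tag, n):
    return bytes([tag]) + n.to_bytes(3, "big")       # RFC 2868 tagged integer


def build_access_accept(ident, req_auth, secret, recv_key, send_key, vlan, key_secret=None):
    """What ISE should hand the WLC.  key_secret != secret models a proxy that
    forwarded the external server's MPPE attributes without re-encrypting them."""
    key_secret = secret if key_secret is None else key_secret
    attrs = (attr(ATTR_TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN))
             + attr(ATTR_TUNNEL_MEDIUM, tagged(1, TUNNEL_MEDIUM_802))
             + attr(ATTR_TUNNEL_PGID, b"\x01" + vlan.encode())
             + vsa(VENDOR_MICROSOFT, MS_MPPE_RECV_KEY, mppe_encrypt(recv_key, key_secret, req_auth, b"\x80\x01"))
             + vsa(VENDOR_MICROSOFT, MS_MPPE_SEND_KEY, mppe_encrypt(send_key, key_secret, req_auth, b"\x80\x02")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 s3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    i, out = 0, []
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        value = data[i + 2:i + length]
        if t == ATTR_VSA:
            out.append((t, struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]))
        else:
            out.append((t, None, None, value))
        i += length
    return out


def check_access_accept(pkt, req_auth, secret):
    """What the WLC must recover: a valid authenticator, a VLAN and a 32-byte PMK."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        return {"ok": False, "reason": "not a complete Access-Accept"}
    attrs = pkt[20:]
    if hashlib.md5(pkt[:4] + req_auth + attrs + secret).digest() != pkt[4:20]:
        return {"ok": False, "reason": "Response Authenticator mismatch (WLC/ISE shared secret)"}
    ttype = tmed = vlan = pmk = None
    for t, vendor, vtype, value in parse_attrs(attrs):
        if t == ATTR_TUNNEL_TYPE:
            ttype = int.from_bytes(value[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM:
            tmed = int.from_bytes(value[1:], "big")
        elif t == ATTR_TUNNEL_PGID:
            vlan = (value[1:] if value[:1] < b"\x20" else value).decode()   # optional tag byte
        elif t == ATTR_VSA and vendor == VENDOR_MICROSOFT and vtype == MS_MPPE_RECV_KEY:
            pmk = mppe_decrypt(value, secret, req_auth)   # PMK = MS-MPPE-Recv-Key for 802.11
    if pmk is None or len(pmk) != 32:
        return {"ok": False, "reason": "no usable MS-MPPE-Recv-Key: 4-way handshake cannot start"}
    if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_802 or not vlan:
        return {"ok": False, "reason": "incomplete Tunnel-Type/Medium/Private-Group-ID VLAN assignment"}
    return {"ok": True, "vlan": vlan, "pmk": pmk}


if __name__ == "__main__":
    req_auth = bytes(range(16))                         # constructed Request Authenticator
    recv, send = bytes([0x11]) * 32, bytes([0x22]) * 32  # constructed MSK halves
    good = build_access_accept(7, req_auth, b"wlc-secret", recv, send, "555")
    print(check_access_accept(good, req_auth, b"wlc-secret"))
    stale = build_access_accept(7, req_auth, b"wlc-secret", recv, send, "555", key_secret=b"ext-secret")
    print(check_access_accept(stale, req_auth, b"wlc-secret"))
```

The second case is the one worth recognising: the Response Authenticator verifies, the VLAN attributes are present, yet the PMK is garbage, so a controller would log the RADIUS permit and then never complete the key exchange. A capture of the ISE-to-WLC Accept decoded with the WLC-side secret settles whether that is what a given deployment is doing.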
8 Replies

marce1000
VIP


 - FYI : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

 M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Thanks, but I don't have any problem with the number of concurrent sessions.


 - Perform client debugging on the WLC for the involved 'users', aka MAC addresses; you can have these analyzed with: https://cway.cisco.com/tools/WirelessDebugAnalyzer/

 M.





I still have no idea where the problem is.

Time | Task | Translated

Sep 27 15:08:20.214 | apfMsConnTask_5 | Client made new Association to AP/BSSID BSSID 0c:27:24:76:84:ef AP T2-200-10-PA08
Sep 27 15:08:20.214 | apfMsConnTask_5 | The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Sep 27 15:08:20.214 | apfMsConnTask_5 | The Reassociation Request from the client comes with 0 PMKID
Sep 27 15:08:20.214 | apfMsConnTask_5 | Client is entering the 802.1x or PSK Authentication state
Sep 27 15:08:20.214 | apfMsConnTask_5 | Client has successfully cleared AP association phase
Sep 27 15:08:20.214 | apfMsConnTask_5 | WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Sep 27 15:08:20.216 | Dot1x_NW_MsgTask_7 | Client will be required to Reauthenticate in 1800 seconds
Sep 27 15:08:20.216 | Dot1x_NW_MsgTask_7 | WLC/AP is sending EAP-Identity-Request to the client
Sep 27 15:08:20.241 | Dot1x_NW_MsgTask_7 | Client sent EAP-Identity-Response to WLC/AP
Sep 27 15:08:20.252 | Dot1x_NW_MsgTask_7 | RADIUS Server permitted access
Sep 27 15:08:20.252 | Dot1x_NW_MsgTask_7 | Client will be required to Reauthenticate in 1800 seconds
Sep 27 15:08:37.696 | spamApTask4 | Client delete code: AP idle timeout, AP triggered client deauth. That can be due to possible reasons: Wired guest client has expired (no traffic)/ Default event for AP side triggered client delete. Normal scenarios would be idle timeout, AP radio issues, channel changes, etc.
Sep 27 15:08:37.697 | spamApTask4 | Client expiration timer code set for 1 seconds. The reason: Dissasociation or deauthentication received from client, this is valid on 802.11w scenario. Also, generic termination clause, reason would be provided by pervious log message
Sep 27 15:08:38.557 | apfReceiveTask | Client session has timed out
Sep 27 15:08:38.557 | apfReceiveTask | Client session has timed out

It says "Normal scenarios would be idle timeout, AP radio issues, channel changes, etc.", but I don't have this problem with other users and SSIDs that are authenticated in ISE directly.


 - Try to disable fast roaming (802.11r) or related settings for the SSID, and check whether it helps for this type of client.

 M.




I have fast transition disabled.


 - Make sure client wireless drivers are up to date; for the controller, look at https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html for upgrade advice. 8.3.x is old; take care of access point model restrictions, if any.

 M.


