Issues with cisco ISE as proxy radius

nataliacas · ‎09-27-2022

I have problems with cisco ISE as proxy radius and WLC version 8.3.143.0. ISE sends the authentication request to the external radius, receives the access accept and returns it to the wlc. Aparently everything is working, I put the On Access-Accept, continue to Authorization Policy option in the ISE external RADIUS sequence, and In the authorization profile I assign the vlan 555.

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Network Access.UserName
	15048	Queried PIP - Radius.Called-Station-ID
	11358	Received request for RADIUS server sequence.
	11361	Valid incoming authentication request
	11355	Start forwarding request to remote RADIUS server
	11365	Modify attributes before sending request to external radius server
	11100	RADIUS-Client about to send request - ( port = 1812 )
	11101	RADIUS-Client received response
	11357	Successfully forwarded request to current remote RADIUS server
	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24209	Looking up Endpoint in Internal Endpoints IDStore -
	24211	Found Endpoint in Internal Endpoints IDStore
	15048	Queried PIP - DEVICE.Device Type
	15016	Selected Authorization Profile - vlan-555
	22081	Max sessions policy passed
	22080	New accounting session created in Session cache
	11002	Returned RADIUS Access-Accept

When I look in the wlc I see the user associated but not authenticated in spite of the fact that the user has been assigned to the rigth vlan and it has no ip address (there is a dhcp server in this vlan

Please any idea of what is happening

marce1000 · ‎09-27-2022

- FYI : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

nataliacas · ‎09-27-2022

thanks but I don´t have any problem with the number of concurrent sessions

marce1000 · ‎09-27-2022

- Perform client debugging on the WLC for the involved 'users' aka mac addresses , you can have these analyzed with : https://cway.cisco.com/tools/WirelessDebugAnalyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

nataliacas · ‎09-27-2022

I still have no idea where the problem is

TimeTaskTranslated

Sep 27 15:08:20.214	*apfMsConnTask_5	Client made new Association to AP/BSSID BSSID 0c:27:24:76:84:ef AP T2-200-10-PA08
Sep 27 15:08:20.214	*apfMsConnTask_5	The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Sep 27 15:08:20.214	*apfMsConnTask_5	The Reassociation Request from the client comes with 0 PMKID
Sep 27 15:08:20.214	*apfMsConnTask_5	Client is entering the 802.1x or PSK Authentication state
Sep 27 15:08:20.214	*apfMsConnTask_5	Client has successfully cleared AP association phase
Sep 27 15:08:20.214	*apfMsConnTask_5	WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Sep 27 15:08:20.216	*Dot1x_NW_MsgTask_7	Client will be required to Reauthenticate in 1800 seconds
Sep 27 15:08:20.216	*Dot1x_NW_MsgTask_7	WLC/AP is sending EAP-Identity-Request to the client
Sep 27 15:08:20.241	*Dot1x_NW_MsgTask_7	Client sent EAP-Identity-Response to WLC/AP
Sep 27 15:08:20.252	*Dot1x_NW_MsgTask_7	RADIUS Server permitted access
Sep 27 15:08:20.252	*Dot1x_NW_MsgTask_7	Client will be required to Reauthenticate in 1800 seconds
Sep 27 15:08:37.696	*spamApTask4	Client delete code: AP idle timeout, AP triggered client deauth That can be due to possible reasons: Wired guest client has expired (no traffic)/ Default event for AP side triggered client delete. Normal scenarios would be idle timeout, AP radio issues, channel changes, etc.
Sep 27 15:08:37.697	*spamApTask4	Client expiration timer code set for 1 seconds. The reason: Dissasociation or deauthentication received from client, this is valid on 802.11w scenario. Also, generic termination clause, reason would be provided by pervious log message
Sep 27 15:08:38.557	*apfReceiveTask	Client session has timed out
Sep 27 15:08:38.557	*apfReceiveTask	Client session has timed out

nataliacas · ‎09-27-2022

it says "Normal scenarios would be idle timeout, AP radio issues, channel changes, etc." but I don´t have this problem with other users and SSID´s that are authenticated in ISE directly

marce1000 · ‎09-27-2022

- Try to disable fast roaming (802.11r) or related settings, for the SSID , check if it can help for this type of client.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

nataliacas · ‎09-27-2022

I have fast transition disable,

marce1000 · ‎09-27-2022

- Make sure client wireless drivers are up to date, for controller look at https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html , upgrade advises 8.3.x is old , take care of access point model restrictions if any.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '