08-24-2012 10:58 AM - edited 07-03-2021 10:34 PM
Hello folks,
I ran into an issue while integrating WLC with ISE and changing the authentication to dot1x.
Previously, when it was set to WebAuth, this limitation somehow worked, even though it was very unhelpful because the user was getting an error message that didn't specify the reason why he was denied. See the attached file that shows how it was set up in WLC.
Now when we changed it to dot1x and all authentications are done on ISE side this limitation doesn't work anymore.
Needless to say, the current ISE software doesn't support it either. Cisco only promises to have it addressed in the future release 1.2.
Any ideas or suggestions on whether I can still use this rudimentary limitation with dot1x?
08-24-2012 08:38 PM
Well that feature works with ACS 5.x, so it must be a limitation with ISE.
08-24-2012 11:46 PM
Hello,
In your screenshot there is a footnote that says:
"When using 802.1X security make sure max-login-ignore-identity-response is disabled.".
You need to disable max-login-ignore-identity-response in order for the limitation to work.
You can disable it from GUI:
Security -> Local EAP -> General
You can disable it from CLI:
config advanced eap max-login-ignore-identity-response disable
I find this is enabled by default on all my wireless controllers. If you disable it, that should get your limitation functionality to work.
HTH
Amjad