09-26-2023 08:33 AM
Earlier this year, we migrated from the WLC 2504 to the Catalyst 9800-CL cloud wireless controller, and we have Cisco ISE as our RADIUS server for authentication. With the old wireless controller, if someone was successfully connected to wifi (after being authorized by ISE), then it would show the endpoint as "Connected". However, ever since we cut over to the new wireless controller, we have found that even when someone is successfully connected to wifi via ISE, the endpoint shows as "Disconnected", and as a result, our license consumption is not accurate. Has anyone else come across this, and are you aware of a configuration that would explain what we are seeing? Thank you.
01-05-2024 01:24 AM - edited 01-05-2024 01:28 AM
It took the change right away after I did a "session reauth" on the endpoint in ISE.
And you added the Accounting List under Advanced tab in Policy Profile?
09-26-2023 08:48 AM
Now that we are aware of this issue,
you need to provide what WLC version code and what ISE version you are running.
How is your authentication process: just RADIUS, or also with certs?
09-26-2023 09:10 AM
We are on ISE 3.3 now; when we cut over to the new wireless controller, we were on ISE 3.1 maybe?
The wireless controller we have now is version 17.6.4 of the Cisco Catalyst 9800-CL
The authentication process for wifi depends on the machine having a DigiCert-signed trusted certificate loaded on it, which matches the one in ISE that corresponds to the admin portal and bears the same common name and subject alternate name as the hostname.
09-26-2023 09:25 AM
I am working on WLC 9800 with 17.9.3 with ISE 3.1 with certs and 802.1x; all works as expected for me.
I am sure the user is able to log in to the network and get resources - this means the ISE profiles are working with RADIUS.
Where do you see this: the endpoint shows as "Disconnected"?
09-26-2023 09:34 AM
So if I were to look at the WLC and see who is active, then look for the same endpoint in ISE under active endpoints, the person does not show up. However, if I look under Total Endpoints, then the user will show up in there as disconnected, and at that moment, the person's machine can be pinged and he or she is accessing the network. It will show here the person has been successfully authenticated.
09-26-2023 09:30 AM
- Have a checkup of the 9800-CL controller with the CLI command show tech wireless; feed the output into:
https://cway.cisco.com/wireless-config-analyzer/
Whether clients get effective wireless connection or not, you can get insights into this issue with client debugging according to
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
Client debugs (RadioActive Traces) can be analyzed with: https://cway.cisco.com/wireless-debug-analyzer/
M.
09-26-2023 09:34 AM
Thanks for the suggestion! I will check it out.
09-29-2023 07:26 AM
I ran the one script to check the config-errors and I corrected one error that definitely applied, but it made no difference as far as ISE showing the devices connected.
09-29-2023 07:45 AM - edited 09-29-2023 07:47 AM
Well I'm running (home lab) ISE 3.3 and 9800 with v17.12.1 and I see the same issue. I have like 50+ devices connected on wireless and only my son's PS5 shows as connected. All other devices show disconnected. I run ISE 3.0 in production and I see all 100% connected under authentication status.
Just to clarify, I run MAB for testing on a PSK SSID and the PS5 is connected to an RLAN. I will try 802.1x and see if ISE 3.3 shows connected.
09-29-2023 07:54 AM
Yeah, I have noticed with ISE 3.3 that all the wired devices have come up as MAB and not 802.1X, even though they are domain joined and all have the trusted DigiCert-signed certificate.
09-29-2023 08:09 AM
So just tested with ISE 3.3 and using 802.1x and still, the only device that shows connected is the PS5.
Keep in mind that maybe your policy for wired has MAB, so you would need to look more into that.
09-29-2023 08:14 AM
I do see all my devices under the active endpoints under live sessions, but under context visibility, only the PS5 :)
09-29-2023 08:25 AM
I am seeing them under live sessions, but at least one of them is coming up with the wrong IP address in ISE (I am basing this on what I see on the WLC) and yet they do not show a connected status when I look under Total Endpoints, so they are not consuming licenses.
09-29-2023 08:35 AM - edited 09-29-2023 08:36 AM
You might just want to open a TAC case and see what they have to say. Under my licensing, I do see the license being consumed, which seems different from what you see.
10-16-2023 08:22 AM
I have opened a case, but it has not gone far.