618 Views, 20 Helpful, 10 Replies

WLANs deployment in cisco ISE presence

TrickTrick (Level 3)

Hello everybody,

This might look like a noob question: I'm trying to understand a client's WLAN environment, but I'm a little bit lost.

My understanding of WLANs is as follows:

A WLAN, once created, is linked to an interface, which plays the role of a DHCP relay and gives a client connected to that specific WLAN an IP address from the same scope as the IP of the WLAN interface.

This client has an ISE server configured in all of their WLANs, and the above understanding does not apply at all: different rules are applied, with captive portal capabilities that are not mentioned anywhere in the WLC.

 

Can you confirm that once an ISE server is involved in the WLAN configuration, the WLC config doesn't matter (authentication method and IP addressing)?

If there is any document explaining that, I'd be more than happy to read and understand it.

Thank you

10 Replies

marce1000 (VIP)

 

 - Basically, IP addressing 'resolving' is done through a DHCP (relay), as you mention. Specifying an ISE RADIUS server for the WLAN becomes the authentication method for clients; hence, being configured that way, any contradiction vanishes.

 M.



-- ''Good body every evening'' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Now I understand why the WLC config is not fully taken into consideration, as all the policies (from authentication methods to IP addressing / VLAN attribution) are configured in the ISE.

 

Thank you

Grendizer (Cisco Employee)

WLC and WLAN config does matter.

If the WLAN has Layer 2 security configured (in your case using ISE), then the client will not be able to get an IP address until the L2 authentication is done, while if the WLAN has L3 security configured, then the client will get the IP address first and then the auth will happen from ISE in your case.

DHCP proxy can be enabled on the WLC globally from CONTROLLER > Advanced > DHCP, or per interface from CONTROLLER > Interfaces > select the interface > DHCP Proxy mode.

If you disable proxy on the interface or globally, then you need the next-hop switch to have the ip helper-address command so it can forward the DHCP to the DHCP server.

ISE can be configured to return to the WLC the interface name or the VLAN number that the "authenticated" users need to be put on (this will need the WLAN to be configured with Allow AAA Override).

Hope that explains it all...

Hello Grendizer (nostalgic nickname :D)

Thank you for the explanation.

All the WLANs are L3 configured and pointing towards the ISE; all the interfaces have the default configuration when it comes to "DHCP proxy mode", so I assume it's disabled (I don't have access to the WLC right now). It might be the ISE that does that process. Here's my understanding: the machine should be part of the AD domain first, then the client uses their AD credentials, and the ISE decides where to put them based on policies already in place by the security team (which DHCP scope the IP address should be taken from, etc.).

I noticed that there are some interfaces created in the WLC which have the same scope as the authenticated users (but those interfaces are not the ones used in the WLAN the users connect from). That's why my thought was that the ISE maybe overrides which DHCP scope the user should take its IP from (as you said, it defines the VLAN for the users, so they will take IPs from the scope reserved for that VLAN).

You mentioned that "if the WLAN has L3 security configured then the client will get the IP address, then the auth will happen from ISE in your case", so, before reaching the ISE, where does the client get its IP from? I'm pretty sure it's not the WLC because, as I said before, the WLAN uses an interface with a DHCP scope different from the one the client actually uses.

One last note: indeed, all the WLANs have "Allow AAA Override" enabled.

Ok, because the client is using his/her AD credentials, the WLAN has to be configured as L2 security with 802.1X, so in that case, when ISE verifies that with the AD, it is possible to also send to the WLC the needed VLAN or interface the user should be on.
To your question regarding the L3 WLAN security, the client will get the IP from the WLAN interface, but I doubt that's what's happening in your case since you're seeing those clients getting IP addresses different from the WLAN interface/VLAN.
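The two replies above (the L2-before-DHCP vs. L3-after-DHCP ordering, and ISE returning a VLAN or interface name that the WLC honours only with "Allow AAA Override") describe a mechanism that is easy to check with a small model. The following is an added example, not code from this thread, from Cisco, or from any WLC/ISE product: it models the WLC's placement decision as a plain function over a constructed WLAN definition and a RADIUS Access-Accept attribute set. The attribute names and values follow RFC 2868 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID) and the Cisco Airespace VSA Airespace-Interface-Name; the `Wlan` structure, the function names and the sample values are assumptions of this example.

```python
# Added example, not from the thread or from Cisco: a model of where a WLC places
# a wireless client when the WLAN authenticates to ISE and "Allow AAA Override"
# may let ISE's RADIUS reply override the WLAN's own interface/VLAN.
from dataclasses import dataclass
from typing import Tuple

TUNNEL_TYPE_VLAN = 13       # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 2868 Tunnel-Medium-Type value "IEEE-802"


@dataclass
class Wlan:
    name: str
    interface: str            # dynamic interface the WLAN is mapped to on the WLC
    interface_vlan: int       # VLAN (and so the DHCP scope) behind that interface
    security: str             # "L2" (802.1X to ISE) or "L3" (web auth / portal)
    allow_aaa_override: bool = False


def auth_sequence(wlan: Wlan) -> list:
    """Order of events for a client on this WLAN, as the thread describes it:
    L2 security authenticates before DHCP, L3 security only after the client
    already holds an address from the WLAN interface's scope."""
    if wlan.security == "L2":
        return ["associate", "802.1X auth via ISE", "DHCP", "run"]
    if wlan.security == "L3":
        return ["associate", "DHCP", "web auth via ISE", "run"]
    raise ValueError(f"unknown security type {wlan.security!r}")


def placement(wlan: Wlan, access_accept: dict) -> Tuple[str, str]:
    """Return (where_the_client_lands, reason).

    where_the_client_lands is 'vlan <n>' or 'interface <name>'. The client then
    takes its IP from the DHCP scope of that VLAN/interface, which is why the
    address seen on the client can differ from the WLAN interface's subnet."""
    default = (f"interface {wlan.interface}", "WLAN interface")
    if not wlan.allow_aaa_override:
        # Without AAA Override the WLC ignores VLAN/interface attributes from ISE
        return default
    # Cisco VSA: ISE names a dynamic interface that must already exist on the WLC
    iface = access_accept.get("Airespace-Interface-Name")
    if iface:
        return (f"interface {iface}", "Airespace-Interface-Name from ISE")
    # Standard VLAN assignment needs all three Tunnel attributes to agree
    if (access_accept.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and access_accept.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE_802):
        group_id = str(access_accept.get("Tunnel-Private-Group-ID", "")).strip()
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:
            return (f"vlan {int(group_id)}", "Tunnel-Private-Group-ID from ISE")
    # Absent or malformed attributes: the WLAN's own interface applies
    return default


# Constructed sample: corporate WLAN mapped to VLAN 100, ISE answers with VLAN 200
CORP = Wlan("CORP", "vlan100-corp", 100, "L2", allow_aaa_override=True)
ISE_ACCEPT = {
    "Tunnel-Type": 13,
    "Tunnel-Medium-Type": 6,
    "Tunnel-Private-Group-ID": "200",
}

if __name__ == "__main__":
    print(auth_sequence(CORP))
    print(placement(CORP, ISE_ACCEPT))
    # Same reply, but the WLAN lacks "Allow AAA Override": client stays on VLAN 100
    print(placement(Wlan("CORP", "vlan100-corp", 100, "L2"), ISE_ACCEPT))
```

Running the block prints the L2 event order, then `('vlan 200', 'Tunnel-Private-Group-ID from ISE')` for the override-enabled WLAN and `('interface vlan100-corp', 'WLAN interface')` for the same reply on a WLAN without AAA Override; the out-of-range check on the group ID shows why an override that the WLC cannot apply silently leaves the client on the WLAN's default interface, which is worth verifying on the controller rather than assuming from the ISE policy alone.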

Ok, thank you. I have one last question if you don't mind: do the FlexConnect ACLs have any impact on this ISE deployment? As far as I know, FlexConnect is used to route data traffic at the nearest end, instead of routing everything to the WLC and then to the destination. Based on the above detailed scenario, since all the policies are managed by the ISE, do you think the FlexConnect ACLs still do something? I don't think so.

Thank you

It's really hard to say without seeing the whole picture. Maybe they are using a local split ACL, which controls what traffic is locally or centrally switched per WLAN, so maybe it is needed after all....

All the APs are in the same AP group and have FlexConnect enabled on them; I just don't know what the FlexConnect ACLs stand for here (?)

Well, thank you for all the answers, I'll rate them all of course.

 

You made me think now of another possibility: you may have a WLAN with L3 auth that uses the ISE portal so users can type the AD username/password; in that case the IP address the client gets will be from the WLAN interface, or in the case of FlexConnect, the local site subnet.

I guess the Flex ACL that's being used is to determine which traffic is local and what traffic needs to be sent to the WLC.

Before answering, I noticed no L3 is configured in any of the WLANs (production and guest WLANs), only L2 and an AAA server defined (ISE).

 

"You may have a WLAN with L3 auth that uses the ISE portal so users can type the AD username/password": that's partially correct. This is the workflow, but without L3 auth: they're sent to ISE, ISE first verifies whether the machine used is in the domain, and verifies the credentials of the user afterwards. No portal is in place for the production WLAN, just AD credentials. Guest users need a generated portal username and password (generated by the ISE admin); the lobby admin of the WLC does nothing here as well.

"In that case the IP address the client gets will be from the WLAN interface": if you mean the interface the WLAN is using, that's not the case; the interface is in a different subnet from the one attributed to the client once authenticated.

"I guess the Flex ACL that's being used is to determine which traffic is local and what traffic needs to be sent to the WLC": this is the part I'm missing. Those ACLs existed before the deployment of the ISE; now that ISE is there, I think it has all the policies needed and the FlexConnect ACLs are irrelevant. Based on the authenticated user, the ISE will place that client in a VLAN and give DHCP info on where they should get the IP from (of that VLAN, of course). Since I have no access to ISE, I'm afraid of making wrong assumptions and saying that those ACLs are irrelevant. All the WLANs, by the way, have an AAA server (ISE) defined and no L3 config.
