
WLC 5508 Airos 8.2.170 AAA with ISE 3.0

ifabrizio
Level 1

Dear All,

In a test environment, I'm setting up EAP-TLS client authentication and authorization using DACL.
Authentication works, although I haven't yet configured DTLS to secure the RADIUS protocol communication between the WLC and ISE. My first question is:

Does WLC 8.2 version support ECC encrypted certificates?

During the authorization phase, the DACL is not downloaded on the WLC, and ISE, while successfully authenticating the client, does not increment the counter of active clients.

Second question:

Could this be caused by the fact that on the WLC I haven't yet configured the RADIUS attributes like 6, 8 and 25? If yes, how can I do it?

Bye,

JF.


Accepted Solutions

 

- Check this info: https://community.cisco.com/t5/wireless/wireless-authentication-and-dacls/m-p/3851304#M18913

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


4 Replies

marce1000
VIP

 

> ...Does WLC 8.2 version support ECC encrypted certificates?

For starters, for testing and/or all use cases, consider that both the 5508 and 8.2.x are old; use https://software.cisco.com/download/home/282600534/type/280926587/release/8.5.182.0 (https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html)

Depending on the outcome and business requirements, you may want to migrate to the new 9800 controller platform(s). You may, for instance, deploy a virtual 9800 for testing.

 M.




Hi Marce,

Thank you for your reply.

Yes I know I am working on old WLC and release. We had planned to change it two years ago.

But the pandemic events have changed our plans. Anyway, I have already ordered two new WLC 9840; in the meantime I need to try to work with the old stuff.

I have implemented a double-head 2-tier CA: one head works with the ECC certificates and the other with the RSA. If the 5508 doesn't support the ECC, I can try to use the RSA.

Now the authentication is working, but the authorization is not working: the DACL is not downloaded on the WLC. Do you have any idea about this issue?

Bye,

JF.

 

- Check this info: https://community.cisco.com/t5/wireless/wireless-authentication-and-dacls/m-p/3851304#M18913

 M.




Rich R
VIP

1. Do NOT use 8.5.182.0 if you decide to upgrade - it will leave your IOS APs in an endless boot loop as per field notice below. If you decide to upgrade then use 8.5.182.7 (link below too).

2. As ECC certs are quite new I doubt that 8.2 will support them.  I see no mention in the docs.

3. See https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/compatibility_doc/b_ise_sdt_30.html#ciscowlcs

Note

Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs.

So you can configure the named ACL on the WLC and then send the ACL name from ISE, but you can't send the ACL.
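
The named-ACL approach described above, sketched as an added example (not part of the original posts and not taken from Cisco's documentation): the ACL is defined locally on the WLC with the AireOS CLI, AAA override is enabled on the WLAN, and the ISE authorization profile returns only the ACL's name. The ACL name `EMPLOYEE_ACL`, WLAN ID `1` and the subnet 10.10.10.0/24 are constructed placeholders.

```text
# WLC side (AireOS CLI). Lines starting with # are annotations, not commands.
# EMPLOYEE_ACL, WLAN ID 1 and 10.10.10.0/24 are constructed placeholders.

# 1. Create the named ACL on the controller itself.
config acl create EMPLOYEE_ACL

# 2. WLC ACLs are not stateful and end with an implicit deny, so both
#    directions of the permitted flow are listed explicitly.
config acl rule add EMPLOYEE_ACL 1
config acl rule action EMPLOYEE_ACL 1 permit
config acl rule destination address EMPLOYEE_ACL 1 10.10.10.0 255.255.255.0

config acl rule add EMPLOYEE_ACL 2
config acl rule action EMPLOYEE_ACL 2 permit
config acl rule source address EMPLOYEE_ACL 2 10.10.10.0 255.255.255.0

# 3. Commit the ACL so the controller can apply it to clients.
config acl apply EMPLOYEE_ACL

# 4. Allow the WLAN to accept per-client attributes returned by RADIUS.
config wlan aaa-override enable 1

# 5. Verify: the ACL exists, and an authenticated client shows it applied.
show acl summary
show client detail <client-mac>

# ISE side (authorization profile): return the ACL name only, not ACL contents.
# The name must match the ACL defined on the WLC.
Airespace-ACL-Name = EMPLOYEE_ACL
```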
