08-21-2022 12:32 PM - edited 08-21-2022 12:32 PM
Hi everybody.
I have WLC 9800 (17.3.3, 17.3.5b, 17.6.3) and ISE 2.7 and Windows clients.
Authorization in the ISE occurs using PEAP-TLS (EAP-TLS + MS-CHAP v2).
There are 2 different rules configured on the ISE side.
When connected, the computer is subject to Rule No. 1 with a specific ACL. After entering the username and password, the user should get a different ACL list according to a different rule, but this does not happen. On the ISE side, I see the correct identification, but the second policy does not apply. Everything works correctly on the WLC 8540. Has anyone encountered a similar problem?
08-21-2022 03:13 PM
When connected, the computer is subject to Rule No. 1 with a specific ACL. After entering the username and password, the user should get a different ACL list according to a different rule, but this does not happen. On the ISE side, I see the correct identification, but the second policy does not apply.
What rule does the user get applied? (Or does the user not get any policy applied at all?)
What client device?
What do you see in the logs in ISE?
08-21-2022 06:30 PM - edited 08-21-2022 06:32 PM
Your description is not very clear, remember “problem well stated is problem half solved”, so try again.
Let me rephrase what I understood. You are using PEAP-EAP-TLS instead of just EAP-TLS or PEAP, your authentication is successful, but during authorization the correct dynamic ACL is not getting enforced by ISE on the clients, because of which the clients do not get the correct permissions. Is this the correct problem statement?
Since it's wireless, the ACL name is pushed through ISE but the ACL itself exists on the controller with the exact same name, so share your policy details, ACL details and failed ISE log details. If your authentication is successful, I can rule out client (supplicant) misconfiguration.
08-21-2022 10:28 PM
Sounds like a CoA issue.
Do you have the ACL defined on the 9800 WLC? It has to match what ISE is sending.
Also, it is mandatory that you enable AAA override and NAC state in the policy profile. Refer to the document below for more info.
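The configuration the reply above describes, as an added example that is not the poster's or the replier's own configuration: the ACL names, the policy profile name, the ISE address and the shared key are placeholders chosen for illustration. The point it shows is that the 9800 resolves the ACL returned by ISE purely by local name, so both ACLs must exist on the controller, the policy profile must have `aaa-override` and `nac` set, and the controller must accept CoA from ISE so the second rule can be pushed after the user logon.

```cisco
! Added example (placeholder names and addresses, not the poster's config).
! Rule 1 ACL: returned by ISE for the machine-authenticated session.
ip access-list extended PRE_AUTH_ACL
 remark Rule 1: machine auth, restricted access (constructed example)
 permit udp any any eq domain
 permit ip any host 10.0.0.10
 deny   ip any any
!
! Rule 2 ACL: returned by ISE after the user logon. The name must match
! the value ISE sends character for character.
ip access-list extended USER_ACL
 remark Rule 2: user auth, broader access (constructed example)
 permit ip any any
!
! The policy profile bound to the WLAN must let ISE override local
! settings and must have NAC enabled, otherwise the second rule's ACL
! is accepted on the ISE side but never applied on the controller.
wireless profile policy CORP_POLICY
 aaa-override
 nac
 no shutdown
!
! The change from Rule 1 to Rule 2 arrives as a RADIUS CoA from ISE;
! the controller has to be configured to accept it from the PSN.
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISE_SHARED_SECRET_PLACEHOLDER
 auth-type any
!
! Verification (exec mode): check which ACL the session carries now and
! that both ACLs exist locally under the exact names ISE returns.
! show wireless client mac-address <client-mac> detail
! show access-lists PRE_AUTH_ACL
! show access-lists USER_ACL
```

If the session still shows the Rule 1 ACL after the user logon, compare the ACL name in the ISE authorization result with `show access-lists` output on the controller and confirm the CoA from ISE is accepted (a CoA rejected for a key or client-address mismatch leaves the session on the original authorization).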
08-21-2022 11:40 PM
- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183
M.