WLC 9800 AAA issue

malkovich072
Level 1

Hi everybody.
I have WLC 9800 (17.3.3, 17.3.5b, 17.6.3) and ISE 2.7 and Windows clients.
Authorization in the ISE occurs using PEAP-TLS (EAP-TLS + MS-CHAP v2).
There are 2 different rules configured on the ISE side.
When connected, the computer is subject to Rule No. 1 with a specific ACL. After entering the username and password, the user should get a different ACL list according to a different rule, but this does not happen. On the ISE side, I see the correct identification, but the second policy does not apply. Everything works correctly on the WLC 8540. Has anyone encountered a similar problem?

4 Replies

balaji.bandi
Hall of Fame
When connected, the computer is subject to Rule No. 1 with a specific ACL. After entering the username and password, the user should get a different ACL list according to a different rule, but this does not happen. On the ISE side, I see the correct identification, but the second policy does not apply.

What rule does the user get applied? (Or does the user not get any policy applied at all?)

What client device?

What do you see in the logs in ISE?

BB


ammahend
VIP

Your description is not very clear; remember, "a problem well stated is a problem half solved", so try again.
Let me rephrase what I understood. You are using PEAP-EAP-TLS instead of just EAP-TLS or PEAP, your authentication is successful, but during authorization the correct dynamic ACL is not getting enforced by ISE on the clients, because of which the clients do not get the correct permissions. Is this the correct problem statement?

Since it's wireless, the ACL name is pushed through ISE but the ACL itself exists on the controller with the exact same name, so share your policy details, ACL details and failed ISE log details. If your authentication is successful, I can rule out client (supplicant) misconfiguration.

-hope this helps-

Arshad Safrulla
VIP Alumni

Sounds like a COA issue.

Do you have the ACL defined on 9800 WLC? It has to match what ISE is sending.

Also, it is mandatory that you enable AAA override and NAC state in the policy profile. Refer to the document below for more info.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html
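As an added illustration of the checks raised in the two replies above (the ACL must exist on the controller under the exact name ISE returns, AAA override and NAC must be on in the policy profile, and the 9800 must accept CoA from ISE), here is the corresponding IOS-XE CLI on a Catalyst 9800. This is example configuration written for this thread, not the poster's configuration or anything from the linked Cisco document; the ISE address, shared key, ACL names, policy-profile name and MAC address are placeholders.

```cisco
! Added example, not the poster's config. Placeholders: ISE node 192.0.2.10,
! shared key RADIUS-KEY-PLACEHOLDER, ACLs PRE-LOGIN-ACL / USER-ACL,
! policy profile CORP-POLICY.

! 1. The ACLs must exist on the 9800 under exactly the names ISE returns
!    in the Airespace-ACL-Name attribute. ISE only sends the name; if no
!    ACL with that name exists here, the override is silently not applied.
ip access-list extended PRE-LOGIN-ACL
 10 permit udp any any eq domain
 20 permit ip any host 192.0.2.10
 30 deny ip any any
ip access-list extended USER-ACL
 10 permit ip any any

! 2. Accept RADIUS Change-of-Authorization from ISE. Without this entry the
!    CoA that should move the client from rule 1 to rule 2 is discarded and
!    the first ACL stays in place.
aaa server radius dynamic-author
 client 192.0.2.10 server-key RADIUS-KEY-PLACEHOLDER

! 3. Policy profile: aaa-override lets RADIUS attributes replace the
!    profile's own settings, nac enables CoA processing for the clients
!    on this profile. An in-use profile has to be shut before editing,
!    which disconnects its clients, so do this in a maintenance window.
wireless profile policy CORP-POLICY
 shutdown
 aaa-override
 nac
 no shutdown

! 4. Verification after a test logon (placeholder MAC): the "Server Policies"
!    section of the client detail shows which ACL the controller applied.
! show wireless client mac-address aaaa.bbbb.cccc detail
! show aaa servers
```

If the ACL name shown for the client after logon is still the pre-login one, compare the name in the ISE authorization result with `show ip access-lists` on the controller character for character, and check the ISE live log for a failed or unanswered CoA before looking any further at the authorization rules themselves.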

marce1000
VIP

- FYI https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'