cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4313
Views
0
Helpful
2
Replies

WLC, FlexConnect, ISE: Dynamic VLAN not working

Hi,

Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.

Equipment:

WiSM2 7.2.111.3

ISE 1.1.1.268

AP 3502 in FlexConnect

What I want to achive:

One SSID, multiple VLAN

Devices gets profiled in ISE and based on type of device it gets asigned to a VLAN

Problem:

When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.

WLC config (I know you like images so here you go

Interface.jpg

WLAN1.jpg

WLAN2.jpg

WLAN3.jpg

WLAN4.jpg

WLAN5.jpg

AP_group.jpg

AP_FC1.jpg

AP_FC2.jpg

I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.

In ISE I have an Authorization Profile that just say VLAN ID/Tag 158 (the VLAN that the device should go to) an it is added to the Authorization rule of the profiled device. CoA is set to Reauth.

When the client connects I get three events in ISE:

1.

Authentication failed :

22056 Subject not found in the applicable identity store(s)

2. Authentication Success. With the results:

UserName=00:18:DE:A2:BC:3A

User-Name=00-18-DE-A2-BC-3A

State=ReauthSession:c20e8b2f0000027e50ed27f8

Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335

Termination-Action=RADIUS-Request

Tunnel-Type=(tag=1) VLAN

Tunnel-Medium-Type=(tag=1) 802

Tunnel-Private-Group-ID=(tag=1) 158

cisco-av-pair=profile-name=AX-Intel-Device

3.

Dynamic Authorization failed :

11213 No response received from Network Access Device

Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?

Regards,

Philip

1 ACCEPTED SOLUTION

Accepted Solutions
wesleyterry
Participant

I think you're hitting CSCua58554

The bugtoolkit description is horrible....  From what I recall when I ran into it, I believe that Flex connect is having a problem with Mac filtering based AAA override on open wlans (and/or CWA based).  In general, AAA override works fine when it is from like an eap authentication.

We had to use a 7.3 ES to resolve it.....

Looks like it is implemented in 7.4 though.....     If you dont want to join the 7.4 bandwagon quite yet, you might could ask TAC for an ES of 7.3,  don't think they have a 7.2 build.

View solution in original post

2 REPLIES 2
wesleyterry
Participant

I think you're hitting CSCua58554

The bugtoolkit description is horrible....  From what I recall when I ran into it, I believe that Flex connect is having a problem with Mac filtering based AAA override on open wlans (and/or CWA based).  In general, AAA override works fine when it is from like an eap authentication.

We had to use a 7.3 ES to resolve it.....

Looks like it is implemented in 7.4 though.....     If you dont want to join the 7.4 bandwagon quite yet, you might could ask TAC for an ES of 7.3,  don't think they have a 7.2 build.

View solution in original post

Hi Wesley,

It seems you are right. I changed L2 security to WPA .1x and removed Mac filtering and then it worked.

I just used open auth and mac filter to test, since I had not configured .1x auth yet.

Too bad I spent countless hours of troubleshooting of my config and not checking for bugs

Regards,

Philip

Content for Community-Ad