12-17-2018 01:57 PM - edited 07-05-2021 09:36 AM
We're having two strange issues related to integrating 8540 WLCs in an SSO to a pair of HA ISE for AAA. This configuration was "ported" from a WiSM2 to the 8540... all IP addresses that were active on the WiSM2 are active on the 8540.
1) When we display Security>AAA>RADIUS>Authentication, there is a space for an "*" between the service index and the server IP address. That * is not displayed for the primary ISE but is displayed for the secondary ISE. What does that * indicate?
2) When troubleshooting an SSID that is defined with the ISE to be redirected to the ISE guest portal, we are seeing the ISE show that the NAS IPv4 Address is bound to the service port on the 8540, and not the management port as expected. Is there a way to bind that request specifically to the management port?
Thanks.
12-19-2018 06:16 PM
Hi,
1) When we display Security>AAA>RADIUS>Authentication, there is a space for an "*" between the service index and the server IP address. That * is not displayed for the primary ISE but is displayed for the secondary ISE. What does that * indicate?
The * means ISE server and WLC reachability.
2) When troubleshooting an SSID that is defined with the ISE to be redirected to the ISE guest portal, we are seeing the ISE show that the NAS IPv4 Address is bound to the service port on the 8540, and not the management port as expected. Is there a way to bind that request specifically to the management port?
You added the WLC to the ISE as a client, right? Which IP did you use? Looks like it is talking to the WLC through the service port.
-If I helped you somehow, please, rate it as useful.-
12-20-2018 09:28 AM
Thanks for your response, Flavio.
1) The * is on sometimes, and off sometimes. No firewall is between the WLC and ISE.
2) More importantly, the WLC management IP is defined to the ISE, not the SP IP. The problem is that the ISE log/messages showing the authentication rejection show that the request is coming from the SP port on the WLC.
Would this have anything to do with SSO? We have a single 8540 defined to the ISE at another data center that has no problems. We have had two other WiSM2s defined to ISE with no problems. All were running the same 8.2.170.0 firmware. As a matter of fact, this 8540-SSO replaced one of the WiSM2s running the same configuration with the same IPs (with the exception of the SP).
Any ideas?
12-22-2018 02:19 PM
I've never seen this before in SSO. Do you have routes defined on the WLC? It doesn't make any sense for the packets to go out from the SP.
-If I helped you somehow, please, rate it as useful.-