ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0

west33637 · ‎03-17-2015

Hello all. I just implemented ISE 1.3 at a customer site. added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created to SSIDs, corp and guest.

For corp I configured WPA2 and AES and forwarded Radius requests to my 2 ISE node PSN interfaces

For the guest I configured MAC filter with advanced features AAA overide and Radius NAC - per Cisco's documents

The corp forwards Radius requests to ISE, the guest does not. I get nothing from the guest.

I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.

Any help will be much appreciated.

Saurav Lodh · ‎03-20-2015

allow clients by < access_accept> when they are not found , also RADIUS server has RFC3576 (CoA) enabled

ajc · ‎03-26-2015

Like another person previously mentioned. Looks like you missed the following on the WLC:

Security -- > Radius --- > Authentication --- > Server Index (The radius server used for the CWA process configured on Guest SSID) --- > Support for RFC 3576 -- > Enabled.

west33637 · ‎04-29-2015

This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.

Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired.