03-17-2015 04:23 PM - edited 03-10-2019 10:33 PM
Hello all. I just implemented ISE 1.3 at a customer site. Added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created two SSIDs, corp and guest.
For corp I configured WPA2 and AES and forwarded RADIUS requests to my 2 ISE node PSN interfaces.
For the guest I configured MAC filter with advanced features AAA override and RADIUS NAC, per Cisco's documents.
The corp forwards RADIUS requests to ISE, the guest does not. I get nothing from the guest.
I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
Any help will be much appreciated.
03-20-2015 01:34 AM
Allow clients by <access_accept> when they are not found, also RADIUS server has RFC 3576 (CoA) enabled
03-26-2015 12:33 PM
Like another person previously mentioned, it looks like you missed the following on the WLC:
Security --> RADIUS --> Authentication --> Server Index (the RADIUS server used for the CWA process configured on the Guest SSID) --> Support for RFC 3576 --> Enabled.
04-29-2015 08:03 AM
This issue has been resolved. The issue was that for the guest SSID, MAC filtering was enabled as required, but they had the test PCs on a MAC filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired.