We are also evaluating/deploying ISE, since ISE is not in the pathway of client traffic from a wireless lan controller, how do we do dhcpspan, do we disable dhcp proxy on the controller, add helper address on the nearest router and include the ISE address in the helper address list?
For example: if interface vlan 100 is where clients on a particular ssid are placed after validation:
You are on the right path, however the latest WLC code 7.2.110 has the dhcp profiling built in so it sends some of that information in the radius packet. Also 7.3 adds the http profiling features and is configurable in the advanced submenu in the security section where you enable AAA override and Radius NAC.
I am deploying ISE for the first time, I have around 100 sites ( I only use ISE+WLC 7.3, NO WIRED).
It's good to forward all dhcp request to ISE with IP-HELPERS before deploying.
This is what I did with one of my sites and I had no problem when they switched over as 90% of devices were already profiles using dhcp probe
Hope to help.
P.s note that WLC 7.3 does send first http packet to ISE but only if you opened up safari first after authentication, if you opened any other application that uses http protocol it will send weird strings to ise, ie VIBER and so on.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...