We are in the process of integrating ISE into our WLC and are planning on implementing HReap (FlexConnect) local switching. We have set up the ISE server as a RADIUS entry in the WLC and added the WLC to ISE, same shared secret. We have a test SSID configured on the WLC and it is using the entry to ISE for AAA. We have used "none" for Layer 2 security as well as WPA, but we never see any activity on the ISE server. Also from the WLC if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.
(Cisco Controller) >show radius auth sta
Server Index..................................... 4
Server Address................................... IP ADDRESS OF ISE
If you are trying to authenticate users using username/password or certificates then the most likely issue, based on how you are describing your configuration, is that the Layer 2 Security needs to not only be set for WPA or WPA2, but you also need to have the 802.1X checkbox enabled. See page 15 of the document.
I installed the vWLC and now I am able to get authentication attempts to the ISE. I am not sure if the issue was our production version running 7.0.X. We are wanting to deploy locally switched FlexConnect. I understand that you can't do dACLs with locally switched FlexConnect but you can change VLAN and attribute that to a FlexConnect ACL, is this correct?
I am also interested in the LDAPS, I have successfully integrated non secure LDAP without issue. We potentially will be integrating/authenticating with several LDAP instances and want to make sure we are able to do it securely.
In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.
In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
There are some other limitations when using FlexConnect that you should be aware of.
This guide will show you how to use Centrally Authenticated with Locally Switched
If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration. If you are not using AD then the issue with the Secure LDAP is probably related to the CA certificate not being installed correctly.
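To make the "client ACL returned from AAA as an Airespace RADIUS attribute" mechanism concrete, here is an added example (not from this thread or from Cisco) that parses a constructed RADIUS Access-Accept attribute list, pulls out the Airespace interface (VLAN) and ACL names, and checks that the named ACL actually exists on the FlexConnect AP, since the AP cannot apply an ACL it does not have. The vendor ID 14179 and the vendor-type numbers 5 and 6 are taken from the Cisco Airespace RADIUS dictionary as assumed here; they do not appear on the page.

```python
import struct

RADIUS_ATTR_VSA = 26              # RFC 2865 Vendor-Specific attribute
AIRESPACE_VENDOR_ID = 14179       # assumption: Cisco Airespace vendor ID from the Airespace dictionary
AIRESPACE_INTERFACE_NAME = 5      # assumption: Airespace-Interface-Name (dynamic interface / VLAN)
AIRESPACE_ACL_NAME = 6            # assumption: Airespace-ACL-Name (per-client ACL)


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Encode one Airespace VSA: type 26, length, vendor ID, then vendor-type/vendor-length/value."""
    payload = value.encode()
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    return struct.pack("!BBI", RADIUS_ATTR_VSA, 6 + len(vendor_part), AIRESPACE_VENDOR_ID) + vendor_part


def parse_airespace_attrs(blob: bytes) -> dict:
    """Walk a RADIUS attribute list and return {vendor_type: value} for Airespace VSAs only."""
    found, pos = {}, 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_ATTR_VSA and alen >= 8:
            vendor_id = struct.unpack("!I", blob[pos + 2:pos + 6])[0]
            if vendor_id == AIRESPACE_VENDOR_ID:
                vpos = pos + 6
                while vpos < pos + alen:          # a VSA may carry several vendor sub-attributes
                    vtype, vlen = blob[vpos], blob[vpos + 1]
                    if vlen < 2 or vpos + vlen > pos + alen:
                        raise ValueError("malformed vendor sub-attribute length")
                    found[vtype] = blob[vpos + 2:vpos + vlen].decode()
                    vpos += vlen
        pos += alen
    return found


def flexconnect_client_policy(attrs: dict, ap_acls: set) -> dict:
    """VLAN is taken as returned; the client ACL is usable only if that name is present on the AP."""
    acl = attrs.get(AIRESPACE_ACL_NAME)
    return {
        "vlan": attrs.get(AIRESPACE_INTERFACE_NAME),
        "acl": acl if acl in ap_acls else None,
        "acl_missing_on_ap": acl is not None and acl not in ap_acls,
    }


# Constructed Access-Accept attribute list: Session-Timeout (27) followed by two Airespace VSAs.
SAMPLE_ACCEPT = (struct.pack("!BBI", 27, 6, 3600)
                 + encode_vsa(AIRESPACE_INTERFACE_NAME, "guest-vlan")
                 + encode_vsa(AIRESPACE_ACL_NAME, "GUEST-ACL"))

if __name__ == "__main__":
    print(flexconnect_client_policy(parse_airespace_attrs(SAMPLE_ACCEPT), ap_acls={"GUEST-ACL"}))
```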
We hope to be using ISE to authenticate multiple customers for a wireless solution. From what I understand you can only integrate ISE with one AD. We could potentially have over 100 different LDAP instances that we will have to leverage. We haven't tested the LDAPS, I am still trying to find good documentation on the deployment of it.
ISE is not designed for multi-tenancy. I do not know what the maximum number of supported LDAP servers is, but I do not believe that you will be able to reliably use 100 different sets of LDAP servers. I personally would run each of the different tenants in their own instance. The AuthZ rules alone would easily become very large very quickly even with very simple policies.
Outside of keeping everything straight, every AuthZ for tenant 100 would first need to be checked against the first 200+ non-matching AuthZ rules before a matching AuthZ was found. This increases the time to process. It may work in a lab environment but when you start pushing real live authentications through this very large policy you may see performance decrements. I would verify this design with the ISE BU before attempting to deploy this design.