Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE WLC Integration issues

We are in the process of integrating ISE into our WLC and are planning on implementing HReap (Flexconnect) local switching.  We have setup the ISE server as a Radius entry in the WLC and added WLC to ISE, same shared secret.  We have a test SSID configured on the WLC and it is using the entry to ISE for AAA.  We have used "none" for layer 2 security as well as WPA.......but we never see any activity on the ISE server.  Also from the WLC if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.

(Cisco Controller) >show radius auth sta

Authentication Servers:

<Output Ommited>

Server Index..................................... 4

Server Address................................... IP ADDRESS OF ISE

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 0

Retry Requests................................... 0

Accept Responses................................. 0

Reject Responses................................. 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

We have integrated ISE with swtich and ASA and have always been able to get some activity on the ISE authentication monitor.

Thanks,

Joe

7 REPLIES
New Member

ISE WLC Integration issues

I suggest going to the following website and checking out the Universal wireless configuration

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf

If you are trying to authenticate users using username/password or certificates then the most likely issue based on how you are describing your configuration is that the Layer2 Security needs to not only be set for WPA or WPA2, but you also need to have the 802.1x checkbox enabled.  See page 15 of the document

ISE WLC Integration issues

What are you trying to accomplish? User authentication? Dynamic VLAN?

New Member

Re: ISE WLC Integration issues

I installed the vWLC and now I am able to get authentication attempts to the ISE. I am not sure if the issue was out production version running 7.0.X. We are wanting to deploy Locally switched Flexconnect. I understand that you can't do Dacl's with locally switched flexconnect but you can change VLAN and attribute that to a Flexconnect ACL, is this correct?

I am also interested in the LDAPS, I have successfully integrated non secure LDAP without issue. We potentially will be integrating/authenticating with several LDAP instances and want to make sure we are able to do it securely.

Thanks,


Sent from Cisco Technical Support iPad App

New Member

Re: ISE WLC Integration issues

Wireless will not do dACLs with or without FlexConnect.  In centrally switched networks you can use Named ACLs which are differnt than dACLs.  

But you are correct with FlexConnect (pre-7.5*) you can use FlexConnect ACLs tied to the VLAN.  Then you can use ISE to set the VLAN.

*As of 7.5 version of code you can now user named ACLs on Locally Switched users, but it is still a named ACL and not a dACL.

From the release notes

"

In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.

In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.

"

There are some other limitations when using FlexConnect that you should be aware about.

This guide will show you how to use Centrally Authenticated with Locally Switched

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml

This document will show you the feature matrix for ISE and FlexConnect

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml

If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration.  If you not using AD then the issue with the Secure LDAP is probably related to the CA certificate not being installed correctly. 

New Member

Re: ISE WLC Integration issues

We hope to be using ISE to authenticate multiple customers for a wireless solution. From what I understand you can only integrate ISE with one AD. We could potentially have over 100 different LDAP instances that we will have to leverage. We haven't tested the LDAPS, I am still trying to find good documentation on the deployment of it.

Sent from Cisco Technical Support iPhone App

New Member

Re: ISE WLC Integration issues

You can authenticate to multiple LDAP sources, but keeping them separate could be difficult especially if you have overlapping IP address structures. 

Make sure you follow the following design guide to integrate into multiple AD domains.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

ISE is not designed for multi-tenancy.  I do not know what the maximum number of supported LDAP servers is, but I do not believe that you will be able to reliably use 100 different sets of ldap servers.  I personally would run each of the different tenants in their own instance.  The Authz rules alone would easily become very large very quickly even with very simple policies. 

Outside of keeping everything strait every AuthZ for tenant 100 would first need to be checked against the first 200+non matching Authz rules before a matching AuthZ was found.  This increases the time to process.  It may work in a lab environment but when you start pushing real live authentications through this very large policy you may see performance decrements.  I would verify this design with the ISE BU before attempting to deploy this design.

New Member

Re: ISE WLC Integration issues

Thanks for the information, I will get with out account team and have them fun it by the BU. Running a separate instance for each customer doesn't seem coat effective.

Sent from Cisco Technical Support iPhone App

644
Views
0
Helpful
7
Replies