I am facing a problem with profiling of workstations over the wireless network, as ISE is marking these workstations as 'Unknown'. Whereas if I connect the same workstation using a wired connection, it gets profiled in the right category.
Profiling for the wireless network was working fine initially, but as soon as I pointed AAA towards ISE in the employee SSID, ISE started marking any new workstation as 'Unknown'. Before enabling AAA in the WLAN (SSID) the profiling was working fine using the 'Radius NAC' setting in the advanced tab of the same SSID. Because of the unknown category, the workstation gets an authorization rejection as per the authorization policy.
I have another query regarding enabling 'web authentication proxy' on the Cisco WLC. I have a guest wireless setup using a dedicated anchor controller, and ISE is providing the guest sponsor and guest portal services. So when a guest user comes in and the user already has some proxy configured in the browser, URL redirection for the guest portal doesn't work and the guest user must remove the proxy.
So this requires someone to engage with the guest user, but the client wants this process to be automatic. I have gone through following document,
What version of code are you running on your controller? Also are you performing dhcp proxy at the controller or are you passing the dhcp requests through and up to the svi? With the recent release of code you can perform dhcp profiling but this depends on your current code version.
Also for your web authentication - this seems to be a setting to perform web authentication proxy if it were local to the controller. How are the guests' proxy settings being provisioned? If the proxy settings are provisioned by the user while they were on a separate network then I do not see an easy workaround and this doesn't seem to be an ISE issue. It's a basic problem that your customer should understand that doesn't fall within the scope of the design.
WLC version is 184.108.40.206 and DHCP proxy is enabled however their primary DHCP scope is on a dedicated DHCP server and they have ip-helper address for this server on the SVI. But they also have DHCP scope configured on WLC as a backup as they had some issues with DHCP server and now they can change ip-helper address towards WLC in case of problem with DHCP server.
So for proxy settings, they should ask the guest user not to have any proxy so that redirection works properly, and once the guest user gets authenticated he/she should use the client's proxy to browse the internet, or else bypass the proxy for guest users? What is your recommendation?
Not a problem. The reason your profiling is failing for wireless users is that the profiling information for DHCP isn't hitting the ISE nodes. For the wired devices, are you using the DHCP probe to profile the users? If so, then your issue is with the DHCP proxy setting on the controller. Even though you have the ip helper statement on the SVI, essentially your controller is proxying the DHCP broadcasts from the client straight to the DHCP server, so even if you enable the ip helper statements on the SVI for the ISE nodes it will not work.
You are correct for the guests; typically if a guest has enabled proxy settings before, they should know that they should probably disable this setting when they connect to a new network.
Also I cannot remember, but aren't the proxy settings configured under the network settings tab? Meaning the only time you would experience this issue is if the SSID you are broadcasting is the same as the SSID they have connected to previously?
On ISE all common profiling probes are enabled, like DHCP, SNMP, Radius, DNS etc., so I believe this setting is global for both wired and wireless users. Similarly, switches are configured with ip-helper address for ISE, SNMP, Radius parameters, and the WLC is also configured with SNMP, Radius etc.
As I mentioned in the first post, profiling of wireless devices was working fine till I changed the 'AAA' tab settings to reflect ISE nodes as authentication server.