
Profiling Problem & Web Authentication Proxy

rmujeeb81
Level 1

Dear All,

I am facing a problem with profiling of workstations over the wireless network, as ISE is marking these workstations as 'Unknown'. Whereas if I connect the same workstation using a wired connection, it gets profiled in the right category.

Profiling for the wireless network was working fine initially, but as soon as I pointed AAA towards ISE in the employee SSID, ISE started marking any new workstation as 'Unknown'. Before enabling AAA in the WLAN (SSID), the profiling was working fine using the 'Radius NAC' setting in the advanced tab of the same SSID. Because of the unknown category, the workstation gets an authorization rejection as per the authorization policy.

***************************

I have another query regarding enabling 'web authentication proxy' on the Cisco WLC. I have a guest wireless setup using a dedicated anchor controller, and ISE is providing the guest sponsor and guest portal services. So when a guest user comes in and the user already has some proxy configured in the browser, URL redirection for the guest portal doesn't work and the guest user must remove the proxy.

So this requires someone to engage with the guest user, but the client wants this process to be automatic. I have gone through the following document,

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b8a909.shtml

but I am not sure if this solution will also work if the guest portal service is through ISE instead of the WLC itself?

Thanks & Regards,

Mujeeb

6 Replies

rmujeeb81
Level 1

Dear All,

Kindly guide

Thanks

Hi,

What version of code are you running on your controller? Also, are you performing DHCP proxy at the controller, or are you passing the DHCP requests through and up to the SVI? With the recent release of code you can perform DHCP profiling, but this depends on your current code version.

Also, for your web authentication - this seems to be a setting to perform web authentication proxy if it were local to the controller. How are the guests' proxy settings being provisioned? If the proxy settings are provisioned by the user while they were on a separate network, then I do not see an easy workaround, and this doesn't seem to be an ISE issue. It's a basic problem that your customer should understand that doesn't fall within the scope of the design.

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your response.

WLC version is 7.0.220.0 and DHCP proxy is enabled however their primary DHCP scope is on a dedicated DHCP server and they have ip-helper address for this server on the SVI. But they also have DHCP scope configured on WLC as a backup as they had some issues with DHCP server and now they can change ip-helper address towards WLC in case of problem with DHCP server.

***************

So for proxy settings, they should ask the guest user not to have any proxy so that redirection works properly, and once the guest user gets authenticated he/she should use the client's proxy to browse the internet, or else bypass the proxy for guest users? What is your recommendation?

Thanks

Not a problem. The reason your profiling is failing for wireless users is that the profiling information for DHCP isn't hitting the ISE nodes. For the wired devices, are you using the DHCP probe to profile the users? If so, then your issue is with the DHCP proxy setting on the controller. Even though you have the ip helper statement on the SVI, essentially your controller is proxying the DHCP broadcasts from the client straight to the DHCP server, so even if you enable the ip helper statements on the SVI for the ISE nodes, it will not work.

You are correct for the guests; typically, if a guest has enabled proxy settings before, they should know that they should probably disable this setting when they connect to a new network.

Also, I cannot remember, but aren't the proxy settings configured under the network settings tab? Meaning the only time you would experience this issue is if the SSID you are broadcasting is the same as the SSID they have connected to previously?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

On ISE all common profiling probes are enabled, like DHCP, SNMP, RADIUS, DNS etc., so I believe this setting is global for both wired and wireless users. Similarly, switches are configured with the ip-helper address for ISE, SNMP and RADIUS parameters, and the WLC is also configured with SNMP, RADIUS etc.

As I mentioned in the first post, profiling of wireless devices was working fine till I changed the 'AAA' tab settings to reflect the ISE nodes as authentication server.

Kindly guide how I can troubleshoot this.

Thanks & Regards,

Also, I disabled the 'DHCP Proxy' on the WLC, but ISE is still putting the workstation as 'Unknown'.

Could it be related to the pre-auth ACL on the WLC?

Regards,

Mujeeb
