Cisco Identity Services Engine (ISE) and Wireless LAN Controller (WLC) - Part 1


Fri, 02/08/2013 - 03:37
Jul 22nd, 2011

In this video you will see:

1. Integration of ISE and WLC.

2. Basic configuration of WLC and ISE.

Cisco Identity Services Engine (ISE) is a next-generation product that provides various types of solutions/services in a single box, for example ACS, NAC, NAC Profiler and NAC Guest Server portfolios.

PART 2:-

Cisco Identity Services Engine

Wireless LAN Controller

ankbhasi Fri, 07/22/2011 - 09:45

Great content. Thanks for posting the same.

I am trying to make WLC+ISE work with no PSK for an SSID. When users connect I want to display a banner where users have to click OK to continue.

The info here talks about using 802.1x, which requires a cert to be configured and NAC enabled in the SSID, which uses the global RADIUS config.

How can I achieve my objective with and without PSK?

hkumarsh Mon, 09/05/2011 - 06:16
1. So far only 802.1x authentication is supported, so it's not possible to redirect two times. Anyhow, what is the need of displaying a different page before redirecting? The default page itself has complete info. Is there any specific reason?

2. PSK is not supported. Probably it will be supported in the next release, and web auth as well.


vishalwaghmare Wed, 11/09/2011 - 03:00

Thank you very much. I wanted to do a POC for WLC with ISE, however I was not sure how and where to start. This video sure gave me a pointer. My intention is to identify personal mobile devices vs. company-provided ones (both using NT credentials). The ISE presentation has this use case, however I am not sure how to get it done. Can you provide some assistance? Do I need to have the NAC client on these devices to identify the device type?

hkumarsh Thu, 11/10/2011 - 05:45

Hi Vishal,

This is not supported in 1.0.... I think it will be supported in the next release.


vishalwaghmare Thu, 11/10/2011 - 09:53

Strange. Our Cisco SE introduced ISE for mobile device classification and control. I have ver 1.0 and I could see a lot of mobile devices (iPod, iPhone, iPad, Android etc.) under profiling. I have never worked on NAC and hence am not sure how to use it. I used your video to configure the WLAN with ISE as RADIUS server.

hkumarsh Thu, 11/10/2011 - 20:56

You are right, there is a big list of attributes... but you asked whether we can differentiate between a company mobile and a personal mobile; officially it may be supported in the next release. You can provide a different profile to each type of mobile... say if an iPhone comes, give it VLAN-x, and if an Android comes, give it VLAN-y.

Bijo Abraham Thu, 11/24/2011 - 19:29

Hi Hemant, thanks for the video, but I want to know more about the configuration and integration of WLC with ISE. I am testing it in the lab for the deployment; can you please tell me what licenses I need for this to work? Right now I have got a 4402 controller with 2 CAPWAP APs and an evaluation version of ISE on a VM. I tried to authenticate the user, but I am getting the username and password box again and again on the PC, and not getting connected. I can see the error logs in the ISE say the client needs some certificate. Also I am trying with a wireless client, so I would like to know if I am missing some license or am trying with some wrong configs.

hkumarsh Thu, 11/24/2011 - 19:55

Hi Bijo,

Please share your WLAN config and what auth you are using at the client side.


vishalwaghmare Thu, 11/24/2011 - 20:42

Hi Bijo,

Check the authentication logs. I had a similar problem which I managed to partially resolve. I was using the native wireless client on Win 7. The authentication logs on ISE were showing that the auth was working against host\<machine name> instead of the username. I specified the authentication mode as user authentication in the wireless client (Security -> Advanced Settings -> Specify user authentication) and I could see ISE authenticating against the username. Hemant's video is showing the wireless profile configuration using the Intel PROSet utility, where user authentication may be the default configuration. In the authentication logs on ISE, I can see that the client is authenticated using the internal database. I am stuck with authorization now, as ultimately no access is granted because it is matching the "default deny" rule.

Hi Hemant,

This is my first experience with a NAC-based product and it is too confusing. Can you please point to resources which talk more about the steps and provide more info about the elements involved in posture-based authentication? Thanks for your video, I have made some progress. I still need to figure out why it is matching the default deny profile. I have defined the app to be open as telnet.exe.

hkumarsh Thu, 11/24/2011 - 21:06

Hi Vishal,

It's confusing because ISE has lots of options to configure... but once you understand it... you will feel that you have a very powerful device in your hands....

The client matches the "deny profile" because ISE fails to match any of the profiles you configured.... It works the same as our ACLs...

This video is for basic posture only... if you follow the steps one by one I think you will not face issues for basic posturing. Please let me know what you are not able to understand in the video...

Please let me know the config of ISE:

Policy Elements

Results -

  • Authorization Profile - create profiles, like compliant and non-compliant, and specify ACLs.
  • Posture Requirement - map the posture condition.
  • Client Provisioning - upload agent software (client or web agent).

Client Provisioning -

  • Here we map the NAC_Agent to the Identity Group.

Authorization -

  • Creating rules. Give the specific authorization to non-compliant or compliant... etc.

vishalwaghmare Thu, 11/24/2011 - 21:52

Hi Hemant,

I have followed all the steps in your video only, as I don't know any other way to configure ISE.

hkumarsh Thu, 11/24/2011 - 21:55

Hahaha.... If possible, please let me know the config of ISE as I mentioned in my previous reply - screenshots...

vishalwaghmare Fri, 11/25/2011 - 00:31

Hi Hemant,

How can I provide you screenshots? Can I directly post them in a reply? The logs show that the client is failing the authorization profile while authentication works.

hkumarsh Fri, 11/25/2011 - 00:36

Yes, you can attach it here if you are not violating your company's privacy..

vishalwaghmare Fri, 11/25/2011 - 01:01

Hurreyyy. I managed to get it working. Now I can see the client with posture status pending. Since I am working from home today, I cannot test it further with my test laptop, which has a LAN connection too apart from wireless (I have connected via RDP). I watched the video closely again and followed "all" steps. I had assumed a few of the steps earlier. Yes, the box sure has a lot of options to configure. My main goal is to identify mobile devices and provide access. I will be able to test it further on Monday. Thanks Hemant for all your assistance.

vishalwaghmare Fri, 11/25/2011 - 01:04

Hi Hemant,

I have configured the condition as firefox.exe and I have it running on the test laptop. Why is it still waiting in the posture check status?

hkumarsh Fri, 11/25/2011 - 01:23

It's tough to assume what the problem would be... I need the config to troubleshoot...

Bijo Abraham Sun, 11/27/2011 - 12:27

Above is the report just taken from the ISE. I am using WPA2-Enterprise with AES on the client.... I think the username is coming as the MAC address in the above screenshot; I don't know how to change it.

hkumarsh Sun, 11/27/2011 - 19:27

Hi Bijo,

1. Your WLC is running image. ISE is supported on and above. Please upgrade it...

George Stefanick Sun, 11/27/2011 - 19:34

Can you point me to the WLC config needed to profile wireless clients? Like SNMP etc...

hkumarsh Sun, 11/27/2011 - 19:47

If you are talking about ISE, then the WLC does not use SNMP, so you don't really need to configure it for... you just need to enable RADIUS NAC on the WLAN and configure the RADIUS Auth/Acct server as ISE on the WLC.

vishalwaghmare Thu, 12/01/2011 - 02:45

I am facing the same issue. I can authenticate fine but nothing happens for posture validation. I can see the request going to ISE, as I got the cert warning message, but I don't get the web agent after that.

hkumarsh Thu, 12/01/2011 - 02:59

Hi Yhamoudah/Vishal,

So the client is in the "posture_req" state and not passing traffic, right?

If yes, please check the following things:

1. Has the NAC agent been uploaded and mapped to the Identity Group?

2. DNS configuration for ISE.

3. If DNS is not possible, then add the ISE IP and name to the hosts file of Windows.


George Stefanick Sun, 11/27/2011 - 19:50

Thank you for your quick reply. Then can you share how ISE profiles Wi-Fi devices? Or point me to specific reading on the topic (just for Wi-Fi). I don't care much about wired right now.

hkumarsh Sun, 11/27/2011 - 20:04

1. I don't think there is such a doc available.... but I think you can find such info in the WLC/ISE config guide.

2. I think this video covers that part, and how the wireless client gets authenticated as well...

George Stefanick Sun, 11/27/2011 - 23:13

Actually, these videos don't cover anything about "profiling" and how it works. There are 7 ways to profile: DHCP fingerprinting, SNMP, etc... How does a client get profiled on a WLC? Do you know?

hkumarsh Mon, 11/28/2011 - 00:18

Ohh, okay okay, got it... I don't know about any doc specific to... you will have to read the ISE config guide.... I am working on it... will publish it asap...

George Stefanick Sun, 11/27/2011 - 19:47

Also, is there an ISE prerequisite document for the WLCs? Like you pointed out the code version. Are there any other things we need to know...?


Bijo Abraham Sun, 11/27/2011 - 20:37

Hi Hemant, thanks, I will try that and let you know. But just as a progress update, I did a factory reset of the VM ISE and reconfigured it today, and it started working with my WLAN controller now, which was not working yesterday. I am using my ISE user to access the WLAN controller now. But still the wireless is not working; I will try upgrading the LAN controller and see.

patrick.kofler Mon, 11/28/2011 - 07:04

Hi Hemant,

Thanks for this guide. I am currently evaluating the ISE for our wireless deployment and have a few questions.

I configured the following scenario.

On the WLC

- ACLs

- Radius NAC in the SSID

On the ISE

- Enabled HTTP, DHCP, Netflow and RADIUS probes

- An authorization result for the Quarantine VLAN with a limited access ACL and a redirect to the client pre-posturing (does the CPP acronym actually stand for this?) webpage.

  Name is Unknown_Client and attributes are:

  Access Type = ACCESS_ACCEPT

  Tunnel-Private-Group-ID = 1:111

  cisco-av-pair = url-redirect-acl=Limited_Access

  cisco-av-pair = url-redirect= https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

- Profiling Policy

  Changed the "Windows7-Workstation" Endpoint policy from Hierarchy to Create Matching Endpoint Policy

- Authentication policy

  1) If Wireless 802.1x, allow protocols PEAP & EAP-TLS

  2) If WLC_WebAuth, allow protocols PAP/ASCII

- Authorization policy with the rules in the following order (Currently Testing Only)

  1) If "Windows7-Workstation" then PermitAccess

  2) If Any and "Session:Posturestatus EQUALS Unknown" then Unknown_Client

This scenario now looks like the following. The user connects to the SSID "Test". As his posture status is unknown, he will be put into the quarantine VLAN with the Limited_Access ACL on the WLC applied. As soon as he opens up a browser and tries to open a webpage, he will get redirected to the Temporary Notification webpage stating "the ISE is not able to apply an access policy to the log-in session at this time". After some seconds the client disconnects and regains connectivity to the WLAN immediately again. This time he is put into the user VLAN. I suspect it has something to do with the HTTP probe when accessing the ISE webpage, so that he gets reprofiled.

He is now recognized as a Win7 workstation and thus has the PermitAccess permission.

What I now wanted to test is the NAC agent on the Win7 workstation.

The authorization policy looks as follows:

  1) If "Windows7-Workstation" and "Session:Posturestatus EQUALS Compliant" then PermitAccess

  2) If Any and "Session:Posturestatus EQUALS Unknown" then Unknown_Client

I deleted the endpoint as well as the WLAN session of my user to have clean starting conditions.

I started up the NAC agent and connected to the "Test" SSID. During the connection the posturing was taking place and turned out to be successful. However, afterwards I lost connection to the WLAN and had to manually reconnect. I was again put into the quarantine VLAN. Checking the endpoint in the ISE revealed that it was not accurately profiled (recognized as a Microsoft-Workstation).

Is there a possibility for the NAC agent to communicate the OS to the ISE?

The only workaround I have found so far is to loosen up the authorization policy to allow any identity group and require a company-specific attribute for posturing.

I also tried to make an SSID-limited approach by trying to set the attribute "Radius:Called-Station-ID", as this contains the SSID name. However, as this is only part of the whole string (AP MAC+SSID), I only have the choice of 3 operands: EQUALS, NOT EQUALS, MATCHES.

Is there a possibility to somehow filter for only a part of the whole string?

The next step was the client provisioning feature. I configured it to provide the NAC WebAgent. This also means that connecting to the WLAN will forward you to the provisioning web page instead of the temporaryNotification.html web page.

I shut down the NAC agent on the test machine. I assumed that since I am going to use the WebAgent, the client will be profiled correctly, as I have to access the webpage on the ISE.

An HTTP probe should be taken. However, it turned out to be the same issue. The client only got profiled as a Microsoft-Workstation, same as with the regular NAC agent.

Is the profiling via HTTP probe exclusive to the temporaryNotification.html?

Is there a way to access the temporaryNotification.html for HTTP profiling in parallel to the client provisioning webpage when client provisioning is enabled?

Also, is it possible to customize the Client Pre-Posturing webpages (temporaryNotification.html, errorPage.html, evaluation during Posture)?

Is it possible to do HTTP profiling for guest access in order to determine the correct device type?

Thanks in advance!
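The post above describes two orderings of authorization rules, a posture-dependent redirect result, and the problem of matching only the SSID part of Called-Station-Id. The following is an added example (not Cisco code and not from the original post) that models those rules as a first-match evaluator with a default deny, the way the thread compares ISE authorization to ACLs, and shows a MATCHES-style regex that selects the SSID. It assumes the WLC sends Called-Station-Id as "<AP-MAC>:<SSID>" and uses a placeholder ISE host name in the redirect URL.

```python
"""Toy first-match evaluator for the ISE authorization rules discussed above.

Constructed illustration, not Cisco code. Assumptions: the WLC sends
Called-Station-Id as "<AP-MAC>:<SSID>", rules are evaluated top-down with the
first match winning, and no match falls through to a default deny.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    endpoint_policy: str      # profiler result, e.g. "Windows7-Workstation"
    posture_status: str       # "Unknown", "Compliant" or "NonCompliant"
    called_station_id: str    # RADIUS Called-Station-Id sent by the WLC
    session_id: str           # session id that replaces SessionIdValue in the redirect


@dataclass
class Rule:
    name: str
    endpoint_policy: Optional[str]  # None means "Any"
    posture_status: Optional[str]   # None means no posture condition
    ssid: Optional[str]             # None means no Called-Station-Id condition
    result: str                     # authorization profile returned on match


def ssid_matches(called_station_id: str, ssid: str) -> bool:
    """MATCHES takes a regex; anchoring on ':<ssid>$' selects only the SSID part
    of 'AP-MAC:SSID' (assumed format) so the AP MAC does not have to be known."""
    return re.search(r":" + re.escape(ssid) + r"$", called_station_id) is not None


def evaluate(rules: List[Rule], session: Session) -> str:
    """Top-down, first match wins; no match means the default deny applies."""
    for rule in rules:
        if rule.endpoint_policy is not None and rule.endpoint_policy != session.endpoint_policy:
            continue
        if rule.posture_status is not None and rule.posture_status != session.posture_status:
            continue
        if rule.ssid is not None and not ssid_matches(session.called_station_id, rule.ssid):
            continue
        return rule.result
    return "DenyAccess"


# The Unknown_Client authorization result from the post; the host name is a placeholder.
UNKNOWN_CLIENT_ATTRIBUTES = {
    "Access Type": "ACCESS_ACCEPT",
    "Tunnel-Private-Group-ID": "1:111",
    "cisco-av-pair": [
        "url-redirect-acl=Limited_Access",
        "url-redirect=https://ise.example.invalid:8443/guestportal/gateway"
        "?sessionId=SessionIdValue&action=cpp",
    ],
}


def render_redirect(attributes: dict, session: Session) -> str:
    """Return the url-redirect value with the SessionIdValue placeholder from the
    post filled in for this session."""
    for avp in attributes["cisco-av-pair"]:
        if avp.startswith("url-redirect="):
            return avp[len("url-redirect="):].replace("SessionIdValue", session.session_id)
    raise ValueError("no url-redirect av-pair in authorization result")


# First ordering from the post: Win7 -> PermitAccess, else posture Unknown -> Unknown_Client.
RULES_BY_PROFILE = [
    Rule("Win7", "Windows7-Workstation", None, None, "PermitAccess"),
    Rule("Unknown", None, "Unknown", None, "Unknown_Client"),
]

# Second ordering: Win7 AND Compliant -> PermitAccess, else posture Unknown -> Unknown_Client.
RULES_WITH_POSTURE = [
    Rule("Win7-Compliant", "Windows7-Workstation", "Compliant", None, "PermitAccess"),
    Rule("Unknown", None, "Unknown", None, "Unknown_Client"),
]

# SSID-scoped variant of the Unknown rule, using the MATCHES-style regex on the SSID.
RULES_SSID_SCOPED = [
    Rule("Unknown-on-Test", None, "Unknown", "Test", "Unknown_Client"),
]


if __name__ == "__main__":
    # Constructed session: endpoint profiled as Microsoft-Workstation on SSID "Test".
    s = Session("Microsoft-Workstation", "Unknown", "00-11-22-33-44-55:Test", "0a0a0a0100000010")
    print(evaluate(RULES_WITH_POSTURE, s))
    print(render_redirect(UNKNOWN_CLIENT_ATTRIBUTES, s))
```

The evaluator makes the profiling mismatch in the post visible: an endpoint that comes back as "Microsoft-Workstation" never satisfies the "Windows7-Workstation" rule, so with posture Unknown it lands on Unknown_Client, and once compliant it falls through to the default deny unless a later rule catches it. The SSID-scoped rule shows the regex that MATCHES would need in order to ignore the AP MAC prefix.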



Bijo Abraham Tue, 11/29/2011 - 15:41

Hi Hemant, thanks a lot, I got the WLAN controller upgraded to and all is working fine. I am able to connect to the network with ISE.

Another one for the ISE now that it has started working: can we have this configured without a posture, just keeping in mind that the deployment will be with AD users with company laptops and AD users with BYOD? What will be the best method to start with? Do you have a full configuration guide for this?


hkumarsh Wed, 11/30/2011 - 02:08

Hi Bijo,

You can use ISE without posturing as well. Sorry, I do not know if there is any specific guide; you will have to use the ISE config guide.



yhamoudah Thu, 12/01/2011 - 02:30

Great videos.

I could be authenticated; however, I couldn't get the popup agent or even the posture through the web. Why?

vishalwaghmare Thu, 12/01/2011 - 03:08

Hi Harsh,

1. Yes, I have loaded the agent. In fact I have tried with both the web agent and the NAC agent as a test.

2. Where is the DNS server setting on ISE?

3. I do not think there is any problem in terms of DNS, as on the client I could get the certificate (self-signed) from ISE. The URL is ISEIP:port/uri and it then changes to Is this OK? I checked your second video and it shows too.

hkumarsh Thu, 12/01/2011 - 05:14

Hi Vishal,

You need DNS to resolve the URL that ISE returns when the client associates for the first time.....

Configuration of DNS:

1. When you install ISE for the first time (wizard configuration).

2. There is a CLI command on ISE: ip name-server (like on a router/switch).

Please add the ISE IP and name to the hosts file... then the client will get the redirected page...


yhamoudah Sat, 12/03/2011 - 02:07

Hi Harsh,

That is really good, and thanks for the videos, it worked for me perfectly. I am trying something else here: I am trying to do a guest access configuration between WLC and ISE. Everything seems to be fine and I could get the guest portal and enter the username and password, but after I log in it redirects me to the same guest login page again!!!!!

It seems that every time it goes to the WLC and does the redirection to the main login page for the guest. How can I solve the issue?


hkumarsh Mon, 12/05/2011 - 01:26


Sorry for the delayed response....

1. Are you able to solve the problem?

2. Are you using the local database of ISE or AD?

3. Any error on the web page?

4. Please share the ISE logs --- Monitor ---> Authentication..?


Eric Lindsey Mon, 04/09/2012 - 05:05

I have the evaluation version of the ISE running, but under Authorization Profiles > Common Tasks I do not have an option for posture discovery or WLC. Am I missing something?

hkumarsh Mon, 04/09/2012 - 05:39

Hi Eric,

The option has been renamed. I hope you are using ISE 1.1.

1. The option is now called "Web Authentication" ----> select Posture Discovery.

2. WLC (ACL) is renamed to "Airespace ACL Name".


Eric Lindsey Mon, 04/09/2012 - 08:36

Wow.  That worked perfectly.  Thank you for the quick response.  This video was great and very helpful.

Eric Lindsey Mon, 04/09/2012 - 12:45

Is there a quick and easy way to make a rule stating that all iPhones are allowed or denied access?

hkumarsh Sun, 04/15/2012 - 12:55

Hey, sorry for the delayed response... I hope you would have done it by now; if not, then you can try this:

1. Policy --> Profiling --> Apple-Devices --> iPhone --> enable "Create Matching Identity Group".

2. Policy --> Authorization --> make a rule on top of all rules for iPhone:

Name - iPhone

Group - Apple-iPhone (it will be under Endpoint Identity Groups --> Profiled)

Condition - leave it default

Permission - use "Deny profile"

Let me know if it's not working.

edondurguti Fri, 06/08/2012 - 07:45

UPDATE: sorry for not reading your response to the previous questions.

I see they are renamed... it kinda sucks, but anyway.

Thanks for the video.

One question:

On: Policy - Policy Elements - Results - Authorization - Authorization Profile...

When I add something and want to apply a task under COMMON TASKS, I don't see POSTURE DISCOVERY :s

I am running a demo on a VM?

Any suggestion?

bilal-javed1 Mon, 02/04/2013 - 22:09


I am new to ISE and am ordering one with Cisco.

Can you please give me an idea of what devices I should already have and what I need?

Do I need to order a WLC along with ISE, or will a standalone Aironet AP 2600, whose requests are coming through a 3550 LAN switch, be sufficient?

Also, if we don't need a WLC, then should we apply the three ACLs which Cisco recommends for posture assessment on the Ethernet switch?

Please let me know. Thanks.

hkumarsh Fri, 02/08/2013 - 03:37

Hi Bilal,

Sorry, I am not much aware of the standalone AP. You should probably go through the config guide of the standalone AP. Meanwhile I will also try to find out if it's supported.

