Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Heavrin, Lynn
You can separate the authentication and the authorization if you want to use 
ISE for controlling authorization.  If your VPN solution is Cisco, the ASA can 
talk directly to Azure via SAML and then send authorization requests separately 
to ISE.  For Duo, you can set up a Duo Proxy via ISE and the ASA would only 
talk to ISE, but I'm not sure Azure has that.  I like having ISE in the mix on 
our AnyConnect VPN for auditing and pulling authentication reports, especially 
if you have multiple VPN profiles.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Tel: 314.935.3877 | Email: lheav...@wustl.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jeffrey D. Sessler
Date: Thursday, August 26, 2021 at 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

I 2nd Tim’s suggestion.  If the VPN is Cisco-based, they support using SAML 
against AzureAD including MFA.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Date: Thursday, August 26, 2021 at 7:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

We are talking VPN here and for the entire campus…

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Avis relatif à la confidentialité | Notice of Confidentiality


From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of James Andrewartha
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, August 26, 2021 at 10:50 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

Microsoft note this behaviour and have some sort of workaround in their NPS MFA 
extension: 
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA to 
provision a client cert and do EAP-TLS instead.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, 26 August 2021 at 10:20 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA

A question not directly related to Wi-Fi, but related to ISE which seems to be 
something some of you use.

We are currently authenticating a VPN test group via ISE through NPS servers 
(defined as a token server).
The goal is to do MFA with Azure through the Authenticator app on people’s 
phones.
Everything works, but Authenticator pops up for confirmation, sometimes 2 to 3 
times, even if one has accepted the first confirmation…

I would like to have feedback from people who used something like that and have 
solved the multiple Authenticator prompts.

Thank you

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
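The repeated Authenticator prompts Manon describes, and the "RADIUS protocol behavior" James links to, come from a mismatch that is easy to see in a small model: a RADIUS client retransmits an Access-Request it has not had an answer to, and a push-based MFA backend that takes longer than the client's timeout to get the user's approval treats each retransmission as a new login unless it recognises the duplicate. The Python below is an added illustration written for this thread, not the NPS extension's code and not anything posted on the list; the timeout, latency and retry numbers, the NAS address and the user name are constructed. It shows the two general mitigations: suppressing duplicates on the MFA side by the fields that do not change on retransmission (RADIUS Identifier and Request Authenticator), and raising the client's RADIUS timeout above the time a user needs to approve the push.

```python
"""Why a RADIUS-fronted push MFA can prompt a user two or three times for one
login, and how a duplicate-request cache on the MFA side suppresses the extra
prompts.  Added illustration built for this thread; it is not the NPS
extension's code and all numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """The fields of a RADIUS Access-Request that stay identical when the
    client retransmits it (RFC 2865: Identifier and Request Authenticator)."""
    nas: str              # RADIUS client address the packet came from
    identifier: int       # 8-bit Identifier field
    authenticator: bytes  # 16-byte Request Authenticator
    user: str             # User-Name attribute


def nas_retransmits(nas: str, user: str, timeout: float, mfa_latency: float,
                    retries: int, identifier: int = 0x2A,
                    authenticator: bytes = bytes(range(16))) -> list[AccessRequest]:
    """Packets a NAS (VPN head-end, or ISE proxying to a token server) puts on
    the wire for one login.  It sends once, then resends the *same* packet
    every `timeout` seconds until a reply arrives (after `mfa_latency`, the
    time the user takes to approve the push) or `retries` is exhausted."""
    pkt = AccessRequest(nas, identifier, authenticator, user)
    sent = [pkt]
    waited = timeout
    while waited < mfa_latency and len(sent) <= retries:
        sent.append(pkt)          # retransmission: byte-identical to the original
        waited += timeout
    return sent


class PushMfaBackend:
    """A server that sends one push notification per Access-Request it sees.
    With dedup=True it remembers requests still awaiting the user's answer
    and ignores retransmissions of them instead of pushing again."""

    def __init__(self, dedup: bool) -> None:
        self.dedup = dedup
        self.pushes_sent = 0
        self.pending: set[tuple[str, int, bytes]] = set()

    def handle(self, req: AccessRequest) -> str:
        key = (req.nas, req.identifier, req.authenticator)
        if self.dedup and key in self.pending:
            return "duplicate-ignored"
        self.pending.add(key)
        self.pushes_sent += 1
        return "push-sent"


def prompts_for_login(timeout: float, mfa_latency: float, retries: int,
                      dedup: bool) -> int:
    """Number of push prompts one user receives for a single login attempt."""
    backend = PushMfaBackend(dedup)
    # constructed NAS address and user name
    for pkt in nas_retransmits("198.51.100.10", "alice", timeout, mfa_latency, retries):
        backend.handle(pkt)
    return backend.pushes_sent


if __name__ == "__main__":
    # RADIUS timeout 5 s, user takes 30 s to tap Approve, 2 retransmissions allowed
    print("naive backend, 5 s timeout :", prompts_for_login(5, 30, 2, dedup=False))   # 3 prompts
    print("dedup backend, 5 s timeout :", prompts_for_login(5, 30, 2, dedup=True))    # 1 prompt
    print("naive backend, 60 s timeout:", prompts_for_login(60, 30, 2, dedup=False))  # 1 prompt
```

The cache only helps while the client keeps retransmitting the same packet; once a NAS gives up and starts a fresh attempt it picks a new Identifier and Authenticator, which no cache can match, so the timeout on the RADIUS client (here the ISE token-server definition and the VPN head-end in front of it) still has to be longer than the time a user realistically needs to approve the push.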

Re: PEAP Username format in Domain Joined machines

2021-07-27 Thread Heavrin, Lynn
I didn’t see anywhere he mentioned this was for eduroam, but after a google 
search it seems Princeton uses it for their primary SSID, so yes that is a good 
point.  That’s one big factor in why we’re moving to EAP-TLS and forcing the 
format instead of trying to accommodate whatever the user decides to type in.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

I would not recommend that as the device will not be routable on eduroam 
outside your campus.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Heavrin, Lynn
Date: Tuesday, July 27, 2021 at 11:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Depending on your RADIUS server you could rewrite the identity to whatever you 
want.  Some are more granular than others with what all you can do.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

No, it cannot.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Pratik Mehta
Date: Tuesday, July 27, 2021 at 11:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Hello Everyone,

On a Windows 10 device, when using "Automatically use my Windows logon and 
password" for the MSCHAPv2 properties of PEAP authentication, the default username 
format that Windows uses is NETBIOS_DOMAIN_NAME\USERNAME.  Does anyone know if 
the default format can be changed to USERNAME@FQDN (UPN format)?  This is 
obviously for a domain-joined machine.

Thank you for your insights and assistance.

Regards,
Pratik Mehta


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community




The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.


Re: PEAP Username format in Domain Joined machines

2021-07-27 Thread Heavrin, Lynn
Depending on your RADIUS server you could rewrite the identity to whatever you 
want.  Some are more granular than others with what all you can do.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

No, it cannot.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Pratik Mehta
Date: Tuesday, July 27, 2021 at 11:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Hello Everyone,

On a Windows 10 device, when using "Automatically use my Windows logon and 
password" for the MSCHAPv2 properties of PEAP authentication, the default username 
format that Windows uses is NETBIOS_DOMAIN_NAME\USERNAME.  Does anyone know if 
the default format can be changed to USERNAME@FQDN (UPN format)?  This is 
obviously for a domain-joined machine.

Thank you for your insights and assistance.

Regards,
Pratik Mehta
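Lynn's reply above (rewrite the identity on the RADIUS server) and Tim's (a DOMAIN\user identity is not routable on eduroam) are two sides of the same parsing problem, so here is an added example in Python that is not code from the list or from any RADIUS product: it recognises the three shapes a Windows supplicant can send (NETBIOS_DOMAIN\user, user@realm, bare user), rewrites them to UPN form for the local lookup, and reports whether the name as typed carries the realm a visited site's proxy would need. The NetBIOS-to-DNS mapping, the realm and the user names are constructed placeholders; case folding of the user part is a design choice, not something the thread prescribes.

```python
"""Normalising the identity a Windows supplicant sends (DOMAIN\\user) into
UPN form before the RADIUS server looks the user up, plus the routing check
implied by the eduroam objection: a down-level name carries no realm, so no
federation proxy can forward it.  Added example, not the list's or any
vendor's code; the NetBIOS-to-DNS mapping and realm are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of NetBIOS domain names to DNS domains (assumption)
NETBIOS_TO_DNS = {"CAMPUS": "campus.example.edu"}

USER_RE = re.compile(r"[^\\/@\s]+")   # anything but separators and whitespace


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]     # None when the name carried no domain at all
    form: str                # "down-level", "upn" or "bare"


def parse_identity(raw: str) -> Identity:
    """Split a User-Name into user and realm, recognising all three shapes."""
    raw = raw.strip()
    if "\\" in raw:                                  # NETBIOS_DOMAIN\user
        domain, _, user = raw.partition("\\")
        dns = NETBIOS_TO_DNS.get(domain.upper())
        if dns is None:
            raise ValueError(f"unknown NetBIOS domain: {domain!r}")
        realm, form = dns, "down-level"
    elif "@" in raw:                                 # user@realm (UPN)
        user, _, realm = raw.rpartition("@")
        realm, form = realm.lower(), "upn"
    else:                                            # bare user name
        user, realm, form = raw, None, "bare"
    if not USER_RE.fullmatch(user) or (realm is not None and not realm):
        raise ValueError(f"malformed identity: {raw!r}")
    return Identity(user.lower(), realm, form)


def to_upn(raw: str, default_realm: Optional[str] = None) -> str:
    """Rewrite any accepted shape to user@realm.  Bare names get default_realm
    if one is configured; otherwise they are rejected rather than guessed."""
    ident = parse_identity(raw)
    realm = ident.realm or default_realm
    if realm is None:
        raise ValueError(f"no realm for {raw!r} and no default configured")
    return f"{ident.user}@{realm.lower()}"


def routable_on_eduroam(raw: str) -> bool:
    """True only if the identity as typed names a realm: that is what a
    visited institution's RADIUS proxy uses to forward the request home.
    A rewrite on the home server cannot help here because the request
    never reaches it."""
    try:
        return parse_identity(raw).form == "upn"
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in ("CAMPUS\\JDoe", "JDoe@Campus.Example.EDU", "jdoe"):
        print(f"{raw:28} -> {to_upn(raw, default_realm='campus.example.edu'):28}"
              f" roamable={routable_on_eduroam(raw)}")
```

The rewrite stays on your own RADIUS server, which is exactly Lynn's point; the `routable_on_eduroam` check makes Tim's point visible, since a down-level name normalises fine locally yet returns False, and it is the reason for forcing a realm-bearing identity in the supplicant profile rather than accommodating whatever the user types.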




Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

2021-07-08 Thread Heavrin, Lynn
Not sure if it was directed at me or the original poster, but I think it comes down 
more to an identity management classification and access issue at that point.

  1.  If employees are allowed network access to student resources, then just 
put the employee rule above the student rule in ISE and the access will 
waterfall.
  2.  If employees are restricted from seeing student resources, you may have 
to create another level of access called Student Employees, where ISE matches 
the rule if you are a member of the employees group AND the students group, and 
places them in a VLAN that has access to both resources.
  3.  If you don't want to use VLAN switching, you can use DACLs (find what 
works best for you).  In this scenario, employees and students get put into the 
same VLAN and access is controlled via DACL instead of regular IP firewalling.  
Student-only users get a DACL applied that only allows access to student things.  
Employee-only users get access only to employee things.  Student Employees get 
access to both using the same process as #2, except using DACLs instead of VLAN 
switching.

Those are just 3 ways to handle that off the top of my head.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of James Helzerman
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, July 8, 2021 at 2:05 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Out of curiosity how would you handle someone that has dual appointments such 
as a student that is also an employee?

-Jimmy

On Wed, Jul 7, 2021 at 7:19 PM Heavrin, Lynn <lheav...@wustl.edu> wrote:
Feel free to reach out.  We’re running 2.7 patch 3 with 8540s.  We assign users 
to vlans for some things, but we also like actually using ISE assigned 
interface groups instead that contain multiple interfaces/vlans for more 
scalability.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Tel: 314.935.3877 | Email: lheav...@wustl.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard <manon.less...@dti.ulaval.ca>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, July 7, 2021 at 12:28 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Same here, everything done with ISE.

DM if you need help.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Avis relatif à la confidentialité | Notice of Confidentiality: http://www.rec.ulaval.ca/lce/securite/confidentialite.htm


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Gray, Sean" <sean.gr...@uleth.ca>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, July 7, 2021 at 12:52 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Hi Everyone,

We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into 
a single WLAN (eduroam). Behind the scenes we still need to authenticate and 
route clients to their respective network segment. So to achieve this we need 
to implement dynamic vlan redirects behind the scenes.

Eduroam users from other institutions will be sent out to eduroam to be handled 
appropriately

Authentication will be handled by ISE cluster, running 2.6.0.156
WLC – 5520 (pair) running 8.8.130.0

The process, from a high level, should look something like this:

  *   Staff/faculty will connect to our new single WLAN, namely Eduroam
  *   They will be caught by the appropriate policy and authenticated against 
AD, validating that they are staff/faculty
  *   Now they will be redirected to the appropriate VLAN
  *   Student will follow the same process, but will be validated that they are 
a student, and redirected to a different VLAN
  *   All others (externals) will be sent to an external RADIUS server for auth 
and then redir

Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

2021-07-07 Thread Heavrin, Lynn
Feel free to reach out.  We’re running 2.7 patch 3 with 8540s.  We assign users 
to vlans for some things, but we also like actually using ISE assigned 
interface groups instead that contain multiple interfaces/vlans for more 
scalability.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Tel: 314.935.3877 | Email: lheav...@wustl.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Wednesday, July 7, 2021 at 12:28 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Same here, everything done with ISE.

DM if you need help.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Avis relatif à la confidentialité | Notice of Confidentiality


From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "Gray, Sean"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Wednesday, July 7, 2021 at 12:52 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Hi Everyone,

We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into 
a single WLAN (eduroam). Behind the scenes we still need to authenticate and 
route clients to their respective network segment. So to achieve this we need 
to implement dynamic vlan redirects behind the scenes.

Eduroam users from other institutions will be sent out to eduroam to be handled 
appropriately

Authentication will be handled by ISE cluster, running 2.6.0.156
WLC – 5520 (pair) running 8.8.130.0

The process, from a high level, should look something like this:

  *   Staff/faculty will connect to our new single WLAN, namely Eduroam
  *   They will be caught by the appropriate policy and authenticated against 
AD, validating that they are staff/faculty
  *   Now they will be redirected to the appropriate VLAN
  *   Student will follow the same process, but will be validated that they are 
a student, and redirected to a different VLAN
  *   All others (externals) will be sent to an external RADIUS server for auth 
and then redirected to yet another different VLAN.

Currently unique policies exist for each of these processes, without the added 
complexities of the VLAN redirect. So my mission is to combine these, filtering 
each client to their auth point, and then upon receiving the authorization, 
assign the appropriate vlan tag, for IP assignment, prior to them getting 
on-net.

I’ve been unable to find any meaningful documentation around how to handle 
internal vs external radius redirection in this scenario.

So has anyone done this, and are they able to share their process, inclusive of 
vlan redirect?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge
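Sean's flow above (route home-realm users to AD, externals to the eduroam proxy, then assign a VLAN per group) and Lynn's three answers to the dual-appointment question in the other branch of this thread both come down to how a first-match authorization policy is ordered. The Python below is an added example, not ISE's code and not anything posted on the list: a small first-match evaluator in the style of an ISE policy set, the three policies Lynn describes (employee rule above student rule, a combined Student-Employees rule, and one VLAN with DACLs), and a lint that flags a rule that can never match because a broader rule sits above it. The directory contents, group names, realm, VLAN ids and DACL names are all constructed.

```python
"""First-match authorization policy, the way an ISE policy set is evaluated,
showing three ways to handle a user who is both a student and an employee.
Added example; the directory, group names, VLAN ids and DACL names are
constructed placeholders."""
from dataclasses import dataclass

HOME_REALM = "example.edu"                       # constructed
DIRECTORY = {                                    # constructed AD group membership
    "alice": frozenset({"Employees"}),
    "bob": frozenset({"Students"}),
    "carol": frozenset({"Employees", "Students"}),   # dual appointment
}


@dataclass(frozen=True)
class Rule:
    name: str
    needs: frozenset      # ALL of these groups must be present (AND condition)
    result: dict          # authorization profile contents (VLAN and/or DACL)


def classify(identity: str) -> frozenset:
    """Route the request to its auth point: home-realm users are looked up in
    AD; anyone else is tagged as an eduroam visitor to be proxied out and is
    never looked up locally."""
    user, _, realm = identity.rpartition("@")
    if realm.lower() != HOME_REALM:
        return frozenset({"EDUROAM-VISITOR"})
    return DIRECTORY.get(user.lower(), frozenset())


def authorize(policy: list, identity: str) -> tuple:
    """First rule whose condition is satisfied wins; nothing matching rejects."""
    groups = classify(identity)
    for rule in policy:
        if rule.needs <= groups:
            return rule.name, rule.result
    return "Default", {"action": "reject"}


def shadowed_rules(policy: list) -> list:
    """Lint: a rule whose condition is a superset of an earlier rule's condition
    can never match, because the earlier, broader rule always fires first."""
    shadowed = []
    for i, later in enumerate(policy):
        if any(earlier.needs <= later.needs for earlier in policy[:i]):
            shadowed.append(later.name)
    return shadowed


VISITOR = Rule("Eduroam-Visitors", frozenset({"EDUROAM-VISITOR"}), {"vlan": "40"})
EMPLOYEE = Rule("Employees", frozenset({"Employees"}), {"vlan": "10"})
STUDENT = Rule("Students", frozenset({"Students"}), {"vlan": "20"})
BOTH = Rule("Student-Employees", frozenset({"Employees", "Students"}), {"vlan": "30"})

# 1: employee rule above student rule; dual-role users waterfall into Employees
POLICY_WATERFALL = [VISITOR, EMPLOYEE, STUDENT]
# 2: a combined-membership rule placed ABOVE both single-group rules
POLICY_COMBINED = [VISITOR, BOTH, EMPLOYEE, STUDENT]
# 3: one VLAN for everyone, access restricted by DACL; dual-role users get both
POLICY_DACL = [
    VISITOR,
    Rule("Student-Employees", frozenset({"Employees", "Students"}),
         {"vlan": "50", "dacl": "PERMIT_EMPLOYEE_AND_STUDENT"}),
    Rule("Employees", frozenset({"Employees"}), {"vlan": "50", "dacl": "PERMIT_EMPLOYEE"}),
    Rule("Students", frozenset({"Students"}), {"vlan": "50", "dacl": "PERMIT_STUDENT"}),
]

if __name__ == "__main__":
    for name, policy in (("waterfall", POLICY_WATERFALL), ("combined", POLICY_COMBINED),
                         ("dacl", POLICY_DACL)):
        for who in ("alice@example.edu", "bob@example.edu", "carol@example.edu",
                    "visitor@other.edu", "nobody@example.edu"):
            print(f"{name:9} {who:20} -> {authorize(policy, who)}")
    # the combined rule placed BELOW the single-group rules is dead
    print("shadowed:", shadowed_rules([VISITOR, EMPLOYEE, STUDENT, BOTH]))
```

The lint is the check worth carrying into a real deployment: the combined rule only works when it sits above the rules it specialises, and an ISE policy set silently keeps a misordered rule that never fires. The visitor rule fires before any AD lookup is attempted, which is the "filter each client to their auth point" step in Sean's plan.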




Re: [WIRELESS-LAN] Eap-tls user experience

2021-06-20 Thread Heavrin, Lynn
In my experience it tries to connect, then the user is greeted with a retry or 
close option if it didn't succeed.  You can always create a new package just 
for remote users that won't try to auto-connect if you are concerned about it.  
At the bottom of the profile when you edit it, you can just uncheck things you 
don't want the package to do.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Tel: 314.935.3877 | Email: lheav...@wustl.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Marsen Nuzi
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, June 18, 2021 at 4:51 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] Eap-tls user experience


Hello All,
How is the user experience when trying to onboard remotely with securew2? We 
are still in the testing phase and when users try onboarding remotely they get 
a difficult experience. Since it is looking for an SSID that is not available 
at the time of the process the onboarding keeps failing until after a few times 
then it gets to the last step. Looking to make the onboarding process a little 
easier and less painful for the end users.

Thanks
Marsen Nuzi
Information Technology
71 5TH AVE, ROOM 913C,
NEW YORK, NY 10003
nu...@newschool.edu



Forcing Client Cert Selection in Windows for EAP-TLS

2021-05-14 Thread Heavrin, Lynn
Has anyone used EAP-TLS where a Windows device has multiple client certs loaded 
in the personal store?  Is there a way to force it via GPO to choose one cert 
over the other to use for authentication?  The user certs from ADCS don’t 
always contain a private key in the personal store except on the first device a 
user logs into, so we moved to SecureW2 to guarantee it would work.  In Cisco 
ISE I trust both ADCS and SecureW2 CAs.  What is happening and what I’m trying 
to achieve is:


  1.  If a computer happens to have an ADCS user cert private key, it uses that 
one first, and I want to try to force it to use the SecureW2 cert via GPO or 
some setting.
  2.  For machine auth, I want it to always use the ADCS cert since there's no 
private key issue.  There is no SecureW2 machine cert.  Due to this I don't 
think I can just say "only use certs from this Issuer CA" because I need both, 
unless I can do that for user and machine separately.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis




Re: [WIRELESS-LAN] ISE CERT Renewal

2021-04-20 Thread Heavrin, Lynn
My memory is a little foggy but I believe last time I imported a certificate 
with a private key that was the same as an old cert, it overwrote the old one.  
It pops up a warning saying that the private key exists already but then lets 
you continue.

Generally I just make a new one with a new private key and name it 
“2021” or whatever because if you expect ISE to do something that 
works in any other system it doesn’t work right in ISE.  The cert date must be 
valid though as of the day you activate it for obvious reasons.  I renew all my 
certs before the day they expire but the valid date is always prior to when I 
install it.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Bruce Boardman <00f864c74f72-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Tuesday, April 20, 2021 at 7:17 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ISE CERT Renewal

We are going through Sectigo to renew the RADIUS CERT for our 802.1x auth 
environment. Cisco is a little bit nebulous regarding the activation and 
acceptance of the CERT with a future CERT valid date. They are not clear if the 
renewal will take without a CSR (why is a question for Cisco), but they 
indicate that in that case the private key may need to be uploaded. I don't 
want to get to the expiration day to find out that the CERT needs to be 
reissued, which would be a lengthy outage for machine auth clients needing a 
push of the new CERT.

Has anybody renewed on ISE prior to the expiration of the existing CERT using a 
future CERT valid date?  Talk me off the ledge.
Thanks




Re: [WIRELESS-LAN] ISE version

2020-12-10 Thread Heavrin, Lynn
Wait for 2.7 patch 3 at least.  There’s a few major bugs that are being fixed.  
It’s “supposed” to be released in December…but we’re 10 days in already and 
nothing so far.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Craig Eyre
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, December 10, 2020 at 11:53 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] ISE version

ISE 3.0 is a major licensing change so I'd talk to your SE for the details. I 
believe your current base licenses "which are owned" will expire after a 
certain period of time and you are forced to buy new ones.

I'd stick with 2.7 for the awhile as it seems to be stable

Craig

On Thu, Dec 10, 2020 at 10:27 AM Ethan Grinnell <grinn...@pdx.edu> wrote:
I asked one of our Cisco reps if he had any idea when we should consider 
upgrading to 3.0. He'd been told that 2.7 is supposed to be a long lived 
release. I think we'll be safe there for a while. He also said that they like 
to only have 3 release trains in development.

I haven't tried 3.0 yet, but 2.7 has been good so far.
Ethan Grinnell
CCIE R #39723, BS CmpE
Network Engineer
Office of Information Technology, Technology Infrastructure, Networking
Portland State University
503-725-3205

On Thu, Dec 10, 2020, 8:33 AM Christina Klam <ck...@ias.edu> wrote:
All,
We are running the 2.6.0.156 version of ISE. We are scheduled to upgrade it over 
the Winter Break.

I see that 3.0 is out.  The demos of it look great.  But it is not Safe Harbor 
yet.  2.7 is still the preferred version on cisco.com.
We do not want to upgrade to 2.7 only to have to do it again in a month or so.  
But we also cannot risk going bleeding edge and having eduroam stop working.

Has anyone upgraded to 3.0 and can share their experience?

Christina Klam
Network Engineer
Institute for Advanced Study
1 Einstein Dr
Princeton, NJ 08540
(m) +1 609-751-7899
(o) +1 609-734-8154
ck...@ias.edu



--
Craig Eyre
Network Analyst
IT Services Department
Mount Royal University
4825 Mount Royal Gate SW
Calgary AB T2P 3T5

P. 403.440.5199
E. ce...@mtroyal.ca

"The difference between a successful person and others is not a lack of 
strength, not a lack of knowledge, but rather in a lack of will." Vincent T. 
Lombardi"


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.



Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] NAC/authentication implementations

2020-04-13 Thread Heavrin, Lynn
We will have MAB access for devices that don’t support 802.1x.  We will also be 
heavily relying on captive portaling to direct the user where they need to go 
to get a cert via secureW2 and what not.  MAB devices will not receive the full 
access to our highest tier of protected data unless they are specifically 
allowed by infosec and manually placed into a special group on ISE.  Phones and 
other special devices are allowed to get where they need and are permitted as 
long as they profile correctly in ISE.

802.1x devices may receive full access after they onboard with SecureW2 and 
receive their certificate.  Links to the executable are provided via captive 
portal and we will also set up a “how do I connect?” page.  It’s my 
understanding wired needs admin access so this may be tough…but if you’re BYOD 
I guess it’s ok to be a little difficult as long as the process isn’t 
implemented poorly.

SecureW2 is a cloud based portal that BYOD users just run on their own, so you 
have to make sure all your captive portals allow it in the walled garden.  It 
supports SAML auth so users just login and are presented with their university 
credentialing system.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Smith, Nayef" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, April 13, 2020 at 2:02 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] NAC/authentication 
implementations

Hi Lynn,

Curious about your high level service design for NAC with eap-tls coming soon.  
We are in our infancy with NAC and are taking baby steps in our approach 
towards no authentication, no access.  Are you going to a more restrictive 
service model with eap-tls?  Are you thinking about a  "no cert = no access" w/ 
self service onboarding for byod?

Nayef Z. Smith | Emory LITS Network Services | Suite 1700 | 1762 Clifton Road | 
Atlanta GA 30322 | Voice: 404-727-6019

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Heavrin, Lynn 

Sent: Monday, April 13, 2020 10:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [External] Re: [WIRELESS-LAN] NAC/authentication implementations


We aren’t doing eap-tls other than our lab testing right now but talking to 
multiple other universities, we decided to go with SecureW2 to do the 
certificate creation and BYOD onboarding.  It works great so far in our testing 
and we plan to use it on our wired NAC.  There’s the option to use the cert for 
VPN as well.  SecureW2 has hooks into JAMF, Windows management, and Airwatch 
systems to onboard university managed devices, and it also has the BYOD 
dissolvable agent.



Thanks,



Lynn Heavrin

Network Engineer II | Network Engineering

Washington University in St. Louis

4480 Clayton Ave, St. Louis, MO 63110

Mail stop 8218-45-1200
•: 314.935.3877 |  •:lheav...@wustl.edu







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Brady J. Ballstadt" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, April 13, 2020 at 9:24 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] NAC/authentication implementations



Hello everyone,



Have a few questions as we do some research to add on to our NAC implementation 
and trying to avoid issues or at least minimize them.



  1.  If you have a NAC solution do you do port based auth?
  2.  If you have a NAC solution do you do eap-tls? If so how are you handling 
the certification “push” to devices?
  3.  What were the major pain points during implementation?
  4.  What were the major use cases you were resolving/resolved?
  5.  Anything you would do differently if you do it again?



Any extra information would be great as well.



Thank you,



Brady Ballstadt

University of Arkansas


Re: [WIRELESS-LAN] NAC/authentication implementations

2020-04-13 Thread Heavrin, Lynn
We aren’t doing eap-tls other than our lab testing right now but talking to 
multiple other universities, we decided to go with SecureW2 to do the 
certificate creation and BYOD onboarding.  It works great so far in our testing 
and we plan to use it on our wired NAC.  There’s the option to use the cert for 
VPN as well.  SecureW2 has hooks into JAMF, Windows management, and Airwatch 
systems to onboard university managed devices, and it also has the BYOD 
dissolvable agent.

Thanks,

Lynn Heavrin
Network Engineer II | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-1200
•: 314.935.3877 |  •:lheav...@wustl.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "Brady J. Ballstadt" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, April 13, 2020 at 9:24 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] NAC/authentication implementations

Hello everyone,

Have a few questions as we do some research to add on to our NAC implementation 
and trying to avoid issues or at least minimize them.


  1.  If you have a NAC solution do you do port based auth?
  2.  If you have a NAC solution do you do eap-tls? If so how are you handling 
the certification “push” to devices?
  3.  What were the major pain points during implementation?
  4.  What were the major use cases you were resolving/resolved?
  5.  Anything you would do differently if you do it again?

Any extra information would be great as well.

Thank you,

Brady Ballstadt
University of Arkansas



[WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-06 Thread Heavrin, Lynn
We’re planning to migrate our PEAP MSCHAPv2 wifi to EAP-TLS.  At the 
recommendation of a couple big universities we talked with, we are looking at 
using SecureW2.  We have demoed it and it works great provisioning the clients 
and enrolling user certificates to their cloud PKI.  After bringing it up with 
our AD team, some questions were asked about possibly just using our ADCS.  We 
know we can use the ADCS with or without SecureW2 and will likely leverage 
SecureW2 anyway to point to it for nice features like OS detection and 
provisioning and a good dissolvable agent.  We use Cisco ISE for our RADIUS 
server and I much prefer SecureW2’s agent over ISE.

I was asked a couple questions and I may or may not already know the answer, 
but it’d be great if someone with a little more PKI background could clarify:

Private PKI questions:

  1.  Does every Managed and BYOD device have to trust the full chain of the 
certificate?
  2.  How do you install the trusted root and intermediate on a BYOD device?
  3.  For a private PKI with a self-signed cert do we need an HSM?  If we use 
incommon root, would we need the HSM?

SecureW2 Questions:

  1.  Does the SecureW2 JoinNow MultiOS dissolvable agent install the root and 
intermediate on a BYOD device during enrollment?  If so then it shouldn’t 
matter if we use a self-signed root or incommon public root right?
  2.  We are also an incommon partner and can get root signed certs from them.  
If we used incommon root but pointed securew2 to our ADCS, would that be an 
unnecessary step rather than just pointing SecureW2 straight to incommon like 
we’re doing in our demo?
  3.  Would you recommend we use an incommon public signed cert even if we’re 
able to have every BYOD client install our self-signed cert?  We have unlimited 
incommon certs.  We may already have been issuing user certs to all our managed 
devices, just not doing anything with them.  One thing I thought was that any 
BYOD could be incommon, and all managed would be self-signed and I could just 
set ISE to trust both.

Thanks,

Lynn Heavrin
Network Engineer II | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-1200
•: 314.935.3877 |  •:lheav...@wustl.edu




Re: [WIRELESS-LAN] WLC & ISE combo issues

2019-10-10 Thread Heavrin, Lynn
I’m sure you’re aware but you should skip 2.3 (super buggy) and go to 2.4, but 
the policy set UI has totally changed and in my opinion, is much, much harder 
to navigate than 2.2.  That’s the only reason I’m holding off from upgrading 
2.2 to 2.4.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Mathieu Sturm 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, October 10, 2019 at 3:14 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

Thinking on going to latest ISE version (to get rid of that stupid flash) 
when we have a new maintenance window.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On behalf of Heavrin, Lynn
Sent: Wednesday, 9 October 2019 22:23
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

We have the same 5441 messages and we are on 8.5.135.0 and ISE 2.2 patch 12.   
I don’t have any evidence it’s service impacting but it is annoying.   You need 
to upgrade from patch 5 to address some serious bugs and vulnerabilities.  Patch 
15 is out.

We also get the 5441 messages on our VPN auth on ISE so it’s not isolated to 
wifi.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Kitri Waterman 
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
Date: Wednesday, October 9, 2019 at 10:17 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

8.3.x? Or 8.5.x?

8.5 will support AP2600’s. We’re currently at 8.5.140.0 (we still have AP3500’s 
to support…) and it’s been fairly stable for AireOS.

8.3 also has some escalation fixes: 
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc13



Kitri
Network Architect/Engineer
Enterprise Infrastructure Services
Western Washington University



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Mathieu Sturm 
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
Date: Tuesday, October 8, 2019 at 11:11 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

The WLC is on version 8.3.140.0 (we still have 2600 series AP’s that we need to 
replace so we are pretty limited) and ISE is 2.2 (patch 5).

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On behalf of Letts, Richard J
Sent: Tuesday, 8 October 2019 22:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

What version of core on the WLC / what model of AP?

We had an issue at the start of the year with a version of code on cisco 3500 
series AP where clients would successfully authenticate with the AP, but the 
association would never get passed from the AP through to the controller and 
thence on to the ISE. Clients would get a ‘bad password’ (or similar type of 
error) displayed on their computer which would confuse them, and there would be 
nothing recorded in the WLC or ISE logs.

Authentication and Association isn’t the way around people normally think of 
this.
https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11_Association_process_explained

anyway, I think you’re going to need to include version numbers of the ISE and 
WLC code for more help.

Thank you

Richard Letts

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mathieu Sturm
Sent: Tuesday, October 8, 2019 2:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Re: [WIRELESS-LAN] WLC & ISE combo issues

2019-10-09 Thread Heavrin, Lynn
We have the same 5441 messages and we are on 8.5.135.0 and ISE 2.2 patch 12.   
I don’t have any evidence it’s service impacting but it is annoying.   You need 
to upgrade from patch 5 to address some serious bugs and vulnerabilities.  Patch 
15 is out.

We also get the 5441 messages on our VPN auth on ISE so it’s not isolated to 
wifi.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Kitri Waterman 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Wednesday, October 9, 2019 at 10:17 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

8.3.x? Or 8.5.x?

8.5 will support AP2600’s. We’re currently at 8.5.140.0 (we still have AP3500’s 
to support…) and it’s been fairly stable for AireOS.

8.3 also has some escalation fixes: 
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc13



Kitri
Network Architect/Engineer
Enterprise Infrastructure Services
Western Washington University



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Mathieu Sturm 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, October 8, 2019 at 11:11 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

The WLC is on version 8.3.140.0 (we still have 2600 series AP’s that we need to 
replace so we are pretty limited) and ISE is 2.2 (patch 5).

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On behalf of Letts, Richard J
Sent: Tuesday, 8 October 2019 22:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

What version of core on the WLC / what model of AP?

We had an issue at the start of the year with a version of code on cisco 3500 
series AP where clients would successfully authenticate with the AP, but the 
association would never get passed from the AP through to the controller and 
thence on to the ISE. Clients would get a ‘bad password’ (or similar type of 
error) displayed on their computer which would confuse them, and there would be 
nothing recorded in the WLC or ISE logs.

Authentication and Association isn’t the way around people normally think of 
this.
https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11_Association_process_explained

anyway, I think you’re going to need to include version numbers of the ISE and 
WLC code for more help.

Thank you

Richard Letts

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Mathieu Sturm
Sent: Tuesday, October 8, 2019 2:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC & ISE combo issues

Hello, since the start of the new academic year we’ve been having some troubles 
with our Cisco setup. We have 3 Cisco WLC 5520’s (one of these is standby), 
around 850 AP’s and 5 Cisco ISE’s (1 admin node, 1 monitor node and 3 
radius-only nodes).

We have this setup since 2018. There were some problems sometimes but nothing 
major. Now recently it’s taking a long time for people to get connected. We 
have around 20k students and 3K staff with peaks to nearly 9K associations.

The problem is that it is difficult to get connected sometimes. I see the user 
trying to connect in the WLC’s but don’t see them trying in the ISE’s (it looks 
like the attempt gets lost somewhere).
I can see the following worrying log message in the wlc:

RADIUS auth-server X.X.X.X unavailable

Or

These logs in the ISE

5441 Endpoint started new session while the packet of previous session is being 
processed. Dropping new session.
12930 Supplicant stopped responding to ISE after sending it the first PEAP 
message


It looks like there is some sort of bottleneck between WLC and ISE.

Further information: the identity store is a bunch of Windows Domain 
Controllers (6 in total).

Any ideas?

Mathieu Sturm
Senior Staff Member, Network Management


Directorate of Finance, Infrastructure and IT
Network Management Department
Campus Schoonmeerssen - Building B, Room B0.75
Valentin Vaerwyckweg 1 - 9000 Gent
+32 9 243 35 23
www.hogent.be


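Added example, not from any list participant: a small triage script over the WLC and ISE messages quoted in this thread (the "RADIUS auth-server ... unavailable" syslog and ISE failure reasons 5441 and 12930), which counts hits per node and flags bursts, since a burst of 5441 drops on one policy node or repeated "unavailable" from the WLC points at the WLC-to-ISE path rather than at individual clients. The sample log lines, the syslog layout and the hostnames are constructed assumptions, not real ISE or WLC output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Message texts quoted in the thread, keyed by ISE failure-reason code or, for
# the WLC syslog (which carries no ISE code), by a made-up label. Each value is
# the set of substrings a line must contain to match.
SIGNATURES = {
    "5441": ("Endpoint started new session while the packet of previous session",),
    "12930": ("Supplicant stopped responding to ISE", "first PEAP message"),
    "WLC-RADIUS-UNAVAILABLE": ("RADIUS auth-server", "unavailable"),
}

# Assumed syslog layout: "<YYYY-MM-DD HH:MM:SS> <host> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines (hostnames and the RADIUS server address are placeholders).
SAMPLE = """\
2019-10-08 08:00:01 wlc-01 RADIUS auth-server 10.0.0.11 unavailable
2019-10-08 08:00:05 ise-psn-1 5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.
2019-10-08 08:00:07 ise-psn-1 5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.
2019-10-08 08:00:20 ise-psn-1 12930 Supplicant stopped responding to ISE after sending it the first PEAP message
2019-10-08 08:00:40 ise-psn-1 5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.
2019-10-08 08:05:00 ise-psn-2 5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.
2019-10-08 08:05:10 wlc-01 RADIUS auth-server 10.0.0.11 unavailable
""".splitlines()


def classify(msg):
    """Return the signature key whose substrings all occur in msg, else None."""
    for key, needles in SIGNATURES.items():
        if all(n in msg for n in needles):
            return key
    return None


def triage(lines, window=timedelta(minutes=1), burst=3):
    """Count hits per (host, signature) and flag any pair that logs `burst`
    or more hits inside `window`. Returns (counts, alerts)."""
    counts = Counter()
    recent = defaultdict(list)   # (host, key) -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = classify(m["msg"])
        if key is None:
            continue
        pair = (m["host"], key)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        counts[pair] += 1
        q = recent[pair]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= burst and pair not in alerts:
            alerts.append(pair)
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = triage(SAMPLE)
    for pair, n in sorted(counts.items()):
        print(f"{pair[0]:10} {pair[1]:24} {n}")
    print("bursts:", alerts)
```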