I’m sure you’re aware but you should skip 2.3 (super buggy) and go to 2.4, but 
the policy set UI has totally changed and in my opinion, is much, much harder 
to navigate than 2.2.  That’s the only reason I’m holding off from upgrading 
2.2 to 2.4.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mathieu Sturm 
<mathieu.st...@hogent.be>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, October 10, 2019 at 3:14 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

Thinking on going to latest ISE version (to get rid of that stupid flash 😊) 
when we have a new maintenance window.

Van: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Namens Heavrin, Lynn
Verzonden: woensdag 9 oktober 2019 22:23
Aan: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Onderwerp: Re: [WIRELESS-LAN] WLC & ISE combo issues

We have the same 5441 messages and we are on 8.5.135.0 and ISE 2.2 patch 12.   
I don’t have any evidence it’s service impacting but it is annoying.   You need 
to upgrade from patch 5 to address some serious bug and vulnerabilities.  Patch 
15 is out.

We also get the 5441 messages on our VPN auth on ISE so it’s not isolated to 
wifi.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Kitri Waterman <wate...@wwu.edu<mailto:wate...@wwu.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Wednesday, October 9, 2019 at 10:17 AM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

8.3.x? Or 8.5.x?

8.5 will support AP2600’s. We’re currently at 8.5.140.0 (we still have AP3500’s 
to support…) and it’s been fairly stable for AireOS.

8.3 also has some escalation fixes: 
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc13<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Fsupport%2Fdocs%2Fwireless%2Fwireless-lan-controller-software%2F200046-tac-recommended-aireos.html%23anc13&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090192545&sdata=1Wea7FcwIHYXTDfd66dK2jonTcxZBlPyzurrvBdd84k%3D&reserved=0>



Kitri
Network Architect/Engineer
Enterprise Infrastructure Services
Western Washington University



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Mathieu Sturm 
<mathieu.st...@hogent.be<mailto:mathieu.st...@hogent.be>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, October 8, 2019 at 11:11 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

The WLC is on version 8.3.140.0 (we still have 2600 series AP’s that we need to 
replace so we are pretty limited) and ISE is 2.2 (patch 5).

Van: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
Namens Letts, Richard J
Verzonden: dinsdag 8 oktober 2019 22:41
Aan: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Onderwerp: Re: [WIRELESS-LAN] WLC & ISE combo issues

What version of core on the WLC / what model of AP?

We had an issue at the start of the year with  version of code on cisco 3500 
series AP  where clients would successful authenticate  with the AP, but the 
association would never get passed from the AP through to the controller and 
thence on to the ISE. Clients would get a ‘bad password’ (or similar type of 
error) displayed on their computer which would confuse them, and there would be 
nothing recorded in the WLC or ISE logs.

Authentication and Association isn’t the way around people normally think of 
this.
https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11_Association_process_explained<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocumentation.meraki.com%2FMR%2FWiFi_Basics_and_Best_Practices%2F802.11_Association_process_explained&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090192545&sdata=OxOm2kKVpG%2FKEQw7McWOqZZP2cGg9o9yaa8ZphNwDw4%3D&reserved=0>

anyway, I think you’re going to need to include version numbers of the ISE and 
WLC code for more help.

Thank you

Richard Letts

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Mathieu Sturm
Sent: Tuesday, October 8, 2019 2:50 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] WLC & ISE combo issues

Hello, since the start of the new academic year we’ve been having some troubles 
with our Cisco setup. We have 3 Cisco WLC 5520’s (one of these is standby), 
around 850ap’s and 5 Cisco ISE’s (1 admin node, 1 monitor node and 3 
radius-only nodes).

We have this setup since 2018. There were some problems sometimes but nothing 
major. Now recently it’s taking a long time for people to get connected. We 
have around 20k students and 3K staff with peaks to nearly 9K associations.

The problem is that it is difficult to get connected sometimes. I see the user 
trying to connect in the WLC’s but don’t see them trying in the ISE’s (it looks 
like the attempt gets lost somewher).
I can see the following worrying log message in the wlc:

RADIUS auth-server X.X.X.X unavailable

Or

These logs in the ISE

5441 Endpoint started new session while the packet of previous session is being 
processed. Dropping new session.
12930 Supplicant stopped responding to ISE after sending it the first PEAP 
message


It looks like there is some sort of bottleneck between WLC and ISE.

Further information: the identity store is a bunch of Windows Domain 
Controllers (6 in total).

Any ideas?

Mathieu Sturm
Hoofdmedewerker Netwerkbeheer

[cid:image001.png@01D57F44.B0467990]

Directie Financiën, Infrastructuur en IT
Afdeling Netwerkbeheer
Campus Schoonmeerssen - Gebouw B  Lokaal B0.75
Valentin Vaerwyckweg 1 - 9000 Gent
+32 9 243 35 23
www.hogent.be<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.hogent.be%2F&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090202543&sdata=2ZMG1v7%2BiDgFPzPht0bWXVa4hUt1JNnWLlykp%2FgaQPw%3D&reserved=0>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090202543&sdata=lUZPI5OhyEtWPJfdIgRgaNZqwT3Dqz16Bn7MFGFocFE%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090212539&sdata=3BPQpanC0NCbGQK0qc6cbLaQrLTTUVlnhqXPmvMMbq0%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090212539&sdata=3BPQpanC0NCbGQK0qc6cbLaQrLTTUVlnhqXPmvMMbq0%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090222534&sdata=qOE1saE7DrplFk8wojbhVXneLrVRiP0HBZu423AoAuk%3D&reserved=0>


________________________________
The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmathieu.sturm%40HOGENT.BE%7C0e0d9fa7f9b84cb5569908d74cf68a44%7C5cf7310e091a4bc5acd726c721d4cccd%7C1%7C0%7C637062494090222534&sdata=qOE1saE7DrplFk8wojbhVXneLrVRiP0HBZu423AoAuk%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

________________________________
The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Reply via email to