While doing my studies and fooling around with the 3850 in my lab I stumbled upon a strange thing in regards to CWA with the Cisco Converged Access platform.

On the AirOS WLCs there is an option to set the format of the Called-Station-Id so that you can match with ISE on the SSID Name. This is more or less a standard procedure for BYOD and Guest Portals but after downgrading to 3.6.03 my ISE policies didn’t match anymore.

The reason was that the switch sent his MGMT interface IP as called-station-id instead of the ap-mac:SSID. While trying to straighten this behavior with “dot1x radius mac-authentication call-station-id ap-macaddress-ssid” I just got the error message “Constraint failed for property: apfRadiusAuthCallStationIdType”. It sounded like a coding issue and it is indeed: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw12199

Upgrading to a more recent code (3.7.x) will fix this issue. And if you’re searching how to modify the content of the called-station-id you can now issue the dot1x radius mac-authentication command.


Go top