WLC POSTURE_REQ State Odd Behavior

paul
Level 10

I am deploying ISE with posture in monitor mode on wired/wireless/VPN.  When doing posture in monitor mode I usually just deploy a posture ACL to the  network elements that only redirects port 80 traffic to the default gateway while allowing everything else.  This allows clients with the posture module installed to report posture while allowing all others to work normally.

The one side effect of this on the WLCs is that you will have a large number of clients staying in the POSTURE_REQ state but working just fine on the network.  The client I am at is running 8.0.133 and we see some odd behavior with clients that are in the POSTURE_REQ state permanently:

1) A client in the POSTURE_REQ state can't manage the WLC from its GUI.  Yes, we have management via wireless enabled.  If we install the posture module and go to the RUN state we can manage the WLC just fine.

2) We are seeing clients getting disconnected every 10 minutes then reconnecting.  It is like the controller is only allowing a client to stay in the POSTURE_REQ state for 10 minutes before it disconnects them.  We are still investigating this angle, but if we install the posture module and go to a RUN state we aren't seeing disconnections.

Has anyone seen this before?  I use this same methodology on wired and VPN without an issue.

5 Replies

howon
Cisco Employee
(Accepted Solution)

You may want to ping the wireless team regarding #1, but it makes sense as the endpoint is not fully authenticated from the WLC perspective. In regards to #2, the 10 minute timer is a hardcoded timer that is applied to any web-auth-like state. Not sure how large the deployment is, but since the WLC has a limitation on the # of sessions that it can have in that state, which is 2000, I would recommend getting the agent installed ASAP to limit the # of users in that state.

Ahh, very interesting on #2. I didn't know that limitation exists. That is too bad, because the monitor mode state works on wired and VPN. I have used this on other deployments and don't remember seeing this behavior. Does this 10 minute timer exist in all versions of WLC code? I think my other installs were using 8.2/8.3 code.

Do you know of any limitations on wired or VPN like this? i.e. on the wired switches I have a large number of users that have the posture redirect ACL applied, but it is a very small ACL:

permit tcp any 10.0.0.1 0.255.255.0 eq 80
deny ip any any

This redirects port 80 only to the wired default gateways, where the client's internal network is 10.x.x.x and their gateways are always .1. I haven't seen any side effects of clients sitting in this state on the wired side.

I use the same concept on VPN.

The beauty of this monitor ACL concept is I can test rolling out the posture module via ISE simply by telling the pilot group for posture to surf to their default gateway IP which will get redirected to the provisioning portal and install the posture module or I can have them install via SCCM and test that process out.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
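The redirect ACL above is doing real security work: every flow a "permit" line matches is intercepted and sent to the provisioning portal, and everything else is left alone. The following is an added example (not code from the original post or from Cisco) that models IOS first-match ACL evaluation with wildcard masks over a handful of constructed flows. It goes slightly beyond the post by evaluating two masks side by side: 0.255.255.0, which pins the last octet to .1 so only the 10.x.x.1 gateways are intercepted, and 0.255.255.255, which silently matches every 10.x.x.x host and would redirect HTTP to every internal web server. It only models ACEs whose source is "any", which is all this use case needs.

```python
import ipaddress
from typing import NamedTuple, Optional


class Ace(NamedTuple):
    """One entry of an IOS extended ACL used as a posture redirect ACL."""
    action: str           # "permit" = redirect this flow, "deny" = let it pass untouched
    proto: str            # "tcp", "udp" or "ip"
    dst: int              # destination address as a 32-bit integer
    wildcard: int         # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    dport: Optional[int]  # destination port for "eq <port>", None for any port


def parse_ace(line: str) -> Ace:
    """Parse the two ACE shapes used in the thread (source is always 'any')."""
    tok = line.split()
    action, proto, src = tok[0], tok[1], tok[2]
    if src != "any":
        raise ValueError("this example only models ACEs with source 'any'")
    if tok[3] == "any":
        return Ace(action, proto, 0, 0xFFFFFFFF, None)
    dst = int(ipaddress.IPv4Address(tok[3]))
    wildcard = int(ipaddress.IPv4Address(tok[4]))
    dport = int(tok[6]) if len(tok) >= 7 and tok[5] == "eq" else None
    return Ace(action, proto, dst, wildcard, dport)


def load_acl(text: str) -> list:
    """Parse an ACL body, skipping blank lines and IOS '!' comment lines."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def ace_matches(ace: Ace, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Does one ACE match a flow? Wildcard bits set to 1 are ignored in the compare."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    care = ~ace.wildcard & 0xFFFFFFFF          # bits the ACE actually checks
    if (int(ipaddress.IPv4Address(dst_ip)) & care) != (ace.dst & care):
        return False
    return ace.dport is None or ace.dport == dst_port


def redirected(acl, proto: str, dst_ip: str, dst_port: int) -> bool:
    """First match wins; a 'permit' hit is a flow the switch intercepts and redirects."""
    for ace in acl:
        if ace_matches(ace, proto, dst_ip, dst_port):
            return ace.action == "permit"
    return False   # implicit deny at the end of every IOS ACL: flow is not redirected


# The ACL from the thread (gateway-only mask) and the over-broad variant, for comparison.
MONITOR_ACL = """\
permit tcp any 10.0.0.1 0.255.255.0 eq 80
deny ip any any
"""
OVERBROAD_ACL = """\
permit tcp any 10.0.0.1 0.255.255.255 eq 80
deny ip any any
"""

# Constructed sample flows: (protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("tcp", "10.1.5.1", 80),       # HTTP to the subnet gateway: the one flow we want redirected
    ("tcp", "10.1.5.1", 443),      # HTTPS to the gateway: passes
    ("tcp", "10.1.5.50", 80),      # HTTP to an internal web server: must pass in monitor mode
    ("tcp", "93.184.216.34", 80),  # HTTP to the Internet: passes
    ("udp", "10.1.5.1", 53),       # DNS to the gateway: passes
]


def classify(acl_text: str, flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to True (redirected to the portal) or False (allowed through)."""
    acl = load_acl(acl_text)
    return {flow: redirected(acl, *flow) for flow in flows}


if __name__ == "__main__":
    for mask, text in (("0.255.255.0", MONITOR_ACL), ("0.255.255.255", OVERBROAD_ACL)):
        print(f"wildcard {mask}:")
        for flow, hit in classify(text).items():
            print(f"  {str(flow):32} {'REDIRECT' if hit else 'pass'}")
```

Run it and the difference between the two masks is visible on the third flow: with 0.255.255.0 only HTTP to 10.1.5.1 is intercepted, while 0.255.255.255 also intercepts HTTP to 10.1.5.50. Before pushing a monitor-mode ACL to production, feed it the internal destinations your users actually browse to and confirm that nothing but the gateway address comes back as REDIRECT.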

howon
Cisco Employee

Yes, the timer exists, but I am not sure if it is 10 minutes. With WLC 8.0+ we've added a command to control the web-auth timer, which can be configured with the following command:

config wlan security web-auth timeout (300-14400 seconds)

Unfortunately above command only affects LWA and not the CWA redirected flow including posture.

I have not checked the ASA, but the wired switch also has a limit on the number of redirects. You can configure it via the following command:

ip http max-connections

The maximum and default number depend on the platform and IOS version. Typically not an issue, however, on multi-stacked switches or a high density switch it could be a limiting number.

Yes, the posture monitor mode using default gateway is good as interim stage as you are getting the posture module deployed. But, I would recommend monitoring the number of clients to ensure it does not exceed the limit. This applies to both Wireless and Wired.

Hosuk
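Hosuk's advice above is to keep an eye on how many wireless clients are parked in the posture-pending state so the population never approaches the 2000-session ceiling he quotes. The following is an added example (not code from the original thread or from Cisco) that reads the per-client records of a controller "show client detail" dump, counts clients per Policy Manager State, and flags when the posture-pending count crosses a warning fraction of the limit. The field labels ("Client MAC Address", "Policy Manager State"), the POSTURE_REQD spelling, and the sample records are assumptions about AireOS output, constructed here for the example; adjust the regexes to what your controller actually prints.

```python
import re
import sys
from collections import Counter

# Limit quoted in this thread for WLC sessions in a web-auth-like state
# (the posture redirect state is one of them). Alert well before reaching it.
WEBAUTH_STATE_LIMIT = 2000
WARN_FRACTION = 0.8

# Assumed AireOS "show client detail" field labels (dot-padded); adjust to your output.
MAC_RE = re.compile(r"^Client MAC Address\.*\s*(\S+)")
STATE_RE = re.compile(r"^Policy Manager State\.*\s*(\S+)")


def client_states(show_output: str) -> dict:
    """Return {client_mac: policy_manager_state} from concatenated per-client records.

    A record starts at its 'Client MAC Address' line; the state line that follows
    belongs to that client. Clients with no state line are reported as UNKNOWN.
    """
    states, mac = {}, None
    for line in show_output.splitlines():
        m = MAC_RE.match(line)
        if m:
            mac = m.group(1).lower()
            states[mac] = "UNKNOWN"
            continue
        m = STATE_RE.match(line)
        if m and mac is not None:
            states[mac] = m.group(1).upper()
    return states


def is_posture_pending(state: str) -> bool:
    # The thread writes POSTURE_REQ and controllers print POSTURE_REQD; accept either.
    return state.startswith("POSTURE_REQ")


def summarize(show_output: str, limit: int = WEBAUTH_STATE_LIMIT) -> dict:
    """Count clients per state and flag how close the posture-pending set is to the limit."""
    states = client_states(show_output)
    by_state = Counter(states.values())
    pending_macs = sorted(m for m, s in states.items() if is_posture_pending(s))
    pending = len(pending_macs)
    return {
        "by_state": dict(by_state),
        "posture_pending": pending,
        "posture_pending_macs": pending_macs,   # the list to hand to whoever pushes the agent
        "warn": pending >= int(limit * WARN_FRACTION),
        "exceeded": pending >= limit,
    }


# Constructed sample: three clients, two stuck in POSTURE_REQD, one that reached RUN.
SAMPLE_SHOW_CLIENT_DETAIL = """\
Client MAC Address............................... 00:11:22:33:44:01
Client State..................................... Associated
Policy Manager State............................. POSTURE_REQD
Client MAC Address............................... 00:11:22:33:44:02
Client State..................................... Associated
Policy Manager State............................. RUN
Client MAC Address............................... 00:11:22:33:44:03
Client State..................................... Associated
Policy Manager State............................. POSTURE_REQD
"""


if __name__ == "__main__":
    # Usage: python wlc_posture_count.py [saved_show_client_detail.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOW_CLIENT_DETAIL
    report = summarize(text)
    print(report["by_state"])
    print(f"{report['posture_pending']} client(s) pending posture, limit {WEBAUTH_STATE_LIMIT}")
    if report["exceeded"]:
        print("LIMIT REACHED: posture-pending clients are at the quoted web-auth state ceiling")
    elif report["warn"]:
        print("WARNING: approaching the web-auth state limit")
    for mac in report["posture_pending_macs"]:
        print("  pending:", mac)
```

Saving the controller output to a file on a schedule and running this against it gives a trend of the posture-pending population over the rollout; the MAC list is also the natural input for targeting the agent push (via the portal redirect or SCCM, as the thread describes) at exactly the clients still stuck in the redirect state.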

Hosuk,

On this command:

ip http max-connections

Doesn’t that limit the number of active http connections the switch can have vs. the number of sessions that can be in the posture redirect state? If I have 100 sessions sitting in the posture monitor redirect, but none of them have the posture module installed there is no fake port 80 traffic generated and no connections to the http server on the switch. Is that logic correct?

Thanks for your quick responses.

Paul Haferman

howon
Cisco Employee

Yes, you are correct. Unless there is something that is trying to get to port 80 of the default gateway it should not be consumed. So in your case no issues on the wired endpoints in monitor mode. You can disregard my concern on the wired side for monitor mode clients for posture.
