topic Unfortunatly not... An in Network Access Control

Dynamic Authorization Failed: DiconnectNAK

mstraessle — Mon, 11 Mar 2019 04:28:34 GMT

I have WLC 7.6 and ISE 1.2 Patch 6.

My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.

But from time to time I get these strange message (it does not matter if I do a manual Session termination in the Operations Tab) Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).

Here the corresponding Log-Entry:

0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,

Has anybody ever had the same expirence, or is this a know issue?

Thanks for feedback!

Dynamic Authorization Failed: DiconnectNAK

blenka — Mon, 03 Mar 2014 03:15:38 GMT

Please go through the link below for best practice.

http://www.redelijkheid.com/blog/2013/4/2/cisco-ise-change-of-authorization-coa-not-working

Hi mstraessle, I have also

Pranav Gade — Mon, 23 Feb 2015 11:34:37 GMT

Hi mstraessle,

I have also facing the same issue with wlc 7.6.130 and ISE 1.2.0.899 patch 7 .Do you found any solution for the same.

Not sure if this will help

Stephen Means — Fri, 17 Jul 2015 14:05:37 GMT

Not sure if this will help you in particular, but I was consistently having this issue with ISE 1.3 and WLC running 7.6.

After a device would go through provisioning and then posture assessment ISE would clear them for access. I would get this error and looking on the WLC client detail see that the device was still in Posture_REQ state and would still have the web redirect URL. I could manually 'fix' this by having the device disconnect and reconnect to the wireless, they would then be assigned the proper authz profile and access.

After much troubleshooting and trying to tear out non-existent hair I discovered I had forgotten to check the RFC 3576 box under the radius server entry for ISE on the WLC. As soon as I did CoA started working 100%.

Unfortunatly not... An

mstraessle — Tue, 01 Sep 2015 16:15:20 GMT

Unfortunatly not... An upgrade to 1.4 patch 3 and WLC 8.1 helped finally, for whatever reason...

Did you find any other solution?

Ciao,

ipagliani — Tue, 01 Mar 2016 15:44:05 GMT

Ciao,

with ISE 2.0 patch 2 (2x 3495) and WLC 5508 8.1.131 I've the same problem. On WLC with RADIUS debug activates the CoA is working: but

Received a 'CoA-Request' from 172.17.2.243 port 65393

...

Handling a valid 'CoA-Request' regarding station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: 64:b8:53:fe:95:03 Reauthenticating station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: Sent a 'CoA-Ack' to 172.17.2.243 (port:65393)

but on ISE I received:

5417 Dynamic Authorization failed

11103 RADIUS-Client encountered error during processing flow

On clients everything works fine.

Thanks