Cisco ISE Counter for Authenticated Guests does not count up

Marco Serato
Level 1

Hello community
We have built a Cisco ISE guest portal (sponsored portal) with login. In addition a Cisco WLC, which redirects the guests to the Cisco ISE portal. The authentication of the guests works without any problems. Unfortunately, the Authenticated Guest Counter remains at 0 and simply does not count up.
Does anyone have any idea what might be missing or not configured?

Many thanks


Arne Bier
VIP

Is your WLC sending RADIUS Accounting requests to your ISE PSNs? Have you validated that with a tcpdump? ISE can increase the counter when a user logs into the portal because that's 100% confirmation of a web authentication. But there are two other considerations, which only RADIUS Accounting can solve:

1) Guests returning on MAC Auth (RememberMe use-case) - no portal involved - the WLC sends Accounting Start

2) Guests disconnect from the WLC - the WLC sends Accounting Stop

In addition, RADIUS Interim Updates are also a great idea to keep reminding ISE that the session is still alive - with IOS-XE, a value of 2880 minutes (48 hours) is a decent one. However, I don't think most wireless clients will be active that long on the same WAP. It's more likely that the user roams, or re-connects - and then RADIUS Start/Stop does the job.

What version of ISE and what WLC are you using?

RADIUS Accounting is configured on the WLC.

In a capture I can only see the RADIUS packets for authentication, but no RADIUS accounting packets.

#sh run aaa group server radius
!
aaa group server radius ISE
server name ISE1
server name ISE2
!


#sh wireless profile policy detailed POLICY_PROFILE
!
Policy Profile Name : POLICY_PROFILE
Description : Default Policy Profile
Status : ENABLED
...
Accounting list
Accounting List : ACCT_LIST
...
Interim Accounting Updates : ENABLED
...


aaa accounting identity ACCT_LIST start-stop group ISE

WLC version 17.15.02
ISE version 3.3

Accounting is generally configured on the WLC 9800.
RADIUS challenge packets can be seen in the capture from the ISE. But unfortunately no RADIUS accounting packets.
Here is the WLC config for accounting.

If you don't see RADIUS Accounting requests arriving at the ISE node, then you have a problem. Potentially getting blocked by a firewall? You need to allow destination UDP/1813 on your ISE PSN nodes.

You can also check the status of RADIUS packets on the C9800

show aaa servers

RADIUS Accounting requests should be acknowledged by the (ISE) server - if you see many requests, but 0 ACK, then that confirms Accounting is not working. Get that sorted - without Accounting, most RADIUS solutions are running blind.

While you're at it, if this turns out to be a firewall issue, ensure that you also allow CoA from ISE -> WLC destination UDP/1700 - the CoA is what ISE sends to the WLC to make Guest logins work.

Is your Guest Wi-Fi solution a Foreign/Anchor arrangement? In that case, the Anchor WLC talks RADIUS to ISE.

The guest portal is structured in such a way that the guest traffic is tunneled to the WLC with CAPWAP and then decoupled in a separate VLAN. In this VLAN is the ISE with an interface for the guest portal. Our service provider is also placed in this VLAN with his IP address as the default gateway and thus provides the Internet.

There is no firewall between the WLC and the ISE, as they are in the same network area in terms of MGMT. The RADIUS packets are exchanged to the ISE MGMT interface.

In TCPDUMP there is absolutely no sign of port 1813 UDP. The accounting is done exclusively via this port, which in turn the ISE uses as a trigger for the active guest counter?
Only packets for 1812 UDP authentication can be seen. It can also be seen here that CoA communication is taking place for a successful authentication of a guest user in the ISE portal. A CoA request is sent from the ISE to the WLC, and the WLC sends a CoA-ACK back to the ISE.

 

The RADIUS servers look good. Accounting packets are also incremented. However, this does not necessarily mean that these have also arrived at the ISE?

#sh aaa servers

RADIUS: id 1, priority 1, host 192.x.x.x, auth-port 1812, acct-port 1813, hostname ISE1
     State: current UP, duration 2070597s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 1870597s, previous duration 0s
     SMD Platform Dead: total time 0s, count 0
...
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
...

RADIUS: id 2, priority 2, host 192.x.x.x, auth-port 1812, acct-port 1813, hostname ISE2
     State: current UP, duration 2070597s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 1870597s, previous duration 0s
     SMD Platform Dead: total time 0s, count 0
...
     Account: request 12259, timeouts 18, failover 0, retransmission 18
             Request: start 3986, interim 4267, stop 3988
             Response: start 3986, interim 4267, stop 3988
             Response: unexpected 0, server error 0, incorrect 0, time 4ms
             Transaction: success 12241, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
...
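The "show aaa servers" output above already tells the story: ISE1 has never received a single accounting request, while ISE2 shows Request and Response counters that match apart from 18 timeouts. Below is an added example (not from the thread or from Cisco) that parses that counter block and reports, per server, whether the WLC is sending accounting at all and whether ISE is acknowledging it; the sample text is constructed from the posted output with documentation IP addresses in place of the redacted ones.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "show aaa servers" output in this thread;
# IPs are documentation addresses, not the poster's real values.
SAMPLE_SHOW_AAA_SERVERS = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813, hostname ISE1
     State: current UP, duration 2070597s, previous duration 0s
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
RADIUS: id 2, priority 2, host 192.0.2.11, auth-port 1812, acct-port 1813, hostname ISE2
     State: current UP, duration 2070597s, previous duration 0s
     Account: request 12259, timeouts 18, failover 0, retransmission 18
             Request: start 3986, interim 4267, stop 3988
             Response: start 3986, interim 4267, stop 3988
             Response: unexpected 0, server error 0, incorrect 0, time 4ms
"""

HEADER_RE = re.compile(r"^RADIUS: id (\d+),.*?hostname (\S+)", re.M)
COUNTS_RE = re.compile(
    r"Account: request (\d+), timeouts (\d+).*?"
    r"Request: start (\d+), interim (\d+), stop (\d+).*?"
    r"Response: start (\d+), interim (\d+), stop (\d+)", re.S)


def parse_aaa_servers(text: str) -> List[dict]:
    """Return one dict of accounting counters per RADIUS server block."""
    servers = []
    heads = list(HEADER_RE.finditer(text))
    for i, h in enumerate(heads):
        # Limit the counter search to this server's block only.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        m = COUNTS_RE.search(text, h.end(), end)
        if not m:
            continue
        n = [int(x) for x in m.groups()]
        servers.append({"hostname": h.group(2), "request": n[0], "timeouts": n[1],
                        "req_start": n[2], "req_interim": n[3], "req_stop": n[4],
                        "rsp_start": n[5], "rsp_interim": n[6], "rsp_stop": n[7]})
    return servers


def assess_accounting(servers: List[dict]) -> Dict[str, str]:
    """Verdict per server: is accounting being sent, and is ISE acknowledging it?"""
    verdicts = {}
    for s in servers:
        acks = s["rsp_start"] + s["rsp_interim"] + s["rsp_stop"]
        if s["request"] == 0:
            verdict = "no accounting sent"   # WLC never sent Start/Interim/Stop here
        elif acks == 0:
            verdict = "unacknowledged"       # sent but never ACKed: check the UDP/1813 path
        elif s["timeouts"] > 0:
            verdict = "ok with timeouts"     # mostly ACKed, some requests retransmitted
        else:
            verdict = "ok"
        verdicts[s["hostname"]] = verdict
    return verdicts
```

Run it against the real output (for example by reading it from a file) to see at a glance which PSN the accounting actually goes to; a server stuck at "no accounting sent" while another is "ok" points at server selection or the accounting method list rather than at ISE.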

 

Can you check

Guest Access -> Guest Manage

Do you see the guest user?

MHM

In the ISE I can only find Manage Accounts under Guest Access. All issued user accounts are displayed here, but not whether they are currently active or inactive.

Hi

Can I see screenshots of

Home > Guest

Thanks

MHM

 

[screenshot: guest ise.jpeg]

Are all these empty, or only Status?

MHM

Only in Guest Status is nothing available. The other widgets are filled with data.

If it is only Guest Status, then check

Operation > RADIUS > Live Sessions

Or run a report for the NAS with the issue:

Operation > Reports > RADIUS Accounting

It could be that the NAS is not sending accounting correctly.

MHM

Here is some information from the reports and the live log.

Operation -> RADIUS -> Live Logs (Auth Failed & Session for WLC): One entry in the last 24 hours says "Dynamic Authorization failed"
Report -> Guest -> Guest Account: Last Entry three weeks ago
Report -> Guest -> My Devices Login and Audit: Register + CoA Reauth from today are displayed
Reports -> Endpoints and Users -> RADIUS Accounting: Last Entry three weeks ago
Reports -> Endpoints and Users -> Current Active Sessions: Current entries from today
Reports -> Diagnostic -> RADIUS Error: No errors for WLC

Operation -> RADIUS -> Live Logs (Auth Failed & Session for WLC): One entry in the last 24 hours says "Dynamic Authorization failed" <<- are you sure guest works fine?

For the live log you must see something like the below:

start-stop-interimUpdate

[screenshot: RAD accounting.png]