CoA errors for disconnected WLAN clients every 4 hours

PErampas
Beginner

CoA is set globally to Reauth in ISE. CoA is working for active wireless clients in WLC.
But we see hundreds of '5417 Dynamic Authorization failed' errors every 4 hours on ISE. Investigation on the WLC has shown that these clients have been disconnected from the WLAN for hours or even days.

 

Why is ISE trying to re-authenticate these inactive clients every 4 hours?

Initially there is a CoA request with "CoAReason: Change in status" from ISE.

WLC answers "CoANAK: No valid Session" and "Error-Cause: Unsupported Service".

 

ISE version: 3.0.0.458

WLC version: 17.3.4c

Could this be a config issue on the WLC? Is something specifically needed in the WLC, so ISE is notified about clients removed from the WLAN?

4 Replies

MHM Cisco World
VIP Mentor

Because the client does not send a logoff and the WLC also does not send a logoff, ISE doesn't know whether the client is still attached or not.
Configuring the idle timeout in the WLC may solve your issue.

WLAN idle timeout is set to 5 minutes, the disconnected clients are also quickly removed from the clients view in monitoring on WLC and the WLC replies to ISE "No valid session", so I'm pretty sure the WLC knows that the clients aren't attached anymore.
I'm wondering more about the RADIUS config in the WLC. Is there something needed, like a specific accounting setting?

The only thing is to make sure that interim account updates are enabled
when you configure the AAA settings under the WLAN.

**** please remember to rate useful posts

PErampas
Beginner

Turns out, it was the MDM server.
MDM sent a massive list to ISE every 4 hours, containing MAC addresses for non-compliant endpoints.
ISE then used this list and sent CoA to every WLC, without checking if this endpoint has an active session or not.

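The exchange and the missing check described above, as an added Python example that is not part of this thread or of any Cisco product: it builds an RFC 5176 CoA-Request keyed by Calling-Station-Id, the CoA-NAK a NAS returns with an Error-Cause, and the session filter that would have kept ISE from pushing CoA for endpoints with no live session. The shared secret, MAC addresses and the Error-Cause mapping are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 31, 101  # RADIUS attribute types
# RFC 5176 Error-Cause values relevant to this failure mode (constructed subset)
ERROR_CAUSE = {405: "Unsupported Service", 503: "Session Context Not Found"}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_coa_request(mac: str, secret: bytes, ident: int = 1) -> bytes:
    """Minimal CoA-Request that identifies the session by Calling-Station-Id."""
    attrs = _attr(ATTR_CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attrs + Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_coa_nak(request: bytes, cause: int, secret: bytes) -> bytes:
    """CoA-NAK answering `request`, as the WLC does when no session matches."""
    attrs = _attr(ATTR_ERROR_CAUSE, struct.pack("!I", cause))
    header = struct.pack("!BBH", COA_NAK, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def parse_coa_response(pkt: bytes) -> tuple[int, str | None]:
    """Return (code, Error-Cause text); a CoA-ACK carries no Error-Cause."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    pos, cause = 20, None
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        if atype == ATTR_ERROR_CAUSE and alen == 6:
            cause = ERROR_CAUSE.get(struct.unpack("!I", pkt[pos + 2:pos + 6])[0], "unknown")
        pos += alen
    return code, cause


def plan_coa(mdm_noncompliant: set[str], wlc_sessions: set[str]) -> tuple[list[str], list[str]]:
    """The check the thread says was missing: CoA only endpoints with a live session."""
    return sorted(mdm_noncompliant & wlc_sessions), sorted(mdm_noncompliant - wlc_sessions)
```

Every MAC in the `skip` list would otherwise produce exactly the CoA-NAK (and the 5417 event) the thread describes, so that list is also the number you would expect to see drop after the MDM feed is filtered.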