CoA errors for disconnected WLAN clients every 4 hours

PErampas (Level 1)

CoA is set globally to Reauth in ISE. CoA is working for active wireless clients in WLC.
But we see hundreds of '5417 Dynamic Authorization failed' errors every 4 hours on ISE. Investigation on the WLC has shown that these clients have been disconnected from the WLAN for hours or even days.


Why is ISE trying to re-authenticate these inactive clients every 4 hours?

Initially there is a CoA request with "CoAReason: Change in status" from ISE.

WLC answers "CoANAK: No valid Session" and "Error-Cause: Unsupported Service".


ISE version: 3.0.0.458

WLC version: 17.3.4c

Could this be a config issue on the WLC? Is something specifically needed in the WLC, so ISE is notified about clients removed from the WLAN?

Accepted Solution

PErampas (Level 1)

Turns out, it was the MDM server.
MDM sent a massive list to ISE every 4 hours, containing MAC addresses for non-compliant endpoints.
ISE then used this list and sent CoA to every WLC, without checking if this endpoint has an active session or not.

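To make the failure mode in the accepted solution concrete, here is an added example (not Cisco's code and not from this thread) that models the CoA exchange: a policy server fanning out an MDM non-compliance list as RFC 5176 CoA-Requests, and a NAS that answers CoA-ACK only for a MAC with a live session and otherwise CoA-NAK with an Error-Cause. The function names, shared secret and MAC addresses are constructed; the modelled NAK carries RFC 5176's 503 "Session Context Not Found", whereas the WLC in this thread reported "Unsupported Service" (405).

```python
import hashlib, struct
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45    # RFC 5176 packet codes
CALLING_STATION_ID, ERROR_CAUSE = 31, 101      # attribute types used here
CAUSE_NAMES = {405: "Unsupported Service", 503: "Session Context Not Found"}

def encode_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def build_packet(code, ident, attrs, secret, request_auth=None):
    # Authenticator = MD5(header + 16 zero bytes + attrs + secret); a response
    # uses the request's authenticator in place of the zeros (RFC 5176).
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + (request_auth or bytes(16)) + body + secret).digest() + body

def verify_response(reply, request_auth, secret):
    return reply[4:20] == hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

def wlc_handle(request, active_macs, secret):
    """Models the NAS (constructed): CoA-ACK for a MAC with a live session, else CoA-NAK with Error-Cause 503."""
    mac = decode_attrs(request)[CALLING_STATION_ID].decode()
    ident, request_auth = request[1], request[4:20]
    if mac in active_macs:
        return build_packet(COA_ACK, ident, [], secret, request_auth)
    return build_packet(COA_NAK, ident, [(ERROR_CAUSE, struct.pack(">I", 503))], secret, request_auth)

def push_noncompliant(mdm_macs, session_store, active_on_wlc, secret, check_sessions=True):
    """Fan out the MDM list as CoA; with check_sessions, MACs without a server-side session are skipped."""
    results = {}
    for ident, mac in enumerate(mdm_macs):
        if check_sessions and mac not in session_store:
            results[mac] = "skipped: no active session"
            continue
        request = build_packet(COA_REQUEST, ident & 0xFF, [(CALLING_STATION_ID, mac.encode())], secret)
        reply = wlc_handle(request, active_on_wlc, secret)
        assert verify_response(reply, request[4:20], secret), "bad Response Authenticator"
        if reply[0] == COA_ACK:
            results[mac] = "CoA-ACK"
        else:
            cause = struct.unpack(">I", decode_attrs(reply)[ERROR_CAUSE])[0]
            results[mac] = "CoA-NAK: " + CAUSE_NAMES.get(cause, str(cause))
    return results
```

With check_sessions=False every MAC on the MDM list reaches the NAS and the stale ones come back as NAKs, which is the 4-hourly burst described above; with the check on, only a session the server still believes is live but the NAS has already dropped produces a NAK.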

4 Replies

Because the client does not send a logoff and the WLC also does not send a logoff, ISE doesn't know whether the client is still attached or not.
Configuring the idle timeout in the WLC may solve your issue.

WLAN idle timeout is set to 5 minutes, the disconnected clients are also quickly removed from the clients view in monitoring on the WLC, and the WLC replies to ISE "No valid session", so I'm pretty sure the WLC knows that the clients aren't attached anymore.
I'm wondering more about the RADIUS config in the WLC. Is there something needed like a specific accounting setting?

The only thing is to make sure that interim account updates are enabled
when you configure the AAA settings under the WLAN.

**** please remember to rate useful posts
