06-07-2022 09:43 AM
CoA ist set globally to Reauth in ISE. CoA is working for active wireless clients in WLC.
But we see hundreds '5417 Dynamic Authorization failed' errors every 4 hours on ISE. Investigation on the WLC has shown that these clients have been disconnected from the WLAN for hours or even days.
Why is ISE trying to re-authenticate these inactive clients every 4 hours?
Initially there is a CoA request with "CoAReason: Change in status" from ISE.
WLC answers "CoANAK: No valid Session" and "Error-Cause: Unsupported Service".
ISE version: 3.0.0.458
WLC version: 17.3.4c
Could this be a config issue on the WLC? Is something specifically needed in the WLC, so ISE is notified about clients removed from the WLAN?
Solved! Go to Solution.
12-15-2022 06:03 AM
Turns out, it was the MDM server.
MDM sent a massive list to ISE every 4 hours, containing MAC addresses for non-compliant endpoints.
ISE then used this list and sent CoA to every WLC, without checking if this endpoint has an active session or not.
06-07-2022 10:09 AM
because the client not send logoff and WLC also not send logoff so the ISE don't know that the client is still attach or not.
config idle timeout in WLC may be it can solve your issue
06-07-2022 10:25 PM
WLAN idle timeout is set to 5 minutes, the disconnected clients are also quickly removed from the clients view in monitoring on WLC and the WLC replies to ISE "No valid session", so I'm pretty sure the WLC knows that the clients aren't attached anymore.
I'm wondering more about radius config in WLC. Is there something needed like a specific accounting setting?
06-08-2022 02:48 AM
12-15-2022 06:03 AM
Turns out, it was the MDM server.
MDM sent a massive list to ISE every 4 hours, containing MAC addresses for non-compliant endpoints.
ISE then used this list and sent CoA to every WLC, without checking if this endpoint has an active session or not.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide