CoA failed on Guest portal

AunSiravit
Level 1

Hi Everyone,

I have a problem with the Guest Portal. It cannot send CoA after authentication is successful. The WLC is not connected directly to ISE; it has to pass through the Palo Alto. I'm not sure if this is the cause of the problem, but when I try to use interface G0, which does not pass through the Palo Alto, it works normally. I created rules on the Palo Alto which allow both directions and allow any service and application for the ISE IP address.

Below is a tcpdump on ISE when I try to connect to the guest portal.

10.110.36.20 - ISE

10.110.36.60 - Palo Alto

I guess the destination that ISE sends the CoA to should be the WLC rather than the Palo Alto, am I right? Please kindly help me, I'm new to ISE. Thank you.

guest-CoA-Failed-capture.PNG


3 Replies

paul
Level 10

Are you NATting the WLC? ISE should not be talking to the PA at all. My guess is you have the RADIUS running through a PAT function that is not allowing the CoA traffic from the PSN back to the WLC.

Thank you for your reply.

So you mean CoA is not supported over PAT, right? Or did I misconfigure the PAT? Thank you.

CoA is not going to work with a PAT as PAT is unidirectional.

You have to remember there are 3 RADIUS conversations possible:

1) WLC -> ISE RADIUS Authentication (UDP 1645/1812) - as this is initiated by the WLC it can go through a PAT because the firewall will have a session table entry for the response.

2) WLC -> ISE RADIUS Accounting (UDP 1646/1813) - as this is initiated by the WLC it can go through a PAT again because the firewall has a session table entry for the response.

3) ISE -> WLC RADIUS CoA (UDP 1700) - this cannot go through a PAT because the firewall has no session table entry and will drop the packet.

One to one NAT should work, but honestly you shouldn't be NATting the WLC.
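A small model of the three conversations listed above, added here as an illustration and not code from this thread, Cisco or Palo Alto. The WLC address, the PAT port pool and the one-to-one mapping are constructed assumptions; the ISE and PA addresses are the ones in the capture, and the ports are the ones named in the answer.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses; the RADIUS ports are the ones named in the answer above.
WLC_IP, PAT_IP, ISE_IP = "192.0.2.10", "10.110.36.60", "10.110.36.20"
AUTH, ACCT, COA = 1812, 1813, 1700

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class StatefulNat:
    """Simplified PAT box: inside hosts share outside_ip; optional one-to-one entries."""
    outside_ip: str
    static: dict = field(default_factory=dict)    # inside_ip -> dedicated outside_ip (1:1 NAT)
    sessions: dict = field(default_factory=dict)  # (pat_port, peer_ip, peer_port) -> (inside_ip, inside_port)
    next_port: int = 40000                        # assumed PAT port pool start

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Inside-initiated packet: 1:1 NAT keeps the port, PAT allocates one and records a session."""
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Outside-initiated packet: forwarded only by a matching session or a 1:1 entry."""
        hit = self.sessions.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit:
            return Packet(pkt.src_ip, pkt.src_port, hit[0], hit[1])
        for inside_ip, outside_ip in self.static.items():
            if pkt.dst_ip == outside_ip:
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port)
        return None  # no state for this flow: the firewall drops it

def radius_reply_reaches_wlc(fw: StatefulNat, ise_port: int) -> bool:
    """Conversations 1 and 2: the WLC sends the request, so ISE's reply matches a session."""
    req = fw.inside_to_outside(Packet(WLC_IP, 50000 + ise_port, ISE_IP, ise_port))
    reply = fw.outside_to_inside(Packet(ISE_IP, ise_port, req.src_ip, req.src_port))
    return reply is not None and reply.dst_ip == WLC_IP

def coa_reaches_wlc(fw: StatefulNat, wlc_addr_known_to_ise: str) -> bool:
    """Conversation 3: ISE opens the CoA flow itself, towards the address it learned for the WLC."""
    coa = fw.outside_to_inside(Packet(ISE_IP, 54321, wlc_addr_known_to_ise, COA))
    return coa is not None and coa.dst_ip == WLC_IP
```

Behind PAT, ISE only ever learned the PA's address (10.110.36.60) as the NAS, which is why the capture shows the CoA going there and the firewall, holding no session for UDP 1700, drops it; with a one-to-one mapping the same CoA is forwarded.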