09-24-2018 08:31 AM
Hi Everyone,
I have a problem with the Guest Portal. It cannot send CoA after authentication succeeds. The WLC is not connected directly to ISE; it has to pass through the Palo Alto. I'm not sure if this is the cause of the problem, but when I try to use interface G0, which does not pass through the Palo Alto, it works normally. I created rules on the Palo Alto which allow both directions and allow any service and application for the ISE IP address.
Below is a tcpdump on ISE when I try to connect to the guest portal.
10.110.36.20 - ISE
10.110.36.60 - Palo Alto
I guess the destination that ISE sends the CoA to should be the WLC rather than the Palo Alto, am I right? Please kindly help me, I'm new to ISE. Thank you.
09-24-2018 10:28 AM
Are you NATting the WLC? ISE should not be talking to the PA at all. My guess is you have the RADIUS running through a PAT function that is not allowing the CoA traffic from the PSN back to the WLC.
09-24-2018 10:43 AM
Thank you for your reply.
So you mean CoA is not supported through PAT, right? Or did I misconfigure the PAT? Thank you.
09-24-2018 11:12 AM - edited 09-24-2018 11:14 AM
CoA is not going to work with a PAT as PAT is unidirectional.
You have to remember there are 3 RADIUS conversations possible:
1) WLC -> ISE RADIUS Authentication (UDP 1645/1812) - as this is initiated by the WLC it can go through a PAT because the firewall will have a session table entry for the response.
2) WLC -> ISE RADIUS Accounting (UDP 1646/1813) - as this is initiated by the WLC it can go through a PAT again because the firewall has a session table entry for the response.
3) ISE -> WLC RADIUS CoA (UDP 1700) - this cannot go through a PAT because the firewall has no session table entry and will drop the packet.
One to one NAT should work, but honestly you shouldn't be NATting the WLC.
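The three conversations above, replayed through a small model of a stateful PAT and of a one-to-one NAT. This is an added example written for this thread, not code from any of the posts and not Cisco or Palo Alto code; it only models the session-table behaviour the answer describes. The ISE address 10.110.36.20 and the firewall address 10.110.36.60 are the ones quoted in the thread; the WLC inside address 192.0.2.10, the ephemeral ports and the translated-port range are assumed.

```python
"""Why RADIUS CoA dies at a PAT boundary while auth/accounting succeed.

Added example for this thread, not code from the original posts or from
Cisco/Palo Alto. It models a stateful firewall's translation behaviour;
addresses are constructed (10.110.36.20 and 10.110.36.60 are quoted in the
thread, 192.0.2.10 is an assumed WLC inside address).
"""
from dataclasses import dataclass

RADIUS_AUTH, RADIUS_ACCT, RADIUS_COA = 1812, 1813, 1700   # UDP ports from the thread

ISE_IP = "10.110.36.20"         # ISE PSN, from the thread
FW_OUTSIDE_IP = "10.110.36.60"  # Palo Alto address ISE sees, from the thread
WLC_IP = "192.0.2.10"           # assumed WLC address behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulPat:
    """Many inside hosts share one outside IP. A session entry is created only
    by an inside-initiated packet; inbound packets with no session are dropped,
    which is the firewall's default for unsolicited traffic."""

    def __init__(self, outside_ip, inside_hosts):
        self.outside_ip = outside_ip
        self.inside = set(inside_hosts)
        # (peer_ip, peer_port, translated_port) -> (inside_ip, inside_port)
        self.sessions = {}
        self._next_port = 40000  # assumed translated-port pool

    def nad_address_for(self, inside_ip):
        # The only address ISE ever sees in RADIUS requests is the shared outside IP.
        return self.outside_ip

    def forward(self, pkt):
        if pkt.src in self.inside:                        # outbound: create session
            xlate_port, self._next_port = self._next_port, self._next_port + 1
            self.sessions[(pkt.dst, pkt.dport, xlate_port)] = (pkt.src, pkt.sport)
            return Packet(self.outside_ip, xlate_port, pkt.dst, pkt.dport)
        if pkt.dst == self.outside_ip:                    # inbound: needs a session
            hit = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
            if hit is None:
                return None                               # no session: dropped
            inside_ip, inside_port = hit
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port)
        return None


class StaticNat:
    """One-to-one NAT: a fixed outside IP maps to one inside host for every
    port, in both directions, so no prior session is required."""

    def __init__(self, outside_to_inside):
        self.out2in = dict(outside_to_inside)
        self.in2out = {v: k for k, v in self.out2in.items()}

    def nad_address_for(self, inside_ip):
        return self.in2out[inside_ip]

    def forward(self, pkt):
        if pkt.src in self.in2out:                        # outbound
            return Packet(self.in2out[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if pkt.dst in self.out2in:                        # inbound, any port
            return Packet(pkt.src, pkt.sport, self.out2in[pkt.dst], pkt.dport)
        return None


def run_radius_flows(nat, wlc_ip=WLC_IP, ise_ip=ISE_IP):
    """Replay the three RADIUS conversations; report which ones reach the WLC."""
    delivered = {}
    for name, port in (("auth", RADIUS_AUTH), ("acct", RADIUS_ACCT)):
        # WLC initiates; the firewall translates and (for PAT) records the flow.
        on_wire = nat.forward(Packet(wlc_ip, 50000 + port, ise_ip, port))
        # ISE answers the source it saw, so the reply rides the existing session.
        reply = nat.forward(Packet(ise_ip, port, on_wire.src, on_wire.sport))
        delivered[name] = reply is not None and reply.dst == wlc_ip
    # CoA is ISE-initiated: a fresh datagram to UDP 1700 with no matching session.
    coa = nat.forward(Packet(ise_ip, 49152, nat.nad_address_for(wlc_ip), RADIUS_COA))
    delivered["coa"] = coa is not None and coa.dst == wlc_ip and coa.dport == RADIUS_COA
    return delivered


if __name__ == "__main__":
    print("PAT       :", run_radius_flows(StatefulPat(FW_OUTSIDE_IP, [WLC_IP])))
    print("static NAT:", run_radius_flows(StaticNat({FW_OUTSIDE_IP: WLC_IP})))
```

With the PAT model the auth and accounting replies are delivered and the CoA is dropped; with the one-to-one mapping all three arrive. Two caveats carry over to a real firewall: a PAT session only exists for as long as its idle timer allows, so even a reply can be dropped if it arrives late, and a one-to-one NAT still needs a security-policy rule that permits inbound UDP 1700 from the PSN to the translated WLC address, which the original poster says is already in place.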