CoA Issue between ISE and WLC

fatalXerror · ‎08-22-2016

Hi Guys,

Good Day!

Just wondering if you have any idea or if you encountered this issue.

I have an ISE in distributed deployment and a WLC using 8.1 version, we can authenticate and all other stuffs (BYOD, Guest, 802.1x) but when it comes to CoA it failed. We already captures some packets where the ISE and where the WLC are connected in the network and it shows that there are CoA exchange (CoA-Request & CoA-Ack) between the ISE and WLC. However, when we check the radius stats in WLC's CLI using "show radius rfc3576 statistic" all counters are zero meaning it doesn't sending CoA-Ack to ISE.

As we all know, we need this CoA for the endpoint to become fully authorize.

Thanks for the help in advance.

jkring001 · ‎08-26-2016

I have been experiencing this problem. I created a TAC case on this at one time on the ISE side and they couldn't figure it out after upgrades and tweaks. They then suggested to have the team that looks at WLC to check it out, but I was working on other things at the time.

brobinb · ‎08-15-2017

Enable 'support for RFC 3576' in Authentication server config in WLC.

javi.laracil · ‎11-18-2016

Same problem here with ISE 1.2 and 8.0.121.0

Everything works until CoA exchange.

Then I get: 11213 No response received from Network Access Device after sending a Dynamic
Authorization request

without any firewall in the middle and everything configured.

J Hicks · ‎03-14-2019

Realize this is old thread, but seeing as no solution was posted - I have run into this scenario, where the WLC service port and ISE PSN exist on the same LAN. The service port does not accept radius requests on port 1700. Need to change the service port address so all auth sessions process through the management interface instead.

Alan_4 · ‎11-25-2019

its comments like these that help out big time, appreciate it.