CoA - WLC to ISE in DMZ

robbyde0100
Level 1

Hello,

We have a PSN node in our DMZ that acts as a guest portal for our guest SSID.

I've had reports that when users enter their U&P into the portal it won't connect to the internet, i.e. it won't drop the ACL.

I've checked the RADIUS logs and can see the following:

11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )
11104 RADIUS-Client request timeout expired (Step latency=10005 ms)
11213 No response received from Network Access Device after sending a Dynamic Authorization request

We have UDP port 1700 open on our FW between the WLC and the PSN, so I don't think it's being blocked, but is there a WLC command I can use to check?

Or should/can I tweak the timeout period?

Also, I'm a little confused whether the port needs to be open between the WLC and the PSN or between the AP and the PSN?

Unfortunately the site is in a different country, so I can't test myself with a device.


We're running ISE 2.6 patch 7.

WLC 8.5.161.0


Thanks


Mike.Cifelli
VIP Alumni
Not sure if you are using FlexConnect or local mode APs, but here are a couple of things to check/keep in mind if using local mode:
- The ACL you want applied needs to be configured on the WLC (Security->Access Control Lists) and then referenced in your ISE authz profile under Airespace ACL Name
- Make sure on your WLAN that you have enabled the AAA override option so that dynamic auth is accepted from ISE
- Make sure you enable support for CoA

Hello,

Thanks for the reply Mike.

I'm running FlexConnect. I'm pretty certain my setup is correct and it all works; it's just that occasionally, for some devices, I get the error.

I'm not sure if CoA is just timing out or it's something else.

Damien Miller
VIP Alumni
Check two things.
1. Does the WLC receive the CoA sent from ISE? If yes, you would see it in the WLC debugs and a new authentication in the live logs.
2. If the WLC receives the CoA, it sends a CoA acknowledgement back to ISE. You need to make sure this packet is able to return, or ISE will show that the CoA failed even if the CoA was successful.
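To make the second point concrete, here is an added example (not code from the thread, ISE or the WLC) of the RFC 5176 exchange behind step 11100/11213: the CoA-Request ISE sends to UDP 1700 carries a Request Authenticator, and the CoA-ACK/NAK the WLC must send back reuses the same Identifier and an authenticator keyed to that request and the shared secret, so a reply that never makes it back through the firewall, or one built with the wrong secret, both end up logged as a failure. The shared secret, the MAC address and the attribute set are constructed placeholders, not values from the thread.

```python
# Added example: minimal RFC 5176 CoA-Request / CoA-ACK construction and checking.
# Simplified attribute set; real ISE CoA packets carry additional attributes.
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
SECRET = b"constructed-shared-secret"  # placeholder for the WLC/ISE RADIUS secret


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier: int, attrs: bytes, secret: bytes = SECRET) -> bytes:
    """CoA-Request (code 43): Request Authenticator is
    MD5(code + id + length + 16 zero bytes + attributes + secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code: int, request: bytes, attrs: bytes = b"", secret: bytes = SECRET) -> bytes:
    """CoA-ACK (44) / CoA-NAK (45): same Identifier as the request; Response Authenticator is
    MD5(code + id + length + RequestAuthenticator + attributes + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def check_response(response: bytes, request: bytes, secret: bytes = SECRET) -> str:
    """What the sender does with whatever comes back on UDP 1700 before the timer expires:
    match the Identifier, verify the Response Authenticator, then classify ACK vs NAK."""
    if len(response) < 20 or response[1] != request[1]:
        return "unmatched"  # nothing returned, or not a reply to this request
    header, got_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if got_auth != expected:
        return "bad-authenticator"  # secret mismatch or modified in transit
    return {COA_ACK: "ack", COA_NAK: "nak"}.get(response[0], "unknown")


# Constructed sample: a reauthenticate request naming one client by Calling-Station-Id (type 31).
REQUEST = build_coa_request(7, attr(31, b"00-11-22-33-44-55"))
ACK = build_response(COA_ACK, REQUEST)

if __name__ == "__main__":
    print("CoA result:", check_response(ACK, REQUEST))  # ack
```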