This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I have WLC 7.6 and ISE 1.2 Patch 6.
My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.
But from time to time I get these strange message (it does not matter if I do a manual Session termination in the Operations Tab) Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
Here the corresponding Log-Entry:
0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,
Has anybody ever had the same expirence, or is this a know issue?
Thanks for feedback!
with ISE 2.0 patch 2 (2x 3495) and WLC 5508 8.1.131 I've the same problem. On WLC with RADIUS debug activates the CoA is working: but
Received a 'CoA-Request' from 172.17.2.243 port 65393
Handling a valid 'CoA-Request' regarding station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: 64:b8:53:fe:95:03 Reauthenticating station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: Sent a 'CoA-Ack' to 172.17.2.243 (port:65393)
but on ISE I received:
5417 Dynamic Authorization failed
11103 RADIUS-Client encountered error during processing flow
On clients everything works fine.
Not sure if this will help you in particular, but I was consistently having this issue with ISE 1.3 and WLC running 7.6.
After a device would go through provisioning and then posture assessment ISE would clear them for access. I would get this error and looking on the WLC client detail see that the device was still in Posture_REQ state and would still have the web redirect URL. I could manually 'fix' this by having the device disconnect and reconnect to the wireless, they would then be assigned the proper authz profile and access.
After much troubleshooting and trying to tear out non-existent hair I discovered I had forgotten to check the RFC 3576 box under the radius server entry for ISE on the WLC. As soon as I did CoA started working 100%.