02-28-2014 03:02 AM - edited 03-10-2019 09:28 PM
I have WLC 7.6 and ISE 1.2 Patch 6.
My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything works fine so far.
But from time to time I get this strange message (it does not matter if I do a manual session termination in the Operations tab). Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
Here the corresponding Log-Entry:
0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,
Has anybody ever had the same experience, or is this a known issue?
Thanks for feedback!
03-02-2014 07:15 PM
Please go through the link below for best practice.
http://www.redelijkheid.com/blog/2013/4/2/cisco-ise-change-of-authorization-coa-not-working
02-23-2015 03:34 AM
Hi mstraessle,
I am also facing the same issue with WLC 7.6.130 and ISE 1.2.0.899 patch 7. Did you find any solution for the same?
09-01-2015 09:15 AM
Unfortunately not... An upgrade to 1.4 patch 3 and WLC 8.1 helped finally, for whatever reason...
Did you find any other solution?
03-01-2016 07:44 AM
Ciao,
with ISE 2.0 patch 2 (2x 3495) and WLC 5508 8.1.131 I have the same problem. On the WLC, with RADIUS debug activated, the CoA is working:
Received a 'CoA-Request' from 172.17.2.243 port 65393
...
Handling a valid 'CoA-Request' regarding station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: 64:b8:53:fe:95:03 Reauthenticating station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: Sent a 'CoA-Ack' to 172.17.2.243 (port:65393)
but on ISE I received:
5417 Dynamic Authorization failed
11103 RADIUS-Client encountered error during processing flow
On clients everything works fine.
Thanks
07-17-2015 07:05 AM
Not sure if this will help you in particular, but I was consistently having this issue with ISE 1.3 and WLC running 7.6.
After a device would go through provisioning and then posture assessment, ISE would clear them for access. I would get this error and, looking at the WLC client detail, see that the device was still in Posture_REQ state and would still have the web redirect URL. I could manually 'fix' this by having the device disconnect and reconnect to the wireless; they would then be assigned the proper authz profile and access.
After much troubleshooting and trying to tear out non-existent hair, I discovered I had forgotten to check the RFC 3576 box under the RADIUS server entry for ISE on the WLC. As soon as I did, CoA started working 100%.
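Added example, not part of any post in this thread: a small Python parser for ISE records in the layout of the log entry quoted in the first post, counting 5417 "Dynamic Authorization failed" events per network device and RADIUS packet type. The sample records, device names and addresses are constructed, and the header layout is assumed from that single log entry.

```python
import re
from collections import Counter, defaultdict

# Record layout as in the thread's log entry (assumed from that one sample):
# <seq> <n> <n> <date> <time> <tz> <id> <code> <severity> <category>: <text>, k=v, ...
HEADER = re.compile(
    r"^\d+ \d+ \d+ (?P<ts>\S+ \S+ \S+) \d+ (?P<code>\d+) (?P<sev>\w+) "
    r"(?P<cat>[\w-]+): (?P<rest>.*)$"
)

def parse_ise_record(line):
    """Parse one record; repeated keys (Step, NetworkDeviceGroups) become lists."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    text, *pairs = m["rest"].rstrip(", ").split(", ")
    attrs = defaultdict(list)
    for pair in pairs:
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if sep:
            attrs[key.strip()].append(value.strip())
    return {"ts": m["ts"], "code": m["code"], "text": text, "attrs": dict(attrs)}

def coa_failures(lines):
    """Count 5417 records per (NetworkDeviceName, RadiusPacketType)."""
    counts = Counter()
    for line in lines:
        rec = parse_ise_record(line)
        if rec and rec["code"] == "5417":
            a = rec["attrs"]
            counts[(a.get("NetworkDeviceName", ["?"])[0],
                    a.get("RadiusPacketType", ["?"])[0])] += 1
    return counts

# Constructed sample records: documentation IPs/MACs, invented device names.
_FAIL = ("0000000001 2 0 2014-02-28 11:11:37.241 +01:00 0000000101 5417 NOTICE "
         "Dynamic-Authorization: Dynamic Authorization failed, DestinationPort=1700, "
         "RadiusPacketType=DisconnectRequest, NetworkDeviceName={nad}, "
         "Calling-Station-ID={mac}, cisco-av-pair=audit-session-id=c0000201aa, "
         "Step=11100, Step=11101, Step=11103,")
SAMPLE = [
    _FAIL.format(nad="lab-WLC01", mac="00:00:5E:00:53:01"),
    _FAIL.format(nad="lab-WLC01", mac="00:00:5E:00:53:02"),
    _FAIL.format(nad="lab-WLC02", mac="00:00:5E:00:53:03"),
    "0000000004 1 0 2014-02-28 11:12:00.000 +01:00 0000000104 9999 INFO "
    "Constructed-Category: constructed non-CoA record, NetworkDeviceName=lab-WLC01,",
]

if __name__ == "__main__":
    for (nad, ptype), n in coa_failures(SAMPLE).most_common():
        print(f"{nad:12} {ptype:20} {n}")
```

A device that shows up here consistently, rather than occasionally, is the one to check first for the RFC 3576 setting described in the post above.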