
Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC

Abdallah Anouar
Level 1

Hello everybody,

I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).

The guest can authenticate successfully via the portal and is then redirected to the client provisioning page.

When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.

The authentication logs show that the posture status changed from non-compliant to compliant, but the user doesn't obtain access.

Here are the details:

Authentication Details

Source Timestamp: 2015-04-30 18:43:13.179
Received Timestamp: 2015-04-30 18:43:13.18
Policy Server: ISE-CISCO
Event: 5417 Dynamic Authorization failed
Failure Reason: 11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution: Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause: No response received from Network Access Device after sending a Dynamic Authorization request
Username:
User Type:
Endpoint Id: E0:9D:31:07:**:**
Endpoint Profile:
IP Address:
Identity Store:
Identity Group:
Audit Session Id: ca0019ac00000003ae674255
Authentication Method:
Authentication Protocol:
Service Type:
Network Device: WLC-1
Device Type:
Location:
NAS IP Address: 172.25.0.202
NAS Port Id:
NAS Port Type:
Authorization Profile:
Posture Status: Compliant
Security Group:
Response Time: 15002

Other Attributes

ConfigVersionId: 4
RadiusPacketType: CoARequest
Event-Timestamp: 1430415778
AcsSessionID: 50149c2f-08fb-4f9d-b1b5-f655e71d039f
StepLatency: 3=15001
Device IP Address: 172.25.0.202
CiscoAVPair: subscriber:command=reauthenticate
audit-session-id: ca0019ac00000003ae674255

Session Events

2015-04-30 18:43:13.18   Dynamic Authorization failed
2015-04-30 18:41:44.159  Dynamic Authorization failed
2015-04-30 18:35:42.64   Guest Authentication Passed
2015-04-30 18:34:39.214  RADIUS Accounting start request
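An added example, not part of the original post and not Cisco code: it builds the CoA-Request described in the report above (RADIUS code 43 with the two Cisco AV pairs) and models, in simplified form, how a NAD following RFC 5176 validates it, to show how a missing dynamic-authorization client entry or a shared-secret mismatch leaves the sender with no response at all. The ISE address, the secrets, the `audit-session-id=` encoding and the `nad_handle` model are assumptions.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44   # RADIUS packet codes defined in RFC 5176
CISCO_VENDOR_ID = 9             # Cisco enterprise number; cisco-avpair is vendor type 1

def cisco_avpair(text: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific (type 26) attribute."""
    sub = bytes([1, 2 + len(text)]) + text.encode()
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", CISCO_VENDOR_ID) + sub

def build_coa_request(ident: int, secret: bytes, session_id: str) -> bytes:
    """CoA-Request carrying the two AV pairs listed in the report."""
    attrs = (cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("audit-session-id=" + session_id))
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code | id | length | 16 zero bytes | attrs | secret)
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def nad_handle(packet: bytes, src_ip: str, das_clients: dict):
    """Simplified NAD model (assumption): CoA-ACK bytes, or None for a silent drop."""
    secret = das_clients.get(src_ip)
    if secret is None:
        return None  # sender is not configured as a dynamic-authorization client
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return None  # shared secret on the NAD differs from the sender's
    reply = struct.pack("!BBH", COA_ACK, packet[1], 20)
    # Response Authenticator = MD5(code | id | length | request auth | attrs | secret)
    return reply + hashlib.md5(reply + auth + secret).digest()

def demo() -> dict:
    """Run three constructed NAD configurations against the same request."""
    ise_ip, secret = "192.0.2.10", b"constructed-secret"   # constructed values
    pkt = build_coa_request(1, secret, "ca0019ac00000003ae674255")
    configs = {
        "client defined, secret matches": {ise_ip: secret},
        "client defined, secret differs": {ise_ip: b"another-secret"},
        "client not defined": {},
    }
    return {name: "CoA-ACK" if nad_handle(pkt, ise_ip, cfg) else "no response"
            for name, cfg in configs.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both "no response" cases look the same to the sender as a packet lost in transit, so the NAD's client entry and shared secret are worth checking alongside connectivity.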

6 Replies

Abdallah Anouar
Level 1

Any help, please?

I point out that I'm using a vWLC version 8.

ndemers
Cisco Employee

Bump.

I am having a similar issue. Guest accounts log in successfully and the NAD WLC does not respond to the CoA.

alberx
Level 1

Any ideas about this? I have the same problem.

Personally, I didn't find any solution. Guests just log in again after session expiration. By the way, are you using a virtual appliance or hardware (WLC)?

I'm using a hardware WLC 5508, and I tried versions 7.6 and 8.1 with the same result. ISE is a virtual appliance in version 1.4.

islow1303
Level 1

Did you find an answer by now?

I'm having the same issue.