ISE does not send CoA to WLC

morabusa
Level 1

Hi, we are facing a weird issue with our ISE (2.4) and our C9800-CL WLC (17.3.4). We have a Guest WLAN in FlexConnect mode with CWA using a sponsor portal. What I have seen so far in my tests:

 

- Users are able to connect to guest SSID and get redirected to the sponsor portal (HTTPS 8443 on ISE).

- Users are able to register in the sponsor portal, administrators are able to accept the registration, and users receive a mail with username and password.

- When users try to log in with their credentials, they do not receive the success page, and if they try to surf the Internet, they get redirected again to the login page.

- Clients are stuck in Web Authentication Pending in the WLC.

- I ran a tcpdump while users tried to log in, and I could not see the ISE sending CoA to the WLC, so I think that is the issue. All I can see between WLC and ISE is MAB traffic going through RADIUS (port 1812).

- In live logs I can see users getting authenticated correctly on ISE. Message: 5231 Guest Authentication Passed.

- APs model AIR-AP1832I-E-K9. 

 

Any idea about what could be happening here? Thank you very much.

 

 

 

 


Arne Bier
VIP

Hi @morabusa 

 

Usually CoA is not seen in cases where:

- there is no session created in ISE, e.g. if RADIUS Accounting is not set up on the NAS, or the Accounting does not reach ISE

- PSN1 sends the CoA but you're investigating PSN2 (tcpdump) - PSN1 processed the MAB request, and it will also be responsible for sending the CoA

- the Network Device in ISE does not have the correct UDP port configured (e.g. Cisco is UDP/1700)

- ISE might have a bug ?

 

You have all the usual config on the 9800?

 

!
aaa authentication dot1x default group radius-ise-group
aaa authorization network default group radius-ise-group
aaa accounting identity default start-stop group radius-ise-group
aaa accounting update newinfo periodic 2880
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
aaa server radius dynamic-author
 client 10.128.142.82 server-key <SUPERSECRETKEY>
 client 10.128.142.83 server-key <SUPERSECRETKEY>
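
The checks listed in the reply above, run over a packet capture, as an added example that is not part of the original thread: it parses RADIUS payloads and reports, per client MAC, whether accounting reached the PSN that handled MAB and whether that PSN sent a CoA-Request to UDP/1700. The function names, the WLC address 192.0.2.10 and the client MAC are constructed, and it assumes the CoA-Request carries Calling-Station-Id.

```python
# RADIUS codes (RFC 2865/2866/5176) and the attribute that carries the client MAC.
ACCESS_REQUEST, ACCOUNTING_REQUEST, COA_REQUEST = 1, 4, 43
CALLING_STATION_ID, COA_PORT = 31, 1700  # 1700 per the reply above; RFC 5176 default is 3799

def parse_radius(payload):
    """Return (code, {attr_type: value}) from a RADIUS UDP payload."""
    length = int.from_bytes(payload[2:4], "big")
    if not 20 <= length <= len(payload):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return payload[0], attrs

def diagnose(capture, mac):
    """capture: (src_ip, dst_ip, dst_port, payload) tuples; findings for one client."""
    auth_psn, acct_psns, coa = None, set(), []
    for src, dst, dport, payload in capture:
        code, attrs = parse_radius(payload)
        if attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace").upper() != mac.upper():
            continue
        if code == ACCESS_REQUEST:
            auth_psn = dst  # the PSN that handled MAB is the one that sends the CoA
        elif code == ACCOUNTING_REQUEST:
            acct_psns.add(dst)
        elif code == COA_REQUEST:
            coa.append((src, dport))
    if auth_psn is None:
        return ["no Access-Request for this client in the capture"]
    findings = []
    if auth_psn not in acct_psns:
        findings.append(f"no accounting reached {auth_psn}")
    ports = [port for src, port in coa if src == auth_psn]
    if not ports:
        findings.append(f"no CoA-Request from {auth_psn}")
    elif COA_PORT not in ports:
        findings.append(f"CoA sent to UDP/{ports[0]}, not {COA_PORT}")
    return findings or ["accounting and CoA both present"]

def build(code, mac):  # constructed packet: header, zero authenticator, attribute 31
    attr = bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
    return bytes([code, 1]) + (20 + len(attr)).to_bytes(2, "big") + bytes(16) + attr

# Constructed sample mirroring the question: only a MAB Access-Request on UDP/1812.
SAMPLE = [("192.0.2.10", "10.128.142.82", 1812, build(ACCESS_REQUEST, "AA-BB-CC-DD-EE-FF"))]
```

Calling `diagnose(SAMPLE, "aa-bb-cc-dd-ee-ff")` returns both the missing-accounting and the missing-CoA findings for 10.128.142.82, which is the pattern described in the question.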