
ISE - WLC - Dynamic Auth failed (Event 5417, Failure 11213)

javi.laracil
Level 1

Hello, I've been all day going through the internet trying to troubleshoot this but I couldn't fix it.

My setup:

Foreign WLC and Anchor WLC. (5508 and 2504) Software: 8.0.121.0 and ISE 1.2

Guest SSID with this config: https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise?page=1

1. Client associates to SSID. The Foreign WLC does MAC Authentication at this time. ISE replies with access-accept containing URL Redirect and the redirection ACL (ISE-Guest).
2. Foreign WLC sends Mobility Announce to the Anchor and client gets anchored to the anchor in WEBAUTH_REQD state.
3. Client does DHCP and gets an IP address from WLC. DNS is allowed through redirect ACL.
4. Client makes HTTP Request. Foreign forwards it to anchor.
5. Anchor verifies if this is HTTP and sends it to ISE.
6. Client accesses ISE URL that contains unique session.
7. After successful login, ISE sends CoA to foreign.

Failure 11213 No response received from Network Access Device after sending a Dynamic Authorization request
Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.

There is no firewall between ISE and foreign wlc.

SSID configured like the example above (NAC Radius, AAA override, etc)

WLC AAA config is like the example above. (ISE as Radius Auth server.)

In the ISE the WLC is configured as network device.

So... the user gets the portal, it accepts the policies, but afterwards no "permitaccess" because the CoA fails.

Any ideas? I will try to attach some screenshots.
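Added example, not part of the original post and not Cisco code: an offline Python model of the RFC 5176 CoA exchange in step 7, showing why a NAD that does not list the sender as a Dynamic Authorization Client, or holds a different shared secret, produces no reply at all rather than a NAK. The IP addresses, secrets, MAC address and the `nad_handle` drop behaviour are constructed assumptions, not values or logic taken from ISE or the WLC.

```python
import hashlib
import hmac
import struct
from typing import Optional

COA_REQUEST, COA_ACK = 43, 44          # RFC 5176 packet codes
CALLING_STATION_ID = 31                # standard RADIUS attribute type
ZERO_AUTH = b"\x00" * 16

def attr(type_: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Sender side. Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + ZERO_AUTH + attrs + secret).digest()
    return head + auth + attrs

def nad_handle(packet: bytes, src_ip: str, das_clients: dict) -> Optional[bytes]:
    """Simplified NAD side (assumed behaviour). Returns the reply bytes,
    or None when the request is dropped without any response."""
    secret = das_clients.get(src_ip)
    if secret is None:
        return None                    # sender is not a known dynamic-auth client
    if len(packet) < 20:
        return None                    # shorter than a RADIUS header
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None                    # malformed or unexpected packet
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                    # shared secret mismatch: silent drop
    head = struct.pack("!BBH", COA_ACK, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Secret)
    return head + hashlib.md5(head + packet[4:20] + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-secret"                       # constructed value
    req = build_coa_request(7, attr(CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"), secret)
    cases = {
        "sender listed, secret matches": ("192.0.2.10", {"192.0.2.10": secret}),
        "sender not listed on the NAD": ("192.0.2.99", {"192.0.2.10": secret}),
        "sender listed, secret differs": ("192.0.2.10", {"192.0.2.10": b"other"}),
    }
    for name, (src, clients) in cases.items():
        reply = nad_handle(req, src, clients)
        print(name, "->", "CoA-ACK" if reply else "no response (sender times out)")
```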
