Wireless Clients reauthentication fails when COA is sent by ISE

PSM · ‎11-21-2025

We have observed a strange issue in our network. For any reason(change in profile) when Cisco ISE send a COA and ask to reauthenticate to an connected client on wireless controller client session is interrupted. Client tries to reconnect and we see client connection is disrupted. If we see ISE logs for one of the such client, 1st event log says "Dynamic authorization succeeded" , in next "Authentication succeeded", in third event "Dynamic Authorization failed" and in 4th event "Dynamic Authorization succeeded" in 5th "Authentication succeeded"

It is EAP-TLS authentication and only Machine authentication is being performed. This is a Win11 machine and has WIFI profile managed from Intune.
For us it looks WLC is not able to reauthenticate the client gracefully or Client it self does not handle reauthentication nicely.

Anyone else here has this kind of observations ? Is COA expected to be disruptive specially for Wireless clients ?

Marcelo Morais · ‎11-23-2025

@PSM ,

in ISE, at Operations > RADIUS > Live Logs, you see the following Events:

Dynamic Authorization Succeeded
Authentication Succeeded
Dynamic Authorization Failed

if you click the Details icon for the 3rd Event (Dynamic Authorization Failed) the likely Failure Reason is

11213 - No response received from Network Access Device after sending a Dynamic Authorization request

Am I correct ?

What appears in the Steps window ? Is there a timeout ?

Hope this helps !

PSM · ‎11-24-2025

@Marcelo Morais see details of one failure.