04-16-2014 04:32 PM - edited 03-10-2019 09:38 PM
I configured centralized web authentication with users in Active Directory. The problem is CoA, but it is enabled in the ISE and WLC.
CoA Problem:
WLC :
(Cisco Controller) >show radius rfc3576 statistics
RFC-3576 Servers:
Server Index..................................... 1
Server Address................................... 192.168.73.210
Disconnect-Requests.............................. 0
COA-Requests..................................... 0
Retransmitted Requests........................... 0
Malformed Requests............................... 0
Bad Authenticator Requests....................... 0
Other Drops...................................... 0
Sent Disconnect-Ack.............................. 0
Sent Disconnect-Nak.............................. 0
Sent CoA-Ack..................................... 0
Sent CoA-Nak..................................... 0
Server Index..................................... 2
04-17-2014 06:46 AM
I have exactly the same problem. In your logging, do you also have this kind of message:
*radiusCoASupportTransportThread: Apr 17 14:23:38.060: #AAA-3-COA_WRONG_NAS_IP: radiusCoAsupport.c:1023 Received IP address[xx.xx.xx.xx] for CoA Packet.
I have tried a lot of different configurations but nothing works; I have to do a "Session reauthentication" manually in the live sessions page.
04-18-2014 04:52 AM
Check the following discussions:
https://supportforums.cisco.com/discussion/11679106/ise-dynamic-authorization-failed
https://supportforums.cisco.com/discussion/11602806/dynamic-authorization-failed
04-18-2014 05:33 AM
Thanks for your help, but I have already seen those.
If gustavoponce has the same problem as I have, manual reauthentication works fine, so I don't think it's a network issue. I'm thinking more of a parameter missing in the WLC and/or ISE.
04-21-2014 08:57 AM
Thanks everyone, but I could not solve it.
The scenario is as follows:
I configured an SSID, CAMPUS, in a university with centralized web authentication. When an Active Directory user (student) logs in, they will be redirected to VLAN 101, and if it is a guest user, to VLAN 102. The authentication is good (ISE log, image above), but I think the guest flow is not working because the web authentication page appears again after login.
*AD/guest sequence for Guest Portal Authentication.
In the WLC, NAC state: Radius NAC, Allow AAA Override, and RFC 3576 is enabled in ISE (reauth) and the WLC. The versions are: ISE 1.2 Patch 7 and WLC 7.4.121.
05-13-2015 12:32 AM
I'm having this problem as well, were you able to solve it eventually?
11-22-2019 08:19 PM
Don't use the service interface. Use the management interface.
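Added example, not part of any reply in this thread and not Cisco code: a small Python parser for the `show radius rfc3576 statistics` output from the first post, combined with the log line from the second post, to sort a failing CoA into a rough category. The sample input is abridged from the thread, and the category labels and function names are hypothetical.

```python
import re

# Constructed sample: abridged from the counters in the first post (cut off at index 2)
SAMPLE_STATS = """\
RFC-3576 Servers:
Server Index..................................... 1
Server Address................................... 192.168.73.210
Disconnect-Requests.............................. 0
COA-Requests..................................... 0
Bad Authenticator Requests....................... 0
Sent CoA-Nak..................................... 0
Server Index..................................... 2
"""
# Log line from the second post, address masked as in the thread
SAMPLE_LOG = ("*radiusCoASupportTransportThread: Apr 17 14:23:38.060: #AAA-3-COA_WRONG_NAS_IP: "
              "radiusCoAsupport.c:1023 Received IP address[xx.xx.xx.xx] for CoA Packet.")
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)\.{2,}\s*(\S+)\s*$")

def parse_rfc3576_stats(text):
    """Return one dict per 'Server Index' block; numeric counters become ints."""
    servers = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # prompt, header or blank line
        key, val = m.group(1), m.group(2)
        if key == "Server Index":
            servers.append({})
        if servers:
            servers[-1][key] = int(val) if val.isdigit() else val
    return servers

def triage(server, log_lines=()):
    """Hypothetical labels describing where a CoA exchange appears to stop."""
    if "COA-Requests" not in server:
        return ["incomplete-output"]  # truncated block, nothing to judge
    found = []
    if any("COA_WRONG_NAS_IP" in line for line in log_lines):
        found.append("wrong-nas-ip")  # the WLC error quoted in the second post
    if server.get("Bad Authenticator Requests", 0):
        found.append("bad-authenticator")  # usually a RADIUS shared-secret mismatch
    if server.get("Malformed Requests", 0) or server.get("Other Drops", 0):
        found.append("dropped")
    if server.get("Sent CoA-Nak", 0) or server.get("Sent Disconnect-Nak", 0):
        found.append("nak-sent")
    if not found and server["COA-Requests"] + server.get("Disconnect-Requests", 0) == 0:
        found.append("no-requests-counted")  # nothing from ISE was counted for this server
    return found
```

With only the counters from the first post the result is `no-requests-counted`; adding the second post's log line changes it to `wrong-nas-ip`, which is the case the last reply's interface advice addresses.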