05-10-2022 02:12 AM
I have a single WLC with ISE RADIUS set up and operating normally for wireless users for a long time. However, sometimes I notice this message on ISE (11007 Could not locate Network Device or AAA Client). The WLC is added properly in ISE with the proper IP & key for sure, otherwise nothing would be working. Any clue?
05-10-2022 03:25 AM
- Check this thread : https://community.cisco.com/t5/network-access-control/ise-authentication-failing-11007-could-not-locate-network-device/td-p/3684472
M.
05-10-2022 05:03 AM - edited 05-10-2022 05:04 AM
Thanks. I checked it already, and it is about using the correct IP & key in the network devices. That's not my case.
05-10-2022 09:08 AM
- Also check versioning compatibility between the ISE version and current WLC software version :
M.
05-10-2022 03:46 AM
Hi
It depends on how often you see this message. If this message pops up randomly, I'd say it is normal behavior. Wireless clients may initiate the authentication process with ISE and, for some reason or tons of different problems, they may disappear from the network. That message could fit this situation.
But if this message appears too often and you are facing any kind of complaints from users about not connecting, then further investigation is required.
Did you see any MAC address related to this message? If so, then immediately after the log pops up, take the MAC address, go to the WLC and check the session time for that specific client. Check whether it dropped from the network or not.
05-10-2022 05:01 AM - edited 05-10-2022 05:02 AM
No MAC address is seen from the client in the detailed log. See the attachment. And yes, there are some intermittent complaints.
05-10-2022 05:46 AM
Actually this log is not for a wireless client but is related to the WLC as a device. You can see that it recommends you go to Administration > Network Resources > Network Devices.
If you are using a Cisco WLC with AireOS, you can go to the Monitor tab, Statistics and Radius Server. There, you can select this RADIUS server and see hit counters about WLC x RADIUS communication problems.
05-12-2022 01:32 AM
Yes, it is related to the WLC itself, not a client. As I explained, this is saying that ISE couldn't find the WLC in the network device list, which doesn't make sense because this is already working, but some intermittent issues for the clients are noticed. I checked the RADIUS statistics, and I could spot nothing weird. And I don't suspect a WLC-ISE communication issue, because when the client comes and starts an EAP-Request, this request comes to the ISE (from the WLC), and then the ISE will say (Sorry, this request is coming from a device "WLC" that I have no idea about)! So, this issue looks to me to be within ISE.
05-12-2022 02:22 AM
Is ISE used for DOT1X only, or are you using it for device administration as well?
Do you have the Radius Server Overwrite interface feature enabled in the WLC? If that's the case, you need to add the IP address of the dynamic interface the SSID is attached to as an AAA client in ISE, as RADIUS requests will be sent to ISE from the dynamic interface the SSID is attached to instead of management. If you are using a 9800, make sure that you specifically add ip radius source-interface and define the outgoing interface.
05-12-2022 04:26 AM
Thanks for the response. ISE is used for both .1x & Mgmt.
What do you mean by override interface feature? Do you mean AAA Override on the SSID? If so, yes, it is enabled, but requests will always be generated using the WLC Mgmt IP. You can validate this here in this example:
But anyway, I see in the log message on ISE that the network device IP is the WLC mgmt IP where the ISE rejects it.