5520 WLC & ISE CoA Issue

Mike.Cifelli
VIP Alumni

I am currently in the process of implementing ISE posture assessment on wireless nets.  I am seeing an issue when clients connect and posture status goes from Unknown -> Compliant.  The CoA sent from ISE to the WLC is failing due to 'NAS Identification Mismatch'.  I have noticed that when clients first connect (status Unknown) the NAS IPv4 Address depicted in the RADIUS Live Logs is that of the management interface of the WLC.  Then, come time for ISE to issue the CoA after deeming a client compliant, I see the NAS IPv4 Address depicted in the logs as the actual service-port IP of the WLC, which is used for actual device management (SSH/UI access, etc.).  This unfortunately is causing issues with clients moving from netA to netB upon posture change.  I am currently working the issue with TAC, which is still unresolved at the moment.  However, I am seeking some guidance here on the following, as both AAA TAC and I think the issue is due to WLC config:

- Is it possible to tweak a setting on the WLC side so that RADIUS packets are sourced from the actual MGMT interface (service-port), which would potentially aid in solving the NAS mismatch error?

FYSA: ISE 2.7p3; WLC 5520 ver: 8.5.161.0; AAA & CoA are configured on the WLC.  In non-postured scenarios, client onboarding for EAP-FAST works perfectly fine.


Rich R
VIP

My first thought (but it might not be relevant) ... do you have an explicit network route to ISE via the MGMT interface?

Mike.Cifelli
VIP Alumni

Good thought, thanks.  So we do have a rather large /16 prefix that encompasses ISE as a static route using the service-port (MGMT access).  I literally just realized that you can only add static routes that use the service-port gateway; otherwise the WLC complains.  The thinking now is to make more specific routes for MGMT purposes, delete the /16, and enable per-WLAN RADIUS support to see if this aids in solving the NAS IP mismatch issue.

Mike.Cifelli
VIP Alumni

So enabling the RADIUS server overwrite interface setting on the WLAN did not resolve our issue.  However, using the AP group does fix the CoA issue.  The kicker is that if you use this configuration you must add each respective VLAN data WLC interface IP as an additional IP in the NAD defined in ISE; otherwise users will not be able to onboard successfully.  So for example, if the VLAN 20 WLC data IP is 2.2.2.2, then 2.2.2.2 must be added in ISE with RADIUS enabled to support CoA.  IMO this is sufficient, but TAC is trying to determine if there is a bug.

Mike.Cifelli
VIP Alumni

FYSA, per TAC, ISE and the WLC service port should not be in the same subnet.  When they are, the RADIUS packets from the WLC are sourced via the service port and use this interface.  They sent the following bugs:

Bug Search (cisco.com)

Bug Search (cisco.com)

The suggested fix is either the workaround I mentioned above, or re-IP ISE or the WLC service port.

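The two mechanisms the thread turns on (which WLC interface ends up sourcing RADIUS traffic to ISE, and whether every address the WLC answers from is defined on the NAD in ISE) can be checked offline. The block below is an added example, not code from this thread, from Cisco or from ISE: it models the routing rule described above (AireOS static routes only point at the service-port gateway, so anything matching a static route or the service port's own subnet leaves via the service port), and then walks a set of constructed, ISE-style log records to flag sessions whose CoA arrived from a different NAS address than the original Access-Request, plus any NAS address missing from the NAD definition. All addresses, MACs and log fields are constructed for illustration.

```python
"""Offline checks for the WLC/ISE "NAS Identification Mismatch" discussed above.

Added example, not code from the original thread, Cisco or ISE. Two things
are modelled, both with CONSTRUCTED data:

1. Which WLC interface sources a packet to ISE, using the routing rule the
   thread describes: AireOS static routes can only point at the service-port
   gateway, so any destination that matches a static route (or sits in the
   service port's own subnet) leaves via the service port; everything else
   leaves via the management interface and its default gateway.
2. A pass over ISE-style RADIUS log records that flags sessions whose CoA
   arrived from a different NAS address than the original Access-Request,
   and any NAS address that is not defined on the NAD object in ISE.
"""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class WlcAddressing:
    """Constructed model of a WLC's management and service-port addressing."""
    management: ipaddress.IPv4Interface
    service_port: ipaddress.IPv4Interface
    static_routes: tuple  # IPv4Network objects, all via the service-port gateway

    def source_for(self, dst: str) -> str:
        """Return 'service-port' or 'management' for traffic to dst."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in self.service_port.network:               # directly connected
            return "service-port"
        if any(dst_ip in net for net in self.static_routes):  # static route
            return "service-port"
        return "management"                                   # default route


def parse_records(text: str) -> list:
    """Parse key=value log lines (values may be quoted) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            fields[key] = value
        records.append(fields)
    return records


def find_nas_mismatches(records: list) -> dict:
    """Map MAC -> (auth NAS IP, CoA NAS IP) for sessions where the two differ."""
    first_seen = {}
    mismatches = {}
    for rec in records:
        if rec["event"] == "Authentication":
            first_seen[rec["mac"]] = rec["nas_ip"]
        elif rec["event"] == "CoA":
            auth_ip = first_seen.get(rec["mac"])
            if auth_ip is not None and auth_ip != rec["nas_ip"]:
                mismatches[rec["mac"]] = (auth_ip, rec["nas_ip"])
    return mismatches


def undefined_nas_ips(records: list, nad_ips) -> set:
    """NAS addresses seen in the log that ISE has no NAD definition for."""
    return {rec["nas_ip"] for rec in records} - set(nad_ips)


# Constructed ISE-style Live Log records (not real ISE output).
SAMPLE_LOG = """\
ts=10:00:01 event=Authentication mac=00:11:22:33:44:55 nas_ip=10.10.10.5 posture=Unknown result=PASS
ts=10:00:09 event=CoA mac=00:11:22:33:44:55 nas_ip=192.168.200.5 posture=Compliant result=FAIL reason="NAS Identification Mismatch"
ts=10:01:03 event=Authentication mac=aa:bb:cc:dd:ee:ff nas_ip=10.10.20.5 posture=Unknown result=PASS
ts=10:01:11 event=CoA mac=aa:bb:cc:dd:ee:ff nas_ip=10.10.20.5 posture=Compliant result=PASS
"""

# Constructed addressing: ISE at 10.0.5.20, management on 10.10.10.0/24,
# service port on 192.168.200.0/24, and a broad /16 static route like the
# one described in the thread.
ISE_IP = "10.0.5.20"
WLC_BEFORE = WlcAddressing(
    management=ipaddress.IPv4Interface("10.10.10.5/24"),
    service_port=ipaddress.IPv4Interface("192.168.200.5/24"),
    static_routes=(ipaddress.IPv4Network("10.0.0.0/16"),),
)
# Same WLC after deleting the /16 and adding a more specific OOB-only route.
WLC_AFTER = WlcAddressing(
    management=WLC_BEFORE.management,
    service_port=WLC_BEFORE.service_port,
    static_routes=(ipaddress.IPv4Network("10.0.50.0/24"),),
)
NAD_IPS = {"10.10.10.5", "10.10.20.5"}  # addresses defined on the NAD in ISE


def main() -> None:
    print("before:", WLC_BEFORE.source_for(ISE_IP))
    print("after: ", WLC_AFTER.source_for(ISE_IP))
    records = parse_records(SAMPLE_LOG)
    print("mismatched sessions:", find_nas_mismatches(records))
    print("NAS IPs missing from NAD:", undefined_nas_ips(records, NAD_IPS))


if __name__ == "__main__":
    main()
```

With the /16 in place the ISE address matches the static route and the model reports the service port as the source, which is exactly the address that then shows up in the CoA record and is absent from the NAD; replacing it with a more specific route moves ISE traffic back to the management interface. The second endpoint, authenticated against a per-VLAN dynamic interface that has been added to the NAD, shows the consistent case.
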
Mike,

The service port is supposed to be only for OOB, and since the early AireOS days the guides have always stated not to have it connected to a network from which there is connectivity to the management interface.  There have been more issues with this design, so just be aware.  In all my deployments I have never connected the service port, except in a lab environment, and that port was isolated.

-Scott