Hi guys,

I was playing with ISG today, and everything seems to be working, so now I decided to get rid of the CSR 1000v router in my topology and do all the fancy redirection and services right at the vWLC (running 8.0.133.0 version of code). Please note, no ISE here.

What I got to work so far:

Client connects to the SSID and gets the IP via DHCP.

When the clients connect it triggers radius auth request to the radius (freeradius) server, which matches this request by NAS-Identifier and responds with url-redirect and url-redirect-acl.

These redirect-related pairs are applied to the client session (I can see it on WLC).

Now if the client opens any web page, WLC intercepts the request and redirects the user to the portal to input his credentials.

So far so good.

Now if I understand everything correctly, after the client inputs his username and the password, the portal needs to send COA message to WLC with username and password, which must be checked against the user database on the radius server (please correct me if I am wrong).

My COA consists of the following pairs:

User-Name="test",

User-Password="test",

Calling-Station-Id="ma-ca-dd-re-ss-11",

Cisco-Avpair="subscriber:command=reauthenticate"

COA message sent by the portal hits the WLC and WLC answers with ACK, WLC requests the radius but the request that is sent to the radius server is basically a copy of the initial request, which was sent at the very beginning. I cannot see username or password that I've included in COA, the username and password is still a users's mac address.

What am I doing wrong? How can I differentiate between initial session authentication and actual client authentication with credentials sent by the portal?

Thanks to anyone who is willing to help.