
No response received from NAD after sending a DynamicAuthorization req

KyleA
Level 1

Hello all,

I have multiple regional locations w/ 5520 WLCs. These WLCs are connected to a Nexus 9k (Services) -> Catalyst 9k (CORE) -> Router. The associated APs are connected to access switches -> CORE -> Router. I have a Guest Wireless SSID set up w/ an anchor WLC in the DMZ. Without any ISE involvement, I confirmed successful access to the internet through the DMZ.

However, I am experiencing the following error during the Guest Flow - where users create their Guest account and sign-on:

11213 : No response received from Network Access Device after sending a Dynamic Authorization request - DYNAMIC AUTHORIZATION FAILING

From the Guest perspective, they connect to the SSID -> redirect successfully to ISE Sponsor Portal -> Create account -> Accept AUP -> Click "sign-on"... afterwards, they are unable to connect to the internet.

ISE is showing the above error and as a result not placing them in the correct policy. I have been working w/ TAC on this issue for ~2 months to no avail. We have confirmed ISE is sending the CoA but receiving nothing back. I have confirmed the following:

-Confirmed shared secret on AAA server on WLC

-Confirmed CoA Support setting enabled on WLC

-Most up-to-date iOS version

-Guest SSID settings are correct - including mac filtering, ISE Default settings, AAA override, ISE NAC, etc.

-No firewall blocks in between ISE and WLC blocking traffic (CoA - port 1700)

Any advice would be appreciated. I am lost on where to go from here.

4 Replies

Ok, so the guest succeeds, but CoA fails so I'm guessing the redirect ACL is never removed. Does the user get access if they cycle their wireless? And does this happen every time, or randomly?

You said CoA support setting enabled on the WLC, this is the selection under the radius server? Do you see CoA fail for other things like reauth etc?

Screenshot 2023-09-13 160101.jpg

Thanks for the response. This happens every time a user connects to the guest network on one of the 5520 WLCs. I also have two 8540 WLCs in our 2 main locations set up with the same configuration and they work successfully. Yes, I have the setting you underlined in the screenshot enabled.

Yeah, definitely sounds like a bug or something if it's only the 5520's and the 8540's are fine. What code is the 5520 on and what model APs?

Just wondering, as we run 5520's on version 8.10.183.0 and our APs are 2802I and 4800s.

Code version is 8.10.185.0.

APs are mostly 4800s. I have no idea why this is still occurring. Hopefully someone with more expertise can chime in.
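
An added example, not written by anyone in the thread and not Cisco code: given RADIUS payloads pulled from a capture between ISE and the WLC, it lists CoA-Requests that never got a CoA-ACK or CoA-NAK and checks each request's authenticator (computed as RFC 5176 describes) against the shared secret configured on the NAD, since a mismatch is one reason a device may drop the request without answering. The addresses, secret and MAC below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RADIUS codes from RFC 5176

def request_authenticator(header4, attributes, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header4 + b"\x00" * 16 + attributes + secret).digest()

def build_coa_request(identifier, attributes, secret):
    """Construct a CoA-Request; used here only to make sample input."""
    header4 = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    return header4 + request_authenticator(header4, attributes, secret) + attributes

def check_coa_request(payload, secret):
    """Validate a captured CoA-Request UDP payload against a candidate shared secret."""
    if len(payload) < 20:
        return False, "truncated"
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != COA_REQUEST:
        return False, "not a CoA-Request"
    if not 20 <= length <= len(payload):
        return False, "bad length field"
    expected = request_authenticator(payload[:4], payload[20:length], secret)
    if not hmac.compare_digest(expected, payload[4:20]):
        return False, "authenticator mismatch"
    return True, "authenticator valid"

def unanswered_requests(packets):
    """packets: (src_ip, dst_ip, payload) tuples in capture order.
    Returns (nad_ip, identifier) for each CoA-Request with no ACK/NAK from that NAD."""
    pending = []
    for src, dst, payload in packets:
        if len(payload) < 20:
            continue
        code, ident = payload[0], payload[1]
        if code == COA_REQUEST:
            pending.append((dst, ident))
        elif code in (COA_ACK, COA_NAK) and (src, ident) in pending:
            pending.remove((src, ident))
    return pending

# Constructed sample data (documentation addresses, made-up secret and MAC).
SECRET = b"constructed-secret"
CALLING_STATION = b"\x1f\x13" + b"aa-bb-cc-dd-ee-ff"  # Calling-Station-Id (type 31)
REQ1 = build_coa_request(1, CALLING_STATION, SECRET)
REQ2 = build_coa_request(2, CALLING_STATION, SECRET)
ACK1 = struct.pack("!BBH", COA_ACK, 1, 20) + b"\x00" * 16  # response authenticator not checked
CAPTURE = [("192.0.2.10", "192.0.2.20", REQ1), ("192.0.2.20", "192.0.2.10", ACK1),
           ("192.0.2.10", "192.0.2.30", REQ2)]
```

Comparing captures taken on the ISE side and on the WLC side with `unanswered_requests` shows whether the request reached the controller at all; `check_coa_request` then tells whether the secret on the receiving device matches what the sender used.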
