
WLAN Guest - ISE sending CoA to foreign disassociates (some) clients


Hi all,


We have a funny behavior on one customer's guest access.


The solution uses web authentication (L3); the login page is stored locally on the anchor controllers (Local Web Authentication), and Cisco ISE v1.2.0.899, patch 6, hosts the sponsor portal and authenticates clients via CHAP/RADIUS.


Recently we implemented a foreign + anchors architecture and upgraded to 7.6.130 (from 7.3).


As stated in Cisco's Enterprise Mobility 7.3 Design Guide, the WLAN's security parameters are configured exactly the same on both the foreign and the anchors, including the authentication and accounting servers (acct+auth are active on both foreign and anchors, with the same RADIUS servers, the ISE PSNs).


This generates double accounting: the foreign sends an acct start with username = mac as soon as the client associates, and the anchor sends an acct start with username = username after the user authenticates. The "live sessions" on ISE indicate the foreign IP as the NAS associated with these guest users.



On certain clients (I haven't caught the trigger yet) ISE sends a CoA Admin Reset to the foreign after the user is successfully authenticated by the anchor, and the user is disassociated. The workaround is to disable RFC3576 (the CoA feature) in the RADIUS server configuration of the foreign: ISE sends the CoA but the WLC rejects it and everybody is happy (except for a "dynamic authorization failed" alarm on ISE).


When I disable the "Allow only one guest sessions per user" option on ISE, this behavior stops, which seems to indicate that ISE is somehow counting sessions twice. My theory at this point is that ISE understands that the accounting from the foreign (with the device MAC) is actually from the same user as the one on the anchor and disconnects the older session (as expected), this being the one on the foreign because it is created as soon as the client associates.


One solution is, of course, to disable accounting (and maybe even authentication) on the foreign, but: first, I don't know if this will break the anchoring at some point; second, I don't want to diverge from the design guides in a production environment.


Is anyone seeing the same behavior? What is your opinion on this?


Thanks in advance.
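The following is an added example, not code from the original post and not Cisco ISE's or the WLC's implementation. It models the accounting flow described above (foreign sends Acct-Start with User-Name = MAC on association, anchor sends Acct-Start with the real username after web auth) and replays it through a toy "one session per user" limiter under two hypothetical identity rules: correlating sessions by Calling-Station-Id (MAC) and correlating by User-Name. It only illustrates the poster's theory of why the older foreign session gets a CoA; the NAS addresses, MACs, usernames and session IDs are all constructed.

```python
"""Toy model of RADIUS accounting from a foreign/anchor WLC pair.

Constructed example: the identity rules below are hypotheses, not ISE's
actual session-correlation logic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AcctRecord:
    """One RADIUS Accounting-Request as a RADIUS server would see it."""
    nas_ip: str              # NAS-IP-Address: which controller sent it
    status: str              # Acct-Status-Type: "Start" or "Stop"
    user_name: str           # User-Name attribute
    calling_station_id: str  # Calling-Station-Id: client MAC
    acct_session_id: str     # Acct-Session-Id (per NAS)
    ts: int                  # arrival order (seconds, constructed)


# Constructed addresses and identifiers
FOREIGN = "10.0.0.1"
ANCHOR = "10.0.0.2"
MAC1 = "aa-bb-cc-11-22-33"
MAC2 = "dd-ee-ff-44-55-66"

SessionKey = Tuple[str, str]  # (nas_ip, acct_session_id)


def constructed_records() -> List[AcctRecord]:
    """Two devices of guest 'guest01' joining, each seen first by the foreign
    (User-Name = MAC) and then by the anchor (User-Name = real username)."""
    return [
        AcctRecord(FOREIGN, "Start", MAC1, MAC1, "foreign-0001", 0),
        AcctRecord(ANCHOR, "Start", "guest01", MAC1, "anchor-0001", 5),
        AcctRecord(FOREIGN, "Start", MAC2, MAC2, "foreign-0002", 8),
        AcctRecord(ANCHOR, "Start", "guest01", MAC2, "anchor-0002", 10),
    ]


def replay(
    records: List[AcctRecord],
    identity: Callable[[AcctRecord], str],
    max_sessions_per_user: int = 1,
) -> Tuple[Dict[SessionKey, AcctRecord], List[SessionKey]]:
    """Replay accounting in arrival order and enforce a per-user session cap.

    Returns the surviving session table and the list of (nas_ip, session_id)
    that the limiter would target with a CoA disconnect (oldest first).
    """
    sessions: Dict[SessionKey, AcctRecord] = {}
    coa_targets: List[SessionKey] = []
    for rec in sorted(records, key=lambda r: r.ts):
        key = (rec.nas_ip, rec.acct_session_id)
        if rec.status == "Stop":
            sessions.pop(key, None)
            continue
        sessions[key] = rec
        # All active sessions the limiter considers to belong to this user
        same_user = sorted(
            (k for k, s in sessions.items() if identity(s) == identity(rec)),
            key=lambda k: sessions[k].ts,
        )
        # Evict the oldest sessions until the cap holds
        while len(same_user) > max_sessions_per_user:
            victim = same_user.pop(0)
            coa_targets.append(victim)
            del sessions[victim]
    return sessions, coa_targets


def identity_by_mac(r: AcctRecord) -> str:
    """Hypothesis A: sessions are the same user if the client MAC matches."""
    return r.calling_station_id


def identity_by_username(r: AcctRecord) -> str:
    """Hypothesis B: sessions are the same user only if User-Name matches."""
    return r.user_name


if __name__ == "__main__":
    for name, rule in (("by MAC", identity_by_mac), ("by User-Name", identity_by_username)):
        alive, coa = replay(constructed_records(), rule)
        print(f"{name}: CoA sent to {coa}; surviving sessions {sorted(alive)}")
```

Under the MAC rule the anchor's Start for the same device collides with the foreign's earlier Start, so the limiter disconnects the older session, which is always the foreign one (the symptom in the post), while the two genuine anchor sessions of guest01 survive and the per-user cap is not actually enforced. Under the User-Name rule the foreign's MAC-named session is never matched to the guest, and the cap correctly targets the older anchor session of guest01 when the second device logs in. Comparing the CoA targets in the ISE alarms against these two outcomes is one way to check which correlation is in play before deciding whether to remove accounting from the foreign.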
