
WLC and ISE guest access COA

joeharb
Level 5

We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication.  ISE attempts to send it but nothing changes on the WLC.  The message in ISE is "Dynamic Authorization failed" and a message that ISE didn't receive a response from the NAD, verify communication.  What is odd is that the original guest request comes in from the IP address of the service port on the WLC, but anything to do with the COA is seen from the management IP.  I have both IPs defined for the device in ISE.  I am able to do a session reauthentication within ISE and the WLC applies the changes.  I have verified that RFC 3576 is enabled, but "show radius rfc3576 stats" shows no values.  The WLC is running 7.6.130.  I have attempted to debug on the WLC side to see if the message is even being delivered, but none of the debugs I have attempted seem to offer any good information.

Anyone have any suggestions?  

 

Thanks,

 

Joe


5 Replies

Dhiresh Yadav
Cisco Employee

Hi Joe,

 

I don't really know what you are trying to do with the COA, as it is used in the CWA solution and the BYOD solution as well. But even before trying that, I would advise you to go step by step and solve the network issue first. You are able to see the request from the service port, which should not happen, because then the incoming/outgoing traffic takes different paths. You must be facing this situation because you might have some network routes matching the ISE subnet/IP address in GUI > Controller > Network Routes, as there is no need for those routes. If the service port needs to be used in a controller-down scenario, then use a laptop in the same subnet as the service port IP and connect to the service port.

 

Regards

Dhiresh

**Please rate helpful posts**

All of our routes listed have the default gateway that is on the management segment.  I would expect that after ISE authenticates the user it will need to notify the WLC to change the ACLs / run-time state of the client; I was under the impression that this was the COA.  I have a TAC case started and they are looking into the log files.  The TAC engineer seemed confused on why ISE sees the COA from the service IP as well.  In my research I remember finding either a bug or something about this but can't seem to locate it now...

We have ISE integrated with other WLANs on this controller and it works without issue.

Any other ideas?

Thanks,

Joe

I was mistaken earlier, it appears that all the routes on the system are using the service interface network address as opposed to the management address, could this be the issue?

 

Thanks,

 

Joe

 

Dhiresh Yadav
Cisco Employee

Accepted Solution

Hi Joe,

Might or might not be. COA is sent by the ISE to the controller, and the ISE raw capture/logs under Operations > Authentication etc. and a simultaneous debug on the WLC will tell everything. But my point was that the traffic should not reach the ISE using the service port IP address but with the source IP address of the management IP address. So there should not be any network routes other than in the condition when you want the service port subnet to be routable.

"The TAC engineer seemed confused on why the ISE sees the COA from the service IP as well"... I don't understand this, as ISE sends the COA to the WLC. I think let the TAC engineer analyze it and comment on this.

Regards

Dhiresh

**Please rate helpful posts**

joeharb
Level 5

Dhiresh,

 

You were spot on with this; we did have routes to ISE via the service port. Once all the traffic (MAB included) reached ISE from the management interface, the COA worked without issue.

 

Thanks,

 

Joe
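The thread ends with ISE reporting "no response from the NAD" for the CoA and the fix being to make the WLC source all RADIUS traffic from its management interface. When debugging a case like this it helps to take ISE out of the picture and send a CoA-Request to the controller yourself, so you can tell a dropped packet (timeout, which is what ISE reported) from a rejected one (CoA-NAK with an Error-Cause such as "NAS Identification Mismatch" or "Session Context Not Found"). The script below is an added example, not code from the thread or from Cisco: it builds an RFC 5176 CoA-Request (RFC 5176 obsoletes the RFC 3576 that the WLC GUI refers to) with a Request Authenticator and Message-Authenticator the way a RADIUS server does, verifies the controller's reply, and decodes the Error-Cause. Everything specific to a deployment is a hypothetical value you must replace: the shared secret, the WLC management IP (10.0.0.5), the client MAC, the Acct-Session-Id, and the CoA port (3799 is the RFC 5176 default; ISE sends to the CoA port configured on the network device entry, so use whatever the WLC is listening on). The offline demo at the bottom builds the NAD's reply itself so the round trip can be checked without a controller.

```python
"""Added example: minimal RFC 5176 CoA probe for a WLC (hypothetical values throughout)."""
import hashlib
import hmac
import os
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CODE_NAMES = {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}
ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 4, 31
ATTR_ACCT_SESSION_ID, ATTR_MESSAGE_AUTHENTICATOR, ATTR_ERROR_CAUSE = 44, 80, 101
ERROR_CAUSES = {  # RFC 5176 section 3.5 Error-Cause values the NAD may return
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    501: "Administratively Prohibited", 503: "Session Context Not Found",
    504: "Session Context Not Removable",
}
ZERO_AUTH = b"\x00" * 16


def avp(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def error_cause(num):
    return avp(ATTR_ERROR_CAUSE, struct.pack("!I", num))


def session_attrs(nas_ip, mac, acct_session_id):
    """Attributes that identify the session to change; values here are hypothetical."""
    return [avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
            avp(ATTR_CALLING_STATION_ID, mac.encode()),
            avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode())]


def parse_avps(data):
    attrs = []
    while data:
        alen = data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:alen]))
        data = data[alen:]
    return attrs


def _zero_ma(attrs):
    """Re-encode attributes with the Message-Authenticator value zeroed (for HMAC input)."""
    return b"".join(avp(t, ZERO_AUTH if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)


def _sign(secret, code, ident, attrs, base_auth):
    """Message-Authenticator (HMAC-MD5) first, then the packet authenticator (MD5) over the result.
    base_auth is 16 zero octets for a request and the Request Authenticator for a reply."""
    body = b"".join(attrs) + avp(ATTR_MESSAGE_AUTHENTICATOR, ZERO_AUTH)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    ma = hmac.new(secret, hdr + base_auth + body, hashlib.md5).digest()
    body = body[:-16] + ma
    auth = hashlib.md5(hdr + base_auth + body + secret).digest()
    return hdr + auth + body


def build_coa_request(secret, ident, attrs):
    return _sign(secret, COA_REQUEST, ident, attrs, ZERO_AUTH)


def build_coa_response(secret, request, code, attrs):
    """What the NAD sends back; the reply is keyed on the Request Authenticator."""
    return _sign(secret, code, request[1], attrs, request[4:20])


def verify_request(secret, request):
    """The checks a NAD performs on receipt; a failure here is why a WLC silently drops a CoA."""
    attrs = parse_avps(request[20:])
    hdr, body = request[:4], _zero_ma(parse_avps(request[20:]))
    ma_ok = any(hmac.compare_digest(hmac.new(secret, hdr + ZERO_AUTH + body, hashlib.md5).digest(), v)
                for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR)
    auth_ok = hmac.compare_digest(hashlib.md5(hdr + ZERO_AUTH + request[20:] + secret).digest(), request[4:20])
    return ma_ok and auth_ok


def verify_response(secret, request, response):
    """Return (code name, Error-Cause text or None); raise ValueError if the reply does not verify."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length/identifier mismatch")
    req_auth = request[4:20]
    expect = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expect, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or a different NAD answered")
    attrs = parse_avps(response[20:])
    for t, v in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            ma = hmac.new(secret, response[:4] + req_auth + _zero_ma(attrs), hashlib.md5).digest()
            if not hmac.compare_digest(ma, v):
                raise ValueError("bad Message-Authenticator")
    cause = None
    for t, v in attrs:
        if t == ATTR_ERROR_CAUSE:
            num = struct.unpack("!I", v)[0]
            cause = ERROR_CAUSES.get(num, "Error-Cause %d" % num)
    return CODE_NAMES.get(code, "code %d" % code), cause


def probe(wlc_mgmt_ip, secret, attrs, port=3799, timeout=3.0):
    """Send one CoA-Request to the WLC; None on timeout is the 'no response from the NAD' symptom."""
    req = build_coa_request(secret, os.urandom(1)[0], attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (wlc_mgmt_ip, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(secret, req, data)


if __name__ == "__main__":
    # Offline demonstration with constructed data; no controller is contacted.
    secret = b"hypothetical-secret"
    req = build_coa_request(secret, 7, session_attrs("10.0.0.5", "00-11-22-33-44-55", "5a3f0001"))
    print("NAD accepts request:", verify_request(secret, req), "/ wrong secret:", verify_request(b"x", req))
    nak = build_coa_response(secret, req, COA_NAK, [error_cause(503)])
    print("reply:", verify_response(secret, req, nak))
    # To test a real WLC: probe("10.0.0.5", secret, session_attrs(...), port=<WLC CoA port>)
```

Run `probe()` from the ISE PSN's address (or a host the WLC has as its RADIUS server) against the management IP. A `None` reproduces the timeout ISE logged; a NAK with "NAS Identification Mismatch" or "Session Context Not Found" means the packet reached the controller and was rejected, which points at session identification rather than routing. Pair it with `show radius rfc3576 stats` on the controller so you can see whether the counters move.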
