Hi,

Check if CoA port UDP 1700 is opened from ISE back to WLC. Also, if you have RADIUS interface overwrite and/or ISE is in a subnet where WLC has an interface, some nasty stuff can happen sometimes, where the NAS-IP and the source-ip of the RADIUS packet are different, and ISE replies on NAS-IP for CoA, and WLC doesn't like it....

2014-02-25 13:18 GMT+01:00 Bruno Silva <auranpr...@gmail.com>:

> Did you debug this Mike? Seems I have the same problem. Could you solve it?
>
> 2013-11-23 13:49 GMT-02:00 Bastien Migette <bastien.mige...@gmail.com>:
>
>> Maybe the CoA ACK from WLC doesn't reach ISE? Packet capture should solve
>> the mystery maybe.
>>
>> 2013/11/6 Mike Rojas <mike_c...@hotmail.com>
>>
>>> ------------------------------
>>> From: mike_c...@hotmail.com
>>> To: pio...@ipexpert.com
>>> Subject: RE: [OSL | CCIE_Security] ISE authentication for CWA and WLC
>>> Date: Wed, 6 Nov 2013 12:23:38 -0600
>>>
>>> Hi Piotr;
>>>
>>> It says:
>>> Dynamic Authorization failed : 11213 No response received from Network
>>> Access Device
>>> Network Device: GUEST_WLC : 192.168.200.2 :
>>>
>>> However, the Wireless client is set to the corresponding Vlan, it gets
>>> an IP on the Employee subnet, and it goes to the employee interface on the
>>> WLC.
>>>
>>> Jan;
>>>
>>> That's part of the Lab and works like a charm every time. When the user
>>> authenticates on the Guest portal, it does CoA and the new profile is being
>>> downloaded from the ISE (based on those credentials). Then a Java applet
>>> runs that changes the network parameters on the NIC and starts a new DHCP
>>> request for the Employee subnet.
>>>
>>> Mike.
>>>
>>> ------------------------------
>>> Date: Wed, 6 Nov 2013 13:26:24 +0100
>>> Subject: Re: [OSL | CCIE_Security] ISE authentication for CWA and WLC
>>> From: pio...@ipexpert.com
>>> To: mike_c...@hotmail.com
>>>
>>> Hi
>>>
>>> I don't recall any failed authentications following CWA. What is the
>>> failed message about?
>>>
>>> Regards,
>>> --
>>> Piotr Kaluzny
>>> CCIE #25665 (Security), CCSP, CCNP
>>> Sr. Technical Instructor - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> On Wed, Nov 6, 2013 at 2:58 AM, Mike Rojas <mike_c...@hotmail.com> wrote:
>>>
>>> Hi;
>>>
>>> I did the CWA for the wireless client and everything worked fine. The
>>> only thing weird is that I am seeing like 3 or 4 authentication successful
>>> and then a fail, but the CoA is being done correctly and the client is
>>> being re-assigned to the correct VLAN.
>>>
>>> Has anybody run into this behavior? Is it normal?
>>>
>>> Thanks!
>>>
>>> Mike.
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>
> --
> Bruno Silva
> Network Consultant
> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
> Arcsight Professional Certified - ACIA/ACSA

_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
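
The NAS-IP versus source-IP mismatch described in the top reply can be checked directly on a packet capture. The following is an added example, not code from any poster in this thread: it parses a RADIUS Access-Request payload and compares its NAS-IP-Address attribute (type 4) with the IP source address the packet arrived from. The sample packet is constructed, and 192.168.100.2 is a hypothetical second WLC interface address.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type (RFC 2865)
ACCESS_REQUEST = 1  # RADIUS packet code


def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and attributes of one UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def coa_target_mismatch(src_ip: str, packet: bytes):
    """Return (nas_ip, mismatch) for an Access-Request seen from src_ip."""
    msg = parse_radius(packet)
    if msg["code"] != ACCESS_REQUEST:
        return None, False
    values = msg["attrs"].get(NAS_IP_ADDRESS)
    if not values or len(values[0]) != 4:
        return None, False
    nas_ip = str(ipaddress.IPv4Address(values[0]))
    return nas_ip, nas_ip != src_ip


def build_access_request(nas_ip: str, user: bytes = b"guest") -> bytes:
    """Constructed sample packet with a zeroed authenticator, not a capture."""
    attrs = bytes([1, 2 + len(user)]) + user  # User-Name
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    # 192.168.200.2 is the WLC address shown in the thread; the second is assumed.
    pkt = build_access_request("192.168.200.2")
    for src in ("192.168.200.2", "192.168.100.2"):
        print(src, coa_target_mismatch(src, pkt))
```

A `True` mismatch on requests captured at the ISE side is the condition the reply warns about, and it is worth comparing against the address the CoA request is later sent to on UDP 1700.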