
CWA with ISE and 5760

acontes
Level 1

Hi,

We have an ISE 1.2 (Patch 5) and two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).

I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....

!
aaa authentication login Webauth_ISE group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization network Webauth_ISE group ISE
aaa accounting network ISE start-stop group ISE
!
aaa server radius dynamic-author
 client 10.232.127.13 server-key 0 blabla
 auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only
!
wlan test4guests 18 test4guests
 aaa-override
 accounting-list ISE
 client vlan 1605
 no exclusionlist
 mac-filtering cwa_macfilter
 mobility anchor
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list Webauth_ISE
 no shutdown
!

wc5# debug aaa coa

Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: COA: Message Authenticator decode passed
Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444:
Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
Feb 27 12:19:08.444:
wc5#
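For triaging output like the `debug aaa coa` capture above, here is an added example (not part of the original post and not Cisco code) that groups the debug lines into CoA exchanges and reports those whose response carries an error-cause. The function names and the line-format regexes are assumptions derived only from the lines shown in this post.

```python
import re

# Excerpt of the debug output above, shortened to the lines the parser uses.
SAMPLE = """\
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
"""

STAMP = r"^\w{3}\s+\d+\s+[\d:.]+:\s*"  # "Feb 27 12:19:08.444:" prefix (assumed format)
QUEUED = re.compile(STAMP + r"COA:\s+(\S+)\s+request queued")
SECTION = re.compile(STAMP + r"\+{6}\s*(.+?)\s*\+{6}")
ATTR = re.compile(STAMP + r"[0-9A-F]{8}\s+\d+\s+[0-9A-F]{8}\s+([\w-]+)\(\d+\)\s+\d+\s+(.*)$")

def parse_coa(text):
    """Return one dict per CoA exchange: sender, request attrs, response attrs."""
    exchanges, current, section = [], None, None
    for line in text.splitlines():
        if m := QUEUED.match(line):        # a new CoA request starts here
            current = {"source": m.group(1), "request": {}, "response": {}}
            exchanges.append(current)
            section = None
        elif m := SECTION.match(line):     # "++++++ ... Attribute List ++++++"
            section = "response" if "response" in m.group(1).lower() else "request"
        elif (m := ATTR.match(line)) and current is not None and section:
            current[section][m.group(1)] = m.group(2).strip()
    return exchanges

def failures(exchanges):
    """Summarise exchanges whose response contains an error-cause attribute."""
    report = []
    for ex in exchanges:
        req, cause = ex["request"], ex["response"].get("error-cause")
        if cause:
            report.append({"source": ex["source"], "nas": req.get("nas-ip-address"),
                           "client": req.get("formatted-clid"),
                           "session": req.get("audit-session-id"), "error": cause})
    return report

if __name__ == "__main__":
    for row in failures(parse_coa(SAMPLE)):
        print(row)
```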


Venkatesh Attuluri
Cisco Employee

Try "Evaluate Configuration Validator", which can be found under "Operations > Diagnostic Tools".

acontes
Level 1

The reason for this is two bugs which prevent this from working:

https://tools.cisco.com/bugsearch/bug/CSCul83594

https://tools.cisco.com/bugsearch/bug/CSCun38344

This is embarrassing because this is a really common scenario. QA anyone?

So, with ISE and 5760, CWA is not working at this time.