My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything works fine so far.
But from time to time I get these strange messages (it does not matter if I do a manual Session termination in the Operations Tab). Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
With ISE 2.0 patch 2 (2x 3495) and WLC 5508 8.1.131 I have the same problem. On the WLC, with RADIUS debug activated, the CoA is working:
Received a 'CoA-Request' from 172.17.2.243 port 65393
Handling a valid 'CoA-Request' regarding station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: 64:b8:53:fe:95:03 Reauthenticating station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: Sent a 'CoA-Ack' to 172.17.2.243 (port:65393)
but on ISE I received:
5417 Dynamic Authorization failed
11103 RADIUS-Client encountered error during processing flow
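An added example, not part of the posts in this thread and not Cisco code: a small Python helper that reads WLC RADIUS debug output in the format quoted above and pairs every CoA-Request with the reply the controller sent back to the same IP and port, so requests that ISE reports as failed can be checked against what the WLC actually answered. It matches only the message formats visible in the post; the second request in the sample is constructed.

```python
import re

# Patterns follow the debug lines quoted in the post above.
REQ = re.compile(r"Received a 'CoA-Request' from (\S+) port (\d+)")
STA = re.compile(r"Handling a valid 'CoA-Request' regarding station ([0-9a-f:]{17})", re.I)
REPLY = re.compile(r"Sent a '([\w-]+)' to (\S+) \(port:(\d+)\)")

def correlate_coa(lines):
    """Pair each CoA-Request with the reply sent to the same source IP and port."""
    exchanges, pending, current = [], {}, None
    for line in lines:
        if m := REQ.search(line):
            current = {"source": m.group(1), "port": int(m.group(2)),
                       "station": None, "reply": None}
            pending[(current["source"], current["port"])] = current
            exchanges.append(current)
        elif (m := STA.search(line)) and current is not None:
            current["station"] = m.group(1).lower()
        elif m := REPLY.search(line):
            exchange = pending.pop((m.group(2), int(m.group(3))), None)
            if exchange is not None:
                exchange["reply"] = m.group(1)
    return exchanges

def unacknowledged(exchanges):
    """Requests the WLC never answered, or answered with something other than CoA-Ack."""
    return [e for e in exchanges if e["reply"] != "CoA-Ack"]

# First four lines are from the post; the last two are constructed (no reply follows).
SAMPLE = """\
Received a 'CoA-Request' from 172.17.2.243 port 65393
Handling a valid 'CoA-Request' regarding station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: 64:b8:53:fe:95:03 Reauthenticating station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: Sent a 'CoA-Ack' to 172.17.2.243 (port:65393)
Received a 'CoA-Request' from 172.17.2.243 port 65401
Handling a valid 'CoA-Request' regarding station 02:00:00:00:00:01
""".splitlines()

if __name__ == "__main__":
    for e in correlate_coa(SAMPLE):
        status = e["reply"] or "NO REPLY SEEN"
        print(f'{e["source"]}:{e["port"]} station={e["station"]} -> {status}')
```

An exchange that shows a CoA-Ack here while ISE still logs 5417 for the same session means the controller did answer, which moves the investigation to the path between WLC and PSN or to ISE itself.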
Not sure if this will help you in particular, but I was consistently having this issue with ISE 1.3 and WLC running 7.6.
After a device would go through provisioning and then posture assessment, ISE would clear them for access. I would get this error and, looking on the WLC client detail, see that the device was still in Posture_REQ state and would still have the web redirect URL. I could manually 'fix' this by having the device disconnect and reconnect to the wireless; they would then be assigned the proper authz profile and access.
After much troubleshooting and trying to tear out non-existent hair, I discovered I had forgotten to check the RFC 3576 box under the RADIUS server entry for ISE on the WLC. As soon as I did, CoA started working 100%.