Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dynamic Authorization Failed: DiconnectNAK

I have WLC 7.6 and ISE 1.2 Patch 6.

My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.

But from time to time I get these strange message (it does not matter if I do a manual Session termination in the Operations Tab) Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).

Here the corresponding Log-Entry:

0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,

Has anybody ever had the same expirence, or is this a know issue?

Thanks for feedback!

CoA-Problem.png

Everyone's tags (7)
5 REPLIES
New Member

Dynamic Authorization Failed: DiconnectNAK

New Member

Hi mstraessle, I have also

Hi mstraessle,

 

I have also facing the same issue with wlc 7.6.130 and ISE 1.2.0.899 patch 7 .Do you found any solution for the same.

 

 

 

New Member

Unfortunatly not... An

Unfortunatly not... An upgrade to 1.4 patch 3 and WLC 8.1 helped finally, for whatever reason...

Did you find any other solution?

New Member

Ciao,

Ciao,

with ISE 2.0 patch 2 (2x 3495) and WLC 5508 8.1.131 I've the same problem. On WLC with RADIUS debug activates the CoA is working: but

Received a 'CoA-Request' from 172.17.2.243 port 65393

...

Handling a valid 'CoA-Request' regarding station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: 64:b8:53:fe:95:03 Reauthenticating station 64:b8:53:fe:95:03
*radiusCoASupportTransportThread: Feb 10 15:31:33.448: Sent a 'CoA-Ack' to 172.17.2.243 (port:65393)

but on ISE I received:

5417 Dynamic Authorization failed

11103 RADIUS-Client encountered error during processing flow

On clients everything works fine.

Thanks

New Member

Not sure if this will help

Not sure if this will help you in particular, but I was consistently having this issue with ISE 1.3 and WLC running 7.6.

After a device would go through provisioning and then posture assessment ISE would clear them for access. I would get this error and looking on the WLC client detail see that the device was still in Posture_REQ state and would still have the web redirect URL. I could manually 'fix' this by having the device disconnect and reconnect to the wireless, they would then be assigned the proper authz profile and access.

After much troubleshooting and trying to tear out non-existent hair I discovered I had forgotten to check the RFC 3576 box under the radius server entry for ISE on the WLC. As soon as I did CoA started working 100%.

1335
Views
5
Helpful
5
Replies