ISE 1.2 - Dynamic Authorization Failed

Hello!

In my network design I use ISE for CWA with a WLC, but when a client enters his credentials, the CoA fails with this error: "11213 No response received from Network Access Device after sending a Dynamic Authorization request"

This error is really strange because I can contact the ISE from the WLC. My ISE and my broadcast network are in the same VLAN; is it possible that this error comes from this network architecture?

My ISE is patched with cumulative patch 7, and for information, I can do a "manual CoA" by disconnecting/reconnecting the client manually, after which the client has network access.

Configuration used for ISE and WLC: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html

Thanks in advance if you have the least clue to resolve this issue.

Kévin

5 REPLIES
New Member

I had this exact issue due to "radius service overwrite interface" being checked. Can you verify this?

See the info below:

On the WLC, navigate to Security > RADIUS > Authentication. Click on the server index number for the associated ISE node. On the edit screen, verify that the Support for RFC 3576 option is enabled.

On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question. On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked. When this option is checked, the WLC will attempt to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface. Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface. As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.

Bug Info: https://tools.cisco.com/bugsearch/bug/CSCuj42870

New Member

Thanks for your help, but the "radius service overwrite interface" option was already unchecked and Support for RFC 3576 is indeed checked.

Another question that may help: is it normal that the "NAS IP Address" is different between the different steps of Web Authentication? In the authentication log, the service port and the management interface are both used.

EDIT: Oops, wrong account used.

New Member

I will perform some additional testing and let you know my results. I have this setup in the lab now with ISE 1.2 Patch 7 as well. Since I only have a couple of PCs in the lab, I've noticed that I am unable to terminate the user's session manually, so I usually end up stopping and restarting the services. This is how I clear my live sessions.

Is your setup in a lab or production? If it's in a lab, can you restart ISE and your WLC? I know when I first did my "debug client <mac>", my Airespace ACL was showing the incorrect ACL ID. After a reboot of ISE and recreating my WLC ACL, it went away. I haven't noticed my service IP ever showing up in ISE. I usually see the user's MAC address, then a john.doe@abc.com "User Authentication" with his IP. Next it's the WLC management interface, and finally the User Authorization again showing Authz Internet-Only.

My lab does not always function 100%, so I am hoping that after we go live this weekend these flaky issues go away. One of my problems is I don't have internet access, just a web server hosting a web page. I'll keep notes on anything I find that will hopefully assist you.

New Member

Thanks for your help.

I have restarted my WLC and ISE, but there is no difference. For the moment my setup is in a lab, but it will be in production soon (if this problem is solved).

I also have this kind of message in my WLC log:

*radiusCoASupportTransportThread: Apr 17 14:23:38.060: #AAA-3-COA_WRONG_NAS_IP: radiusCoAsupport.c:1023 Received IP address[my_service-port_if] for CoA Packet.

New Member

New thing!

I can do a reauthentication manually via the "Show Live Sessions" page, but still no automatic CoA, and my rfc3576 statistics stay at 0:

Server Index..................................... 1
Server Address................................... 172.30.184.112
Disconnect-Requests.............................. 0
COA-Requests..................................... 0
Retransmitted Requests........................... 0
Malformed Requests............................... 0
Bad Authenticator Requests....................... 0
Other Drops...................................... 0
Sent Disconnect-Ack.............................. 0
Sent Disconnect-Nak.............................. 0
Sent CoA-Ack..................................... 0
Sent CoA-Nak..................................... 0

Thanks!
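To turn the two artifacts quoted in this thread (the WLC rfc3576 counters and the COA_WRONG_NAS_IP log line) into a repeatable check, here is an added triage script that is not part of the thread or of any Cisco tool. It parses the counter table, scans log lines for the wrong-NAS-IP rejection, and reports which stage the CoA failed at; the sample stats and log lines are constructed, and the service-port address in the log is a made-up value.

```python
import re

# Constructed sample of the WLC "show radius rfc3576 statistics" counters
# quoted in the thread (trimmed to the fields the triage uses).
SAMPLE_STATS = """Server Index..................................... 1
Server Address................................... 172.30.184.112
Disconnect-Requests.............................. 0
COA-Requests..................................... 0
Bad Authenticator Requests....................... 0
Sent Disconnect-Ack.............................. 0
Sent CoA-Ack..................................... 0
Sent CoA-Nak..................................... 0
"""
# Constructed WLC log lines; the first mirrors the COA_WRONG_NAS_IP line in
# the thread, with a constructed (documentation-range) service-port address.
SAMPLE_LOG = [
    "*radiusCoASupportTransportThread: Apr 17 14:23:38.060: #AAA-3-COA_WRONG_NAS_IP: "
    "radiusCoAsupport.c:1023 Received IP address[192.0.2.10] for CoA Packet.",
    "*apfReceiveTask: Apr 17 14:23:40.000: unrelated message",
]

STAT_LINE = re.compile(r"^(?P<name>[A-Za-z -]+?)\.{2,}\s*(?P<value>\S+)$")
WRONG_NAS = re.compile(r"COA_WRONG_NAS_IP:.*Received IP address\[(?P<ip>[^\]]+)\]")

def parse_rfc3576_stats(text):
    """Parse the dotted-leader counter table into a dict (numeric values as int)."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            v = m.group("value")
            stats[m.group("name").strip()] = int(v) if v.isdigit() else v
    return stats

def triage_coa(stats, log_lines):
    """Classify why dynamic authorization failed; returns (verdict, detail)."""
    wrong = [m.group("ip") for m in map(WRONG_NAS.search, log_lines) if m]
    if wrong:
        return "wrong-nas-ip", "WLC rejected a CoA addressed to %s (COA_WRONG_NAS_IP)" % wrong[0]
    received = stats.get("COA-Requests", 0) + stats.get("Disconnect-Requests", 0)
    if received == 0:
        return "no-coa-received", "RFC 3576 counters at 0: no CoA ever reached the WLC"
    if stats.get("Bad Authenticator Requests", 0):
        return "bad-authenticator", "CoA received but authenticator check failed (shared secret?)"
    acked = stats.get("Sent CoA-Ack", 0) + stats.get("Sent Disconnect-Ack", 0)
    if acked == 0:
        return "nak-or-drop", "CoA received but never acknowledged"
    return "ok", "CoA received and acknowledged"
```

Run `triage_coa(parse_rfc3576_stats(SAMPLE_STATS), SAMPLE_LOG)` to reproduce the thread's situation; feeding it the output of `show radius rfc3576 statistics` and `show msglog` from a real WLC gives the same classification.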
