Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1174
Views
0
Helpful
4
Replies

CoA Failure between ISE 2.1 and WLC 8.0.133

mbowyer
Level 1
Level 1

‎01-12-2017 05:20 AM - edited ‎03-11-2019 12:21 AM

All, I have a distributed ISE deployment (3 PSNs) and three WLC's. The ISE is recording the following errors on all three WLC's "11215 No response has been received from Dynamic Authorization Client in ISE ". The RADIUS configuration on all WLC's includes RFC 3576 (CoA) as "enabled". The devices are not separated by a firewall. Wireless users are authenticated and allowed access and I can see the client change status as the ISE sends the authorization messages back to WLC. We also had wireless guest access working (Web Redirect) which I though for sure used CoA (change client status from webauth to run). Any assistance would be greatly appreciated.

Labels:
0 Helpful
4 Replies 4

nspasov
Cisco Employee
Cisco Employee

‎01-12-2017 09:47 AM

Are you actually seeing any issues with CoA (For instance, is CWA, Posture, etc not working) or you are just seeing the error message?

Also, a couple of questions:

1. what are your "Advanced" settings look like under the SSID

2. Do you have any patches installed on the 2.1 ISE train

3. Are you running FlexConnect

Thank you for rating helpful posts!

0 Helpful

mbowyer
Level 1
Level 1
In response to nspasov

‎01-12-2017 09:55 AM

Neno,

From the bottom up:

  • No flex-connect
  • Patches 1 and 2 (just upgraded from 1.4 this past weekend)
  • Advanced settings include "Override AAA", "RADIUS NAC" and "DHCP Profiling Enabled", plus all of the other default settings
  • Upon further investigation, some of the messages are "CoA-NAK: Session not found" errors, which I guess might be normal if the client simply "left the building" and the wireless session was terminated before the PSN sent the CoA message...

My original querry on the Public Internet and within this forum only found references to old, old ISE (like 1.1, 1.2... yuck!) so I was hoping for some guidance with regards to "real" ISE (i.e. 2x+)

Any thoughts?

0 Helpful

mbowyer
Level 1
Level 1
In response to mbowyer

‎01-12-2017 10:00 AM

Maybe I'm getting worked up over nothing, but the appearance of issues with Change of Authority have folks nervous...

Thanks again, 
Mike

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to mbowyer

‎01-12-2017 10:21 AM

I just checked and my home lab matches the versions of code and configuration settings that you have and I have not seen this issue. If you are not having issues with functionality then I would not worry about it :)

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents