Maybe the CoA ACK from WLC doesn't reach ISE ? Packet capture shoud solve the mistery maybe.
2013/11/6 Mike Rojas <mike_c...@hotmail.com> > > > ------------------------------ > From: mike_c...@hotmail.com > To: pio...@ipexpert.com > Subject: RE: [OSL | CCIE_Security] ISE authentication for CWA and WLC > Date: Wed, 6 Nov 2013 12:23:38 -0600 > > Hi Piotr; > > It says: > Dynamic Authorization failed : 11213 No response received from Network > Access > Device<https://10.198.28.29/mntreport/servlet/GenericRedirector?command=submit&__requesttype=immediate&invokeSubmit=true&__executableName=/home/admin/Failure_Reason/Authentication_Failure_Code_Lookup.rptdesign&rptFailureReason=11213+No+response+received+from+Network+Access+Device&__locale=en_US&iportalID=QHLVSY&__masterpage=false&__newWindow=false> > Network Device: > GUEST_WLC<https://10.198.28.29/mntreport/servlet/GenericRedirector?command=submit&__requesttype=immediate&invokeSubmit=true&__executableName=/home/admin/Network_Device/Network_Device_Authentication_Summary.rptdesign&rptTimeRange=lastMonth&rptNetworkDevice=GUEST_WLC&rptProtocol=RADIUS&__locale=en_US&iportalID=QHLVSY&__masterpage=false&__newWindow=false> > : > 192.168.200.2<https://10.198.28.29/mntreport/servlet/GenericRedirector?command=submit&__requesttype=immediate&invokeSubmit=true&__executableName=/home/admin/Network_Device/Session_Status_Summary.rptdesign&rptNetworkDeviceIP=192.168.200.2&__locale=en_US&iportalID=QHLVSY&__masterpage=false&__newWindow=false> > : > > However, the Wireless client is set to the corresponding Vlan, it gets an > IP on the Employee subnet, and it goes to the employee interface on the > WLC. > > Jan; > > That's part of the Lab and works like a charm everytime. When the user > authenticate on the Guest portal, it does CoA and the new profile is being > downloaded from the ISE (based on those credentials). Then a Java applet > runs that changes the network parameters on the NIC and starts a new DHCP > request for the Employee subnet. > > > Mike. > > ------------------------------ > Date: Wed, 6 Nov 2013 13:26:24 +0100 > Subject: Re: [OSL | CCIE_Security] ISE authentication for CWA and WLC > From: pio...@ipexpert.com > To: mike_c...@hotmail.com > > Hi > > I don't recall any failed authentications following CWA. What is the > failed message about? > > Regards, > -- > Piotr Kaluzny > CCIE #25665 (Security), CCSP, CCNP > Sr. Technical Instructor - IPexpert, Inc. > URL: http://www.IPexpert.com > > ***Want to win a free iPad mini? Just follow us on > Twitter<http://www.twitter.com/ipexpert>or "Like" our > Facebook <http://www.facebook.com/ipexpert> page and be entered into a > weekly drawing! > <http://www.IPexpert.com> > > > On Wed, Nov 6, 2013 at 2:58 AM, Mike Rojas <mike_c...@hotmail.com> wrote: > > Hi; > > I did the CWA for the wireless client and everything worked fine. The only > thing weird is that I am seeing like 3 or 4 authentication successful and > then a fail, but the CoA is being done correctly and the client is being > re-assinged to the correct VLAN. > > Has anybody run into this behavior? Is it normal? > > Thanks! > > Mike. > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc