We had a wireless security implementation at a customer site which consisted of the following components:
- Cisco Wireless LAN Controllers
- Cisco Prime Infrastructure
- Cisco Identity Services Engine
The setup included a wireless LAN for guest access using the Cisco ISE guest portal functionality.
We started by configuring the WLCs and the ISE environment, and having done that, everything worked like a charm. A couple of days later we were not able to connect to the wireless network.
The error reported in the ISE Authentications overview was:
Dynamic Authorization Failed : 11213 No responds received from Network Access Device
After some searching, we found out that the support for Change of Authorization (CoA - RFC 3576) was disabled on the Cisco Wireless LAN Controllers (what you would call a WTF moment).
It turned out that the problem got introduced after we started using the Cisco Prime Infrastructure tool to manage the Wireless LAN Controller. Digging through that, we found the reason for our problem:
The Prime management tool works with templates. These templates are completely empty. So when you start using a template for your security settings (RADIUS servers), you need to set the support for CoA explicitly in the template.
So you can set the RFC support on the individual WLCs, but if the Prime template says otherwise, the feature just gets turned off.
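A drift check for the situation described above, as an added example that is not part of the original post: it parses a WLC RADIUS server summary and reports the ISE nodes whose RFC 3576 (CoA) support is not enabled. The sample output is constructed, its column layout (modelled on AireOS `show radius summary`) is an assumption, and the ISE addresses are placeholders.

```python
import re

# Constructed sample; the column layout is an assumption modelled on AireOS
# "show radius summary" and may differ between releases.
SAMPLE = """\
Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576
---  ----  ----------------  ------  --------  ----  --------  -------
1    N     192.0.2.10        1812    Enabled   2     2         Disabled
2    N     192.0.2.11        1812    Enabled   2     2         Enabled

Accounting Servers

Idx  Type  Server Address    Port    State     Tout
---  ----  ----------------  ------  --------  ----
1    N     192.0.2.10        1813    Enabled   2
"""

def parse_rows(text):
    """Return one dict per table row, keyed by the header above its ruler."""
    rows, spans, names = [], None, None
    lines = text.splitlines()
    for prev, line in zip([""] + lines, lines):
        if re.fullmatch(r"-+(\s+-+)*\s*", line):
            # The dashed ruler gives the column offsets; headers such as
            # "Server Address" contain spaces, so splitting on blanks fails.
            starts = [m.start() for m in re.finditer(r"-+", line)]
            spans = list(zip(starts, starts[1:] + [None]))
            names = [prev[a:b].strip() for a, b in spans]
        elif not line.strip():
            spans = None  # a blank line ends the current table
        elif spans:
            rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows

def coa_findings(summary, ise_nodes):
    """Map each ISE node to 'Disabled' or 'missing' when CoA is not enabled."""
    # Accounting rows carry no RFC3576 column and must not mask the auth entry.
    state = {r["Server Address"]: r["RFC3576"]
             for r in parse_rows(summary) if "RFC3576" in r}
    return {ip: state.get(ip, "missing")
            for ip in ise_nodes if state.get(ip) != "Enabled"}

if __name__ == "__main__":
    # Placeholder ISE node addresses; 192.0.2.30 is absent from the WLC config.
    for ip, why in coa_findings(SAMPLE, ["192.0.2.10", "192.0.2.11", "192.0.2.30"]).items():
        print(f"CoA not usable for ISE node {ip}: {why}")
```

Running this against every controller after each Prime template push catches the silent CoA disablement before guests hit error 11213.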