MR33 COA with ISE not working

Solved
RichardChen1
Getting noticed


I was doing my lab for CWA - Central Web Authentication with Cisco ISE.

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w...

 

After entering the correct username/pw on the ISE CWA portal, the COA was sent from ISE to MR33.

However, I encountered the following MSG on ISE; it seems that COA failed because MR33 is not responding.

[Image: iseee.jpg]

 

I did enable COA on Dashboard SSID Access control.

 

Is there a way I can verify that COA/port 1700 is enabled on all MR33 APs? Telnet?

 

My AP and ISE are on different subnets, no firewall in between them.

1 Accepted Solution
MerakiDave
Meraki Employee

The MR33 is online in Dashboard normally I assume.  Does running a packet capture on the wired interface of the AP reveal anything interesting?  Thinking either the AP is not receiving the CoA in the first place.  And if they're on different subnets, perhaps there's a switch in between that can be another point for a pcap to see if the CoA isn't making it past a certain point.  
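
To act on the packet-capture suggestion above, the following added example (not code from the thread, Meraki or Cisco) reads a classic-format pcap and pairs each RADIUS CoA-Request sent to UDP 1700 with its CoA-ACK/NAK by identifier, so an unanswered or retransmitted CoA stands out. The function names, addresses and the embedded sample capture are constructed for illustration.

```python
import struct

COA_PORT = 1700  # port named in the thread (RFC 5176 itself defaults to 3799)
CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}  # RFC 5176 packet codes

def udp_datagrams(pcap):
    """Yield (src, sport, dst, dport, payload) per IPv4/UDP frame of a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        ip, ethertype = pcap[off + 30:off + 16 + incl], pcap[off + 28:off + 30]
        off += 16 + incl
        ihl = (ip[0] & 0x0F) * 4 if ip else 0
        if ethertype != b"\x08\x00" or ihl < 20 or len(ip) < ihl + 8 or ip[9] != 17:
            continue  # not untagged IPv4/UDP (VLAN-tagged frames are skipped here)
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        yield (".".join(map(str, ip[12:16])), sport,
               ".".join(map(str, ip[16:20])), dport, ip[ihl + 8:ihl + ulen])

def coa_exchanges(pcap, port=COA_PORT):
    """Pair each CoA-Request sent to `port` with its ACK/NAK (reply is None if unanswered)."""
    pending, results = {}, []
    for src, sport, dst, dport, data in udp_datagrams(pcap):
        if len(data) < 20 or data[0] not in CODES:
            continue  # too short for a RADIUS header, or not a CoA packet code
        code, ident = data[0], data[1]
        if dport == port and code == 43:
            key = (src, sport, dst, ident)
            if key in pending:  # same identifier seen again: a retransmission
                pending[key]["tries"] += 1
            else:
                pending[key] = {"to": dst, "id": ident, "tries": 1, "reply": None}
                results.append(pending[key])
        elif sport == port and code != 43 and (dst, dport, src, ident) in pending:
            pending.pop((dst, dport, src, ident))["reply"] = CODES[code]
    return results

def _rec(src, sport, dst, dport, code, ident):  # constructed pcap record, bare RADIUS header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    udp = struct.pack("!HHHHBBH16x", sport, dport, 28, 0, code, ident, 20)
    return struct.pack("<IIII", 0, 0, 62, 62) + bytes(12) + b"\x08\x00" + ip + udp

ISE, AP = (10, 0, 1, 10), (10, 0, 2, 33)  # constructed lab addresses
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _rec(ISE, 40000, AP, 1700, 43, 7) * 3   # CoA-Request sent 3 times, never answered
          + _rec(ISE, 40000, AP, 1700, 43, 8)       # CoA-Request ...
          + _rec(AP, 1700, ISE, 40000, 44, 8))      # ... answered with CoA-ACK
```

For a real check, pass the bytes of a capture taken on the AP's wired interface, for example `coa_exchanges(open("ap-wired.pcap", "rb").read())` (hypothetical filename); pcapng files need converting to classic pcap first.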


RichardChen1
Getting noticed

Thanks @MerakiDave 

Issue resolved.

 

My lab ISE was running on VMware that bridged to a wireless connection.

 

I was able to resolve it by changing from a wireless to a wired connection.

 

 
