Cisco ISE / WLC

The Cisco adapter uses RADIUS CoA/DM per RFC 5176 with Cisco-specific Vendor-Specific Attributes (VSAs) to terminate guest WiFi sessions. Cisco's CoA implementation requires additional attributes beyond the base RFC.

Prerequisites

  • Cisco WLC (Wireless LAN Controller) or Cisco ISE managing guest WiFi.
  • A CoA shared secret configured on the WLC/ISE.
  • UDP port 3799 (or 1700 on older WLC firmware) open from the Atrium Agent to the controller.

Cisco WLC configuration

  1. Configure the Atrium Agent as a RADIUS server on the WLC (for authentication and accounting).
  2. Enable CoA: On the WLC, navigate to Security → AAA → RADIUS → Authentication and ensure "RFC 3576" is enabled for the Agent's RADIUS entry. RFC 3576 is the predecessor of RFC 5176; the WLC still uses the older label for the same Dynamic Authorization feature.
  3. Set the CoA port: Modern WLC firmware uses port 3799. Older versions (pre-8.0) use port 1700. Check your firmware version.
  4. Configure Accounting: Ensure the guest WLAN sends RADIUS Accounting to the Agent.

Cisco ISE configuration

If you're using ISE as a RADIUS proxy:

  1. Add the Atrium Agent as an external RADIUS server in ISE.
  2. Configure the guest portal to use this RADIUS server for authentication.
  3. Enable CoA in the network device profile for your WLC.
  4. Set the CoA shared secret to match the Agent's configuration.

Agent configuration

Variable              Value
FIREWALL_ADAPTER      cisco
FIREWALL_HOST         IP of the WLC or ISE
FIREWALL_COA_SECRET   CoA shared secret
FIREWALL_COA_PORT     3799 (or 1700 for older WLC firmware)

Cisco-specific VSAs

Cisco's CoA implementation requires vendor-specific attributes (Cisco AVPair) in the Disconnect-Message. The Atrium Agent includes these automatically:

  • Cisco-AVPair: subscriber:command=disconnect-request
  • Cisco-AVPair: subscriber:audit-session-id=<session-id>

The audit-session-id is obtained from RADIUS Accounting messages. If Accounting is not configured, the adapter falls back to User-Name + NAS-IP-Address matching, which may be less reliable on Cisco controllers.
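The Disconnect-Request described above, as an added example that is not the Atrium Agent's own code: it encodes the two Cisco-AVPair VSAs (vendor 9, vendor-type 1) together with User-Name and NAS-IP-Address, computes the RFC 5176 Request Authenticator, and decodes the VSAs back out so an operator can check what a captured packet carries. The shared secret, user name, NAS address and audit-session-id values are constructed placeholders.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 Disconnect-Request packet code
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 4, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Cisco-AVPair is vendor-type 1 under vendor 9

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific (type 26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_disconnect_request(identifier, secret, user_name, nas_ip, audit_session_id):
    """Build the Disconnect-Request an adapter would send to the WLC/ISE (constructed inputs)."""
    attrs = (attr(ATTR_USER_NAME, user_name.encode())
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + cisco_avpair("subscriber:command=disconnect-request")
             + cisco_avpair(f"subscriber:audit-session-id={audit_session_id}"))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator (RFC 5176 section 2.3): MD5 over the packet with the
    # 16-octet authenticator field zeroed, followed by the shared secret.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator the way the receiving NAS does."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

def cisco_avpairs(packet: bytes) -> list:
    """Decode the Cisco-AVPair strings carried in the packet's VSAs."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) > 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR):
            pairs.append(value[6:4 + value[5]].decode())
        pos += alen
    return pairs
```

A mismatched shared secret or port shows up on the controller as a silently dropped or NAKed request, which is why verify_request_authenticator is the first check worth running against a capture. The example omits the Message-Authenticator attribute, which a production sender may also need to include.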

Troubleshooting

Issue                                      Possible cause
Wrong CoA port                             Older WLC uses 1700, newer uses 3799. Check firmware version and set FIREWALL_COA_PORT accordingly.
Missing audit-session-id                   RADIUS Accounting not configured on the WLC. The adapter needs the Acct-Session-Id from Accounting Start messages.
CoA rejected by ISE                        The network device profile in ISE may not have CoA enabled, or the shared secret doesn't match.
Session terminates but re-authenticates    The WLC may re-authenticate the device via cached credentials. Ensure voucher revocation on the Agent has completed before sending CoA.