Home
Wireless
Cisco ISE Web Redirect Flow – WLC CoA Sequence

Cisco ISE Web Redirect Flow – WLC CoA Sequence

Kerry Cordero
Wireless
4 min read
  1. Client joins SSID

    • Client MAC address
    • SSID / WLAN
    • Client VLAN or policy profile, if already assigned
  2. WLC sends RADIUS Access-Request to ISE

    • WLC / NAD name
    • WLC source IP
    • Called-Station-ID / SSID
    • Calling-Station-ID / client MAC
    • NAS-IP-Address
    • Audit Session ID / Acct Session ID
  3. ISE evaluates the Policy Set, Authentication Policy, and Authorization Policy

    ◄── Authorization Profile is selected here

    • Matched Policy Set
    • Matched Authentication Rule
    • Matched Authorization Rule
    • Selected Authorization Profile
  4. ISE returns Access-Accept with attributes from the Authorization Profile

    ◄── URL redirect instructions are SENT here

    • Redirect URL
    • Redirect ACL name
    • Airespace/Cisco AV-pairs, platform-dependent
    • VLAN, DACL, SGT, or other authorization result, if used
  5. WLC applies redirect policy to that client session

    ◄── URL redirect is HONORED / INSTALLED here

    • Redirect URL visible on WLC client session
    • Redirect ACL applied to client session
    • Central web authentication / URL redirect state active
  6. Client generates web traffic

    • HTTP traffic is best for testing captive portal redirect
    • HTTPS/HSTS traffic may not show the redirect cleanly
  7. WLC intercepts traffic based on the redirect ACL

    ◄── URL redirect is ENFORCED here

    • ACL name must exactly match what ISE sent
    • ACL semantics must be correct for the WLC platform
    • DNS and portal traffic must be allowed as required
  8. Client is redirected to the ISE portal URL

    • Portal FQDN
    • Portal TCP port, such as 443 or 8443
    • Redirect URL should match what ISE generated or what is configured in the Authorization Profile
  9. Client reaches ISE portal through DNS/NAT/firewall

    ◄── Portal FQDN / NAT / firewall reachability tested here

    • Client DNS resolves portal FQDN to expected NAT/VIP IP
    • Client routes toward expected firewall path
    • Palo NAT policy receives hits
    • Traffic translates to the correct ISE PSN or portal VIP
  10. User completes portal flow

    • Guest authentication, BYOD registration, posture, or portal action completes
    • ISE updates endpoint/session state
  11. ISE sends CoA to WLC

    ◄── CoA issue is here

    • ISE PSN source IP
    • WLC destination IP
    • UDP/1700
    • CoA type: Cisco CoA
    • Observed errors: 5417 / 11100 / 11103
  12. WLC processes CoA and reauthorizes client

    • WLC should return CoA-ACK or CoA-NAK
    • Client session must exist on WLC
    • ISE PSN source IP must be configured as valid RADIUS/CoA server on WLC
    • RADIUS shared secret must match
  13. ISE returns final authorization

    • Final Authorization Rule matched
    • Final Authorization Profile returned
    • Redirect removed
    • Final VLAN, ACL, SGT, or access policy applied, if used
  14. Client gets post-portal access

    • Client moves out of redirect/onboarding state
    • Expected network access is applied
© 2025 cordero.me • All Rights Reserved