Cisco ISE Web Redirect Flow – WLC CoA Sequence

  1. Client joins SSID

    • Client MAC address
    • SSID / WLAN
    • Client VLAN or policy profile, if already assigned
  2. WLC sends RADIUS Access-Request to ISE

    • WLC / NAD name
    • WLC source IP
    • Called-Station-ID / SSID
    • Calling-Station-ID / client MAC
    • NAS-IP-Address
    • Audit Session ID / Acct Session ID
  3. ISE evaluates the Policy Set, Authentication Policy, and Authorization Policy

    ◄── Authorization Profile is selected here

    • Matched Policy Set
    • Matched Authentication Rule
    • Matched Authorization Rule
    • Selected Authorization Profile
  4. ISE returns Access-Accept with attributes from the Authorization Profile

    ◄── URL redirect instructions are SENT here

    • Redirect URL
    • Redirect ACL name
    • Airespace/Cisco AV-pairs, platform-dependent
    • VLAN, DACL, SGT, or other authorization result, if used
  5. WLC applies redirect policy to that client session

    ◄── URL redirect is HONORED / INSTALLED here

    • Redirect URL visible on WLC client session
    • Redirect ACL applied to client session
    • Central web authentication / URL redirect state active
  6. Client generates web traffic

    • HTTP traffic is best for testing captive portal redirect
    • HTTPS/HSTS traffic may not show the redirect cleanly
  7. WLC intercepts traffic based on the redirect ACL

    ◄── URL redirect is ENFORCED here

    • ACL name must exactly match what ISE sent
    • ACL semantics must be correct for the WLC platform
    • DNS and portal traffic must be allowed as required
  8. Client is redirected to the ISE portal URL

    • Portal FQDN
    • Portal TCP port, such as 443 or 8443
    • Redirect URL should match what ISE generated or what is configured in the Authorization Profile
  9. Client reaches ISE portal through DNS/NAT/firewall

    ◄── Portal FQDN / NAT / firewall reachability tested here

    • Client DNS resolves portal FQDN to expected NAT/VIP IP
    • Client routes toward expected firewall path
    • Palo Alto firewall NAT policy receives hits
    • Traffic translates to the correct ISE PSN or portal VIP
  10. User completes portal flow

    • Guest authentication, BYOD registration, posture, or portal action completes
    • ISE updates endpoint/session state
  11. ISE sends CoA to WLC

    ◄── CoA is ISSUED here

    • ISE PSN source IP
    • WLC destination IP
    • UDP/1700
    • CoA type: Cisco CoA
    • Observed errors: 5417 / 11100 / 11103
  12. WLC processes CoA and reauthorizes client

    • WLC should return CoA-ACK or CoA-NAK
    • Client session must exist on WLC
    • ISE PSN source IP must be configured as a valid RADIUS/CoA server on the WLC
    • RADIUS shared secret must match
  13. ISE returns final authorization

    • Final Authorization Rule matched
    • Final Authorization Profile returned
    • Redirect removed
    • Final VLAN, ACL, SGT, or access policy applied, if used
  14. Client gets post-portal access

    • Client moves out of redirect/onboarding state
    • Expected network access is applied
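
As an added example (not from the original page, and not Cisco's or ISE's own code), a Python checker for steps 4, 7 and 8: it parses the cisco-av-pair values returned in the Access-Accept and compares them with the ACL names configured on the WLC and the expected portal port. The AV-pair names url-redirect and url-redirect-acl are the Cisco attribute names; the hostnames, ACL names and session ID are constructed sample values.

```python
# Added example, not Cisco's or ISE's code: parse the cisco-av-pair values an ISE
# Authorization Profile returns in the Access-Accept (step 4) and check them against
# the WLC configuration for the mismatches steps 7 and 8 call out. Names are hypothetical.
from urllib.parse import urlparse, parse_qs

def parse_av_pairs(av_pairs):
    """Split 'key=value' cisco-av-pair strings into a dict; first occurrence wins."""
    out = {}
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip() not in out:
            out[key.strip()] = value.strip()
    return out

def check_redirect(av_pairs, wlc_acls, portal_ports=(443, 8443)):
    """Return a list of findings; an empty list means the redirect result looks consistent."""
    attrs = parse_av_pairs(av_pairs)
    findings = []
    url = attrs.get("url-redirect")
    acl = attrs.get("url-redirect-acl")
    if not url:
        findings.append("no url-redirect AV-pair: WLC has no portal URL to install")
    if not acl:
        findings.append("no url-redirect-acl AV-pair: WLC has no ACL to intercept with")
    elif acl not in wlc_acls:
        # Step 7: the name must match the WLC ACL exactly, including case and separators
        findings.append(f"redirect ACL '{acl}' is not defined on the WLC")
    if url:
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        if u.scheme != "https":
            findings.append(f"redirect URL uses {u.scheme!r}, portal is expected over https")
        if port not in portal_ports:
            findings.append(f"portal port {port} is not one of {portal_ports}")
        if "sessionId" not in parse_qs(u.query):
            findings.append("redirect URL lacks sessionId, so ISE cannot tie the portal login to the session")
    return findings

# Constructed sample shaped like a CWA Access-Accept; the WLC ACL uses a dash, ISE sent an underscore
SAMPLE_AV_PAIRS = [
    "url-redirect-acl=CWA_REDIRECT",
    "url-redirect=https://ise-psn1.example.com:8443/portal/gateway?sessionId=0a0a0a0a00000001&portal=guest&action=cwa",
]
WLC_ACLS = {"CWA-REDIRECT", "BLACKHOLE"}

if __name__ == "__main__":
    for f in check_redirect(SAMPLE_AV_PAIRS, WLC_ACLS):
        print("FINDING:", f)
```

Feed it the AV-pairs from the ISE Live Log detail of the session and the ACL names from the WLC's running configuration; a non-empty list points at the step where the redirect breaks.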