Hello,
I was having the same problem until I switched the WLC NAD port on CPPM to 1700. As soon as that was done, CoA started working. You don't need to add the audit session ID (the calling station ID is just what is needed), nor the reauthenticate last.
Let me just add for reference all that I did in an attached PDF; it may help someone... If anyone has a better way of doing this I'm all ears (I'm really just starting to get my hands on CPPM, so I'm probably still making lots of mistakes...)
Enjoy and comment!
Flow is:
Endpoint associates, tries MAC auth and generates a RADIUS request to CPPM - 1st pass on the MAC auth service (allow all MAC)
On CPPM the endpoint is unknown - it gets returned an Access-Accept plus a URL redirect
Person using the endpoint opens a web browser, gets redirected to the CPPM portal and authenticates
This authentication is processed in CPPM via a webauth service that will:
- Map a role to the endpoint
- Generate a CoA for the controller to reauthenticate the user (new MAC auth - 2nd pass)
This 2nd pass will then be caught by the same MAC auth service, but this time (for 5 minutes after accounting start) the endpoint will have roles in its policy cache. These roles will be matched and the appropriate RADIUS attributes will be returned (specific dACLs, for instance)
When user disconnects:
The controller will need to time out the endpoint, then send an accounting stop to CPPM. CPPM will keep the endpoint policy cache for 5 minutes and then purge it. Next time the user associates ---> start all over again.
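
The CoA step of the flow above, as an added example that is not part of the original post or of any CPPM or WLC code: it builds a CoA-Request (RFC 5176) that identifies the session by Calling-Station-Id alone, and shows the authenticator check a receiver applies before acting on it. The function names, MAC address and shared secret are constructed for illustration, and the CoA that CPPM actually sends may carry more attributes than this.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43         # RFC 5176 packet code
CALLING_STATION_ID = 31  # RFC 2865 attribute type
COA_PORT = 1700          # NAD port set on CPPM in the post

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def authenticator(code, ident, length, attrs, secret):
    """RFC 5176: MD5(code, id, length, 16 zero octets, attributes, secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_coa_request(ident: int, mac: str, secret: bytes) -> bytes:
    """CoA-Request that identifies the session by Calling-Station-Id only."""
    attrs = attr(CALLING_STATION_ID, mac.encode("ascii"))
    length = 20 + len(attrs)
    auth = authenticator(COA_REQUEST, ident, length, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, length) + auth + attrs

def verify_coa_request(packet: bytes, secret: bytes) -> dict:
    """Receiver-side check: header, authenticator, then attribute parsing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:]
    expected = authenticator(code, ident, length, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad authenticator (shared secret mismatch?)")
    parsed, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        parsed[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return parsed

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    pkt = build_coa_request(1, "aa-bb-cc-dd-ee-ff", b"constructed-secret")
    print(COA_PORT, pkt.hex(), verify_coa_request(pkt, b"constructed-secret"))
```

A request that fails this check, or that is sent to a UDP port the controller is not listening on, produces no reauthentication, so the 2nd MAC auth pass never happens.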