topic Re: Hi, in Network Access Control

Cisco ISE error Dynamic Authorization failed

technicalit10001 — Mon, 11 Mar 2019 07:33:49 GMT

Hi,

I am having two types of below errors with some similarities from Cisco ISE summary reports for added sites. can any one let me know the fix and what can be the impact or risk of this error? is low or medium or high??? Thanks.

Event	5417 Dynamic Authorization failed
Failure Reason	11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution	Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause	No response received from Network Access Device after sending a Dynamic Authorization request

Second type is as below.

Event	5417 Dynamic Authorization failed
Failure Reason	11215 No response has been received from Dynamic Authorization Client in ISE
Resolution	Check the connectivity between the following: ISE running Log Collector and Dynamic Authorization Client in ISE ; Dynamic Authorization Client in ISE and Network Access Device.
Root cause	No response has been received from Dynamic Authorization Client in ISE.

Have you configured the CoA

Thibault BRISSE — Fri, 12 May 2017 16:00:37 GMT

Have you configured the CoA on your switches ?

aaa server radius dynamic-author

Hi,

Marco Aresu — Fri, 21 Jul 2017 09:43:20 GMT

Hi,

same issue. Radius dynamic-author configured but i received the follow error :

11204 Received reauthenticate request

11220 Prepared the reauthenticate request

11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )

11104 RADIUS-Client request timeout expired ( Step latency=10003 ms)

11213 No response received from Network Access Device after sending a Dynamic Authorization request

any idea?

thanks

Marco

Re: Cisco ISE error Dynamic Authorization failed

obadillaa — Tue, 23 Oct 2018 14:42:54 GMT

Hi, I have the same issue when configuring easyconnect:

11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11211 Proxying request to Dynamic Authorization Client ISE
11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )
11104 RADIUS-Client request timeout expired (step latency=10001 ms Step latency=10001 ms)
11215 No response has been received from Dynamic Authorization Client in ISE

I have configured CoA in my switch:

aaa server radius dynamic-author

Client remains with LimitedAccess ACL applied no matter it log-in successfully into domain. Any ideas?

thks

Re: Cisco ISE error Dynamic Authorization failed

gbekmezi-DD — Tue, 23 Oct 2018 15:01:25 GMT

Do you have servers (client) defined within the aaa server radius dynamic-author section?

Re: Cisco ISE error Dynamic Authorization failed

hslai — Sun, 28 Oct 2018 18:13:45 GMT

See RADIUS Change of Authorization. In particular, it has a section Monitoring and Troubleshooting RADIUS Change of Authorization, which might help.

Re: Cisco ISE error Dynamic Authorization failed

obadillaa — Mon, 29 Oct 2018 17:05:02 GMT

Thks gbekmezi and hslai for your replies,

Let me start answering that yes, I have two servers configured in that section.

Now let me re-phrase my issue providing a little more info.

When I connect my test-laptop to the switch, it applies the limited
connection profile as expected:

switch#sho authe sess int gi1/0/2 det
Interface: GigabitEthernet1/0/2
IIF-ID: 0x101B180000000BB
MAC Address: 8cdc.d4cd.8a8f
IPv6 Address: Unknown
IPv4 Address: 172.20.40.100
User-Name: 8C-DC-D4-CD-8A-8F
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1428F70000107F7EEE74B2
Acct Session ID: 0x000016C6
Handle: 0x9F00002B
Current Policy: POLICY_Gi1/0/2

Server Policies:
Vlan Group: Vlan: {vlan-id}
ACS ACL: xACSACLx-IP-EASYCONNECT_ACL-5b3409b5

Method status list:
Method State
mab Authc Success

But no matter I login successfully into domain, profile does not change to full-access.

I have noticed that full-access authorization policy inside my EZConnect policy does not get any matches, the condition for this policy is

"{myDomain} ExternalGroups EQUALS {myDomain}/Users/Domain Users".

All matches go to default policy which has the limited-connection profile.

"Domain Users" group was included in "Network Access>Ext Id Sources>Active Directory>Groups"

I am using default CoA port (1700), my ISE servers are behind a firewall as expected, but I could not see any packets going in that port (on both FW´s interfaces) just 1812-1813 packets.

FW has policies to allow CoA traffic to reach ISE servers.

I am not pretty sure who triggers the CoA (the switch or the ISE server) and I have checked connection between ISE servers an AD and all test passed.

Re: Cisco ISE error Dynamic Authorization failed

hslai — Mon, 29 Oct 2018 21:03:24 GMT

I am using default CoA port (1700), my ISE servers are behind a firewall as expected, but I could not see any packets going in that port (on both FW´s interfaces) just 1812-1813 packets.

FW has policies to allow CoA traffic to reach ISE servers.

I am not pretty sure who triggers the CoA (the switch or the ISE server) and I have checked connection between ISE servers an AD and all test passed.

For CoA interactions, the switch (NAD) is the CoA server and the ISE is the CoA client so that NAD listening on the CoA port (UDP 1700 or other port) and ISE makes the CoA requests to NAD. The packets would be from ISE outbound to NAD on UDP 1700.

Once CoA succeeds, NAD will trigger a re-authentication request for the endpoint to ISE and ISE will merge the Passive ID identity into the RADIUS MAB session and authorize with the endpoint with the matched AD group.

Re: Hi,

Sri Harsha Dasari — Wed, 30 Jun 2021 01:32:22 GMT

Hi, Did you check if traffic from ISE server to NAD is allowed on port UDP 1700 if NAD is a Cisco Device ?

Re: Cisco ISE error Dynamic Authorization failed

Sri Harsha Dasari — Wed, 30 Jun 2021 01:34:40 GMT

It only matters if you are pushing any dynamic attributes in authorization policy like dACL's or VLAN changes.

Check if traffic from ISE server to NAD is allowed on port UDP/1700 if NAD is a Cisco Device.

Re: Cisco ISE error Dynamic Authorization failed

rene_braun — Wed, 25 Aug 2021 07:05:06 GMT

Hello together

Please check double check the shared secret for the RADIUS Server on the NAD. You may check this by debugging aaa events.

e.g.

(wlc) >debug aaa events enable

*radiusCoASupportTransportThread: Aug 01 16:07:30.310: [SA] Invalid message authenticator received in 'CoA-Request' from 8.8.8.8 port 41396

Problem is that an wlc e.g. silently drops a CoA if the shared secret is wrong.

Best regards

Re: Cisco ISE error Dynamic Authorization failed

Faruzzi — Tue, 14 May 2024 06:51:33 GMT

Hello,

Try enabling IP Tracking on the switch. Example (device tracking policy attacked to easy connect configured port):

device-tracking policy IP-TRACKING
limit address-count 4
security-level glean
no protocol ndp
no protocol dhcp6
no protocol udp
tracking enable reachable-lifetime 30

interface ge 1/0/X

device-tracking attach-policy IP-TRACKING

Hope this helps.

Re: Cisco ISE error Dynamic Authorization failed

bohumil-danilak — Thu, 11 Jul 2024 12:53:51 GMT

Hey guys,

having same issue...I believe it may be due to the distributed deployment, where PAN nodes initiate CoA requests not the PSN nodes! at least in my case. ALSOPAN sends CoA