https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4613697#M574895 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1352589">@citestsco</a>&nbsp;</P> <P>&nbsp;</P> <P>regarding the CoA failing, it sounds as if the switch's RADIUS config is either incomplete or the shared secret in the switch's Dynamic Authorization config section is wrong. if you have two ISE PSN's, then you must enter each ISE node's IP address as a client, and also ensure that the RADIUS shared secret is the same as defined in ISE for that switch's IP address</P> <P>&nbsp;</P> <PRE>aaa server radius dynamic-author client 10.x.x.x server-key 0 RADIUS_SHARED_SECRET client 10.x.x.y server-key 0 RADIUS_SHARED_SECRET </PRE> <P>&nbsp;</P> Fri, 20 May 2022 05:58:37 GMT Arne Bier 2022-05-20T05:58:37Z https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4612247#M574838 <P>Hi ,</P><P>&nbsp;</P><P>Recently we have connected our switch to&nbsp; a nac with dot1x .</P><P>We have implemented all the best practice of cisco to connect the switch to our radius server .</P><P>The clients authenticating successfully but as for the authorization side we are facing a problem.</P><P>Once the client is authenticated and authorized we cannot implement any authorization step.</P><P>Which means from the radius we cannot procedure an action which related to authorization such as:</P><P>Reauthenticate</P><P>Vlan assignment</P><P>filter-id</P><P>&nbsp;</P><P>Any of this does not being applied to the session of the client but the client status is "Authz success"</P><P>At debug we can see that the authorization details are being sent from the radius but not being applied to the switch.</P><P>&nbsp;</P><P>&nbsp;</P><P>Although when we perform an CoA action ( no matter which kind of CoA) we receive:</P><P>COA: Illegal authenticator in COA from X.X.X.X</P><P>&nbsp;</P><P>Please help , there is some logs from the switch while i've procedure a debug on:</P><P>debug aaa pod</P><P>debug aaa authorization</P><P>debug aaa coa</P><P>debug radius</P> Wed, 18 May 2022 10:31:16 GMT https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4612247#M574838 citestsco 2022-05-18T10:31:16Z https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4612254#M574839 <P>Hi</P> <P>&nbsp;Which switch model and version and which radius server and version do you have?&nbsp; This can be a misconfig or incompatibility.</P> Wed, 18 May 2022 10:41:51 GMT https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4612254#M574839 Flavio Miranda 2022-05-18T10:41:51Z https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4612290#M574841 <P>Can we see one port config&nbsp;</P><P>Also you mention there is debug can we see it</P> Wed, 18 May 2022 11:38:27 GMT https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4612290#M574841 MHM Cisco World 2022-05-18T11:38:27Z https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4613697#M574895 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1352589">@citestsco</a>&nbsp;</P> <P>&nbsp;</P> <P>regarding the CoA failing, it sounds as if the switch's RADIUS config is either incomplete or the shared secret in the switch's Dynamic Authorization config section is wrong. if you have two ISE PSN's, then you must enter each ISE node's IP address as a client, and also ensure that the RADIUS shared secret is the same as defined in ISE for that switch's IP address</P> <P>&nbsp;</P> <PRE>aaa server radius dynamic-author client 10.x.x.x server-key 0 RADIUS_SHARED_SECRET client 10.x.x.y server-key 0 RADIUS_SHARED_SECRET </PRE> <P>&nbsp;</P> Fri, 20 May 2022 05:58:37 GMT https://community.cisco.com/t5/network-access-control/authorization-issue-with-802-1x/m-p/4613697#M574895 Arne Bier 2022-05-20T05:58:37Z