topic CoA Re-authenticate fail on switch when running on 802.1x EAP in Network Access Control

CoA Re-authenticate fail on switch when running on 802.1x EAP

jinyuanbao — Tue, 08 Nov 2022 09:28:29 GMT

Hi guys,

I'm using Change of Authorization (CoA) Re-authenticate Cisco:cisco-av-pair=subscriber:command=reauthenticate,

it works fine on pap and chap, but can't become online again on eap-md5, peap, ttls,tls.

The traffic capture file contain the sucessful process and the failed ones. In the failed process the coa is all successful but then the ISE rejects the switch.

And on the ise log page,

the first error shows

Event	5440 Endpoint abandoned EAP session and started new
Failure Reason	5440 Endpoint abandoned EAP session and started new
Resolution	Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause	Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

Endpoint started new authentication while previous is still in progress.----------i don't how ISE know which is new and which is previous authentication.

And the second error shows

Event	5400 Authentication failed
Failure Reason	11051 RADIUS packet contains invalid state attribute
Resolution	Do the the following: Check the network device or AAA Client for hardware problems or known RADIUS compatibility issues ; Check the network that connects the device to ISE for hardware problems.
Root cause	The state attribute in the RADIUS packet did not match any active session.

About the known RADIUS compatibility issues, i'm using h3c switch actually, i don't know how this compatibility issues happens.

About the 11051 RADIUS packet contains invalid state attribute and The state attribute in the RADIUS packet did not match any active session. i have looked into the network traffic capture, i have to admin the state is not the same before and after the coa, but maybe it's because the ise sends the new state id to switch.

And i have tried in another environment with wireless device, the state attribute is also not the same before and after the coa, but successful, collected file in wireless sucessful coa reauth.zip

The other file and snapshots are collected on ise 2.4.0.357 patch 8, i have also tried on ise 3.1, the errors are the same.

So how should switch repond to make the process sucessful or what configuration i can do on ISE.

Thank you in advance!!

Re: CoA Re-authenticate fail on switch when running on 802.1x EAP

Arne Bier — Mon, 14 Nov 2022 20:57:57 GMT

Do you know why the CoA is being triggered? Is it because of ISE profiling?

Possibly, the H3C switch doesn't process the CoA re-auth as one might expect. Are you sure that this model of device support RADIUS CoA Re-auth? In my experience this form of CoA is very Cisco specific. Most vendors will support CoA packet of disconnect and very little else.

ISE does support other vednor devices and if possible, one should assign these non-Cisco devices with a Device Profile that matches the capabilities of the device. e.g. a HPE Switch has a profile in ISE, because it handles CoA and other things differently to a Cisco switch. I had a look at what the HPE switch supports, and it does not support Re-Auth. Interestingly, I see H3C Dictionary mentioned in the HPWired Network Device Profile. Perhaps these two vendors do things similarly.

H3c switch process CoA on port 3799 (which I see you're doing) - have you run a debug on the switch during and after the CoA, to see what the switch does ?

Have you also seen this great article by Thomas Howard?

Re: CoA Re-authenticate fail on switch when running on 802.1x EAP

jinyuanbao — Fri, 25 Nov 2022 04:41:40 GMT

Hi, thank you for your reply.

Do you know why the CoA is being triggered? Is it because of ISE profiling?

i manually trigger it in Live Sessions while capture the network traffic and logs. When profiling or posture trigger the coa, the results are the same.

have you run a debug on the switch during and after the CoA, to see what the switch does ?

the switch shows logs like Device DOT1X/7/EVENT: User failed to come online (UserMAC=000c-2944-2de5, VLANID=2, Interface=GigabitEthernet1/0/3). Reason: The RADIUS server rejected the authentication request。

I had a look at what the HPE switch supports, and it does not support Re-Auth

you mean in ise default Network Access Device Profiles, the hp wired do not has coa Re-authenticate enabled?

actually i replicate a Network Access Device Profile and input h3c-av-pair or cisco-av-pair equls subscriber:command=reauthenticate.

My confusion is why it works in pap or chap, but not working in eap.

thanks.

Re: CoA Re-authenticate fail on switch when running on 802.1x EAP

Arne Bier — Fri, 25 Nov 2022 06:30:13 GMT

sounds like you have hit quite a specific roadblock. Perhaps it's time for a TAC case. I can't see why ISE would differentiate between a PAP/CHAP auth and an EAP auth with regards to sending a CoA.