topic Re: Radius CoA not working in Network Access Control

Radius CoA not working

BlackDiamond71 — Tue, 13 May 2025 19:09:54 GMT

I have Cisco ISE setup using IBNS 2.0 but without Radius DTLS and CoA seemed to work fine. I converted it to Radius DTLS and when I did that, I can no longer do CoA commands via the endpoints page of Cisco ISE. I included the names of the trustpoints below and the dynamic author settings. Any thoughts on what I am doing wrong?

show crypto pki certificates pem

------Trustpoint: SWITCH-V2-SELF-SIGNED------ (I created on the switch)

------Trustpoint: ise1.domain.com------

------Trustpoint: ise2.domain.com------

aaa server radius dynamic-author

client 192.168.1.5 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise1.domain.com

client 192.168.1.6 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise2.domain.com

radius server ISE01
address ipv4 192.168.1.5
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise1.domain.com
dtls match-server-identity hostname ise1.domain.com
dtls match-server-identity ip-address 192.168.1.5
!
radius server ISE02
address ipv4 192.168.1.6
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise2.domain.com
dtls match-server-identity hostname ise2.domain.com
dtls match-server-identity ip-address 192.168.1.6

Event	5417 Dynamic Authorization failed
Failure Reason	11103 RADIUS-Client encountered error during processing flow
Resolution	Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root cause	RADIUS-Client encountered an error during processing flow

Steps

Step ID	Description	Latency (ms)
11203	Received disconnect and port bounce dynamic authorization request
11219	Prepared the disconnect and port bounce dynamic authorization request	1
11100	RADIUS-Client about to send request - ( port = 2083 , type = Cisco CoA )	0
91055	RADIUS packet is encrypted	0
11103	RADIUS-Client encountered error during processing flow	120001

Re: Radius CoA not working

BlackDiamond71 — Wed, 14 May 2025 13:56:55 GMT

I did some digging and I think I had this backwards, so I changed it to show this (Below). I looked at the error and it shows 1700 even though I have "Radius DLTS" checked. Could this be a bug as it shows it is sending over the wrong port?

aaa server radius dynamic-author

client 192.168.1.5 dtls client-tp ise1.domain.com server-tp SWITCH-V2-SELF-SIGNED

client 192.168.1.6 dtls client-tp ise2.domain.com server-tp SWITCH-V2-SELF-SIGNED

Steps

Step ID	Description	Latency (ms)
11203	Received disconnect and port bounce dynamic authorization request
11219	Prepared the disconnect and port bounce dynamic authorization request	1
11100	RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )	2
11104	RADIUS-Client request timeout expired	15011
11213	No response received from Network Access Device after sending a Dynamic Authorization request	4

Re: Radius CoA not working

andrewswanson — Wed, 14 May 2025 15:04:39 GMT

Do either of these match what you are seeing? Both have been updated today but neither have a fixed ISE release.

https://bst.cisco.com/bugsearch/bug/CSCwn76670

https://bst.cisco.com/bugsearch/bug/CSCvv20753

hth
Andy

Re: Radius CoA not working

BlackDiamond71 — Wed, 14 May 2025 15:35:30 GMT

Seems likely that it is related. From the switch I also Ran these codes and I get "User successfully authenticated"
test aaa group ISE-RADIUS server name ISE01 username password new-code

test aaa group ISE-RADIUS server name ISE02 username password new-code

Version:

3.4.0.608

Patch Information:

Re: Radius CoA not working

BlackDiamond71 — Mon, 19 May 2025 18:30:37 GMT

Anyone have any other thoughts on how I can proceed?

Re: Radius CoA not working

PSM — Tue, 20 May 2025 12:37:06 GMT

@BlackDiamond71 wonder the intention of having 3 different trustpoints on the switch. Is it because ISE servers have certificates from different CA. In my understanding if signing CA of switch certificate and ISE certificate is same then you just need one trustpoint.

Can you share screen shot of device RADSEC configuration in ISE ? Also enable "debug radius authentication" and "debug radius radsec" and share the logs.

Re: Radius CoA not working

BlackDiamond71 — Tue, 03 Jun 2025 15:04:28 GMT

I figured it out, This Document goes in good detail https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01100010.pdf. Essentially, I needed # dtls ip radius source-interface vlanX, where X is the vlan of your Cisco ISE Servers