https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391754#M88986 <HTML><HEAD></HEAD><BODY><P>Is this for wireless or wired or both?</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Fri, 03 Jan 2014 18:33:35 GMT Tarik Admani 2014-01-03T18:33:35Z https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391753#M88985 <P>I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoANAK and the error cause is 200. In the steps it's showing:</P><P></P><P></P><P>11204 Received reauthenticate request </P><P>11220 Prepared the reauthenticate request </P><P>11100 RADIUS-Client about to send request </P><P>11101 RADIUS-Client received response </P><P></P><P></P><P>Which shows successful communications between ISE and the NAD. When I look at the logs for Radius Authentication for one of the hosts I see it pass MAB with one session ID then Dynamic Auth CoA Fail then pass dot1x with a different session ID.</P><P></P><P></P><P><SPAN>I was reading up on the Dynamic Auth RFC (</SPAN><A class="jive-link-external-small" href="http://tools.ietf.org/html/rfc5176" target="_blank">http://tools.ietf.org/html/rfc5176</A><SPAN>) and in Section 3.5 it states:</SPAN></P><P></P><P></P><P>"Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."</P><P></P><P></P><P>Am I missing something here? Is anyone else having this issue? </P> Mon, 11 Mar 2019 04:14:13 GMT https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391753#M88985 xxkozxx 2019-03-11T04:14:13Z https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391754#M88986 <HTML><HEAD></HEAD><BODY><P>Is this for wireless or wired or both?</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Fri, 03 Jan 2014 18:33:35 GMT https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391754#M88986 Tarik Admani 2014-01-03T18:33:35Z https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391755#M88987 <HTML><HEAD></HEAD><BODY><P>Wired.</P></BODY></HTML> Fri, 03 Jan 2014 19:31:28 GMT https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391755#M88987 xxkozxx 2014-01-03T19:31:28Z https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391756#M88988 <HTML><HEAD></HEAD><BODY><P>Do you have non Cisco phones that the clients connect to? Also what version and platform is the wired switch? Also can you post the running config of the port that you traced this back to?</P><P></P><P>If you issue a "show authentication session interface xxx" do you see multiple aaa-session-id for the same user?</P><P></P><P>You should be able to run a few debugs around the COA process and please make sure that the radius shared secret is the same as the server-key under the client settings for the "aaa server radius dynamic-author" configuration section. </P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Fri, 03 Jan 2014 20:44:50 GMT https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391756#M88988 Tarik Admani 2014-01-03T20:44:50Z https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391757#M88989 <HTML><HEAD></HEAD><BODY><P>All Cisco Phones. Switches are 4510's running 03.02.03</P><P></P><P></P><P>Here's a sample port config:</P><P></P><P></P><P>!</P><P>interface GigabitEthernetX/X/X</P><P> switchport access vlan XX</P><P> switchport mode access</P><P> switchport voice vlan XX</P><P> srr-queue bandwidth share 10 10 60 20</P><P> queue-set 2</P><P> priority-queue out</P><P> authentication event fail action next-method</P><P> authentication host-mode multi-auth</P><P> authentication open</P><P> authentication order mab dot1x</P><P> authentication priority dot1x mab</P><P> authentication port-control auto</P><P> mab</P><P> mls qos trust device cisco-phone</P><P> mls qos trust cos</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 10</P><P> spanning-tree portfast</P><P> spanning-tree guard root</P><P> service-policy input AutoQoS-Police-CiscoPhone</P><P>end</P><P>! </P><P></P><P>No I don't see multiple session id's for the same user. We are using EAP-TLS and cert auth.</P><P></P><P></P><P>Server keys are good. I've debugged a couple of these. Only thing I could find was the session ID is different between mab and dot1x.</P></BODY></HTML> Fri, 03 Jan 2014 21:13:23 GMT https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/2391757#M88989 xxkozxx 2014-01-03T21:13:23Z https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/3830723#M88990 <P>Hello, i'm having the same problem. Did you find a solution for this?</P> Tue, 02 Apr 2019 14:59:30 GMT https://community.cisco.com/t5/network-access-control/ise-periodic-dynamic-auth-failures/m-p/3830723#M88990 steve sousa 2019-04-02T14:59:30Z