Authorization Issue with 802.1x

citestsco
Level 1

Hi,

 

Recently we have connected our switch to a NAC with dot1x.

We have implemented all of Cisco's best practices to connect the switch to our RADIUS server.

The clients are authenticating successfully, but on the authorization side we are facing a problem.

Once the client is authenticated and authorized, we cannot implement any authorization step.

Which means that from the RADIUS server we cannot perform an action related to authorization, such as:

Reauthenticate

VLAN assignment

filter-id

 

None of these are being applied to the client's session, but the client status is "Authz success".

In the debug we can see that the authorization details are being sent from the RADIUS server but are not being applied by the switch.

 

 

Also, when we perform a CoA action (no matter which kind of CoA), we receive:

COA: Illegal authenticator in COA from X.X.X.X

 

Please help. Here are some logs from the switch while I've run a debug with:

debug aaa pod

debug aaa authorization

debug aaa coa

debug radius

Accepted Solution

Arne Bier
VIP

Hi @citestsco

 

Regarding the CoA failing, it sounds as if the switch's RADIUS config is either incomplete or the shared secret in the switch's Dynamic Authorization config section is wrong. If you have two ISE PSNs, then you must enter each ISE node's IP address as a client, and also ensure that the RADIUS shared secret is the same as defined in ISE for that switch's IP address.

 

aaa server radius dynamic-author
 client 10.x.x.x server-key 0 RADIUS_SHARED_SECRET
 client 10.x.x.y server-key 0 RADIUS_SHARED_SECRET

 

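As an added illustration of the check behind the "Illegal authenticator" message (this is not code from the thread, from Cisco or from ISE): a Python model of RFC 5176 CoA-Request validation, in which the receiving switch looks up the sender in its dynamic-author client list and recomputes the Request Authenticator with that client's server-key. The PSN addresses, the MAC in Calling-Station-Id and the secrets are constructed placeholders; a wrong secret or an unlisted PSN produces the two failure verdicts the advice above describes.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RADIUS Code for CoA-Request (RFC 5176)

# Constructed stand-in for the switch's "aaa server radius dynamic-author"
# section: one client entry per ISE PSN, each with its server-key.
DYNAMIC_AUTHOR_CLIENTS = {
    "192.0.2.11": b"RADIUS_SHARED_SECRET",
    "192.0.2.12": b"RADIUS_SHARED_SECRET",
}

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Server side. The Request Authenticator of a CoA-Request is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def check_coa_request(src_ip: str, packet: bytes) -> str:
    """Switch side: look up the dynamic-author client for the sender and
    recompute the authenticator with that client's key. Returns a verdict."""
    secret = DYNAMIC_AUTHOR_CLIENTS.get(src_ip)
    if secret is None:
        return "unknown client"  # PSN missing from dynamic-author config
    if len(packet) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return "malformed"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "illegal authenticator"  # the symptom reported in the thread
    return "ok"

def demo() -> tuple:
    """Three CoA-Requests carrying a constructed Calling-Station-Id (31):
    right secret from a listed PSN, wrong secret, and an unlisted PSN."""
    attrs = encode_attr(31, b"00-11-22-33-44-55")
    good = build_coa_request(7, attrs, b"RADIUS_SHARED_SECRET")
    bad = build_coa_request(7, attrs, b"wrong-secret")
    return (check_coa_request("192.0.2.11", good),
            check_coa_request("192.0.2.11", bad),
            check_coa_request("192.0.2.99", good))
```

Running demo() returns ('ok', 'illegal authenticator', 'unknown client'); the middle case is the mismatch between the server-key on the switch and the shared secret defined in ISE.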

3 Replies

Hi

Which switch model and version, and which RADIUS server and version, do you have? This can be a misconfig or an incompatibility.

Can we see one port config?

Also, you mention there is a debug; can we see it?
