05-18-2022 03:31 AM
Hi,
Recently we have connected our switch to a NAC with dot1x.
We have implemented all of Cisco's best practices to connect the switch to our RADIUS server.
The clients authenticate successfully, but on the authorization side we are facing a problem.
Once the client is authenticated and authorized, we cannot apply any authorization step.
This means that from the RADIUS server we cannot perform any action related to authorization, such as:
Reauthenticate
VLAN assignment
Filter-Id
None of these is applied to the client's session, although the client status is "Authz success".
In the debug we can see that the authorization details are being sent from the RADIUS server but are not being applied on the switch.
Also, when we perform a CoA action (no matter which kind of CoA) we receive:
COA: Illegal authenticator in COA from X.X.X.X
Please help. Here are some logs from the switch while I ran the following debugs:
debug aaa pod
debug aaa authorization
debug aaa coa
debug radius
05-19-2022 10:58 PM
Hi @citestsco
Regarding the CoA failing, it sounds as if the switch's RADIUS config is either incomplete or the shared secret in the switch's Dynamic Authorization config section is wrong. If you have two ISE PSNs, then you must enter each ISE node's IP address as a client, and also ensure that the RADIUS shared secret is the same as the one defined in ISE for that switch's IP address.

aaa server radius dynamic-author
 client 10.x.x.x server-key 0 RADIUS_SHARED_SECRET
 client 10.x.x.y server-key 0 RADIUS_SHARED_SECRET
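To see why a wrong server-key produces exactly this symptom, here is an added example (written for this thread, not code from Cisco IOS or ISE) that builds a CoA-Request and validates its Request Authenticator the way RFC 5176 section 3 defines it: MD5 over the packet header, sixteen zero octets, the attributes and the shared secret. The switch (the NAS) recomputes that digest with the server-key it has for the sender's address; if ISE signed the packet with a different secret, or the sender is not configured as a client at all, the digest cannot match and the request is rejected. The session attributes, addresses and secrets are constructed for the demo, and the cisco-avpair reauthenticate command is assumed for illustration; that the IOS message on the page comes from this specific check is inferred from its wording.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43   # RADIUS Code for CoA-Request (RFC 5176)
HEADER_LEN = 20    # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco vendor-specific attribute (Vendor-Id 9, vendor type 1, 'cisco-avpair')."""
    value = text.encode()
    vsa = struct.pack("!IBB", 9, 1, 2 + len(value)) + value
    return avp(26, vsa)


def request_authenticator(header: bytes, attributes: bytes, secret: bytes) -> bytes:
    """RFC 5176 section 3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def build_coa_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request the way the RADIUS server (the dynamic-authorization client) would."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attributes))
    return header + request_authenticator(header, attributes, secret) + attributes


def verify_coa_request(packet: bytes, server_key: bytes) -> bool:
    """Validate the Request Authenticator with the key the NAS holds for this client.

    A mismatch (wrong server-key, or a secret for a different client entry)
    is the case the NAS reports as an illegal authenticator and drops.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[HEADER_LEN:], server_key)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample: a reauthentication CoA keyed on the session's MAC address
SAMPLE_ATTRIBUTES = (
    avp(31, b"00-11-22-33-44-55")                     # Calling-Station-Id (constructed MAC)
    + avp(4, bytes([10, 1, 1, 10]))                    # NAS-IP-Address of the switch (constructed)
    + cisco_avpair("subscriber:command=reauthenticate")  # assumed Cisco CoA command
)
ISE_SECRET = b"RADIUS_SHARED_SECRET"        # secret ISE has for this switch's IP
SWITCH_KEY_OK = b"RADIUS_SHARED_SECRET"     # server-key under 'aaa server radius dynamic-author'
SWITCH_KEY_TYPO = b"RADIUS_SHARED_SECRET1"  # one stray character is enough to fail


def demo() -> dict:
    """Run the same ISE-built CoA through three NAS-side checks."""
    packet = build_coa_request(0x2A, SAMPLE_ATTRIBUTES, ISE_SECRET)
    return {
        "matching_key": verify_coa_request(packet, SWITCH_KEY_OK),
        "mismatched_key": verify_coa_request(packet, SWITCH_KEY_TYPO),
        "tampered_attrs": verify_coa_request(packet[:-1] + b"\x00", SWITCH_KEY_OK),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected (illegal authenticator)'}")
```

Because the secret is mixed into the MD5 rather than sent on the wire, the switch cannot tell a wrong key from a forged packet; both simply fail verification, which is why the error gives no hint beyond the sender's address. Checking the server-key for each ISE PSN address against the secret ISE has for the switch is therefore the first thing to compare.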
05-18-2022 03:41 AM
Hi
Which switch model and version and which RADIUS server and version do you have? This can be a misconfig or an incompatibility.
05-18-2022 04:38 AM
Can we see one port config?
Also, you mention there is a debug; can we see it?