
Can't get Dynamic-Author to work on a Catalyst 9300

skhan3
Level 1

I have the following Cat 9300 config and am wondering how to get dynamic-author to work:

c9300#sh run
Building configuration...

Current configuration : 20458 bytes
!
! Last configuration change at 14:41:47 CST Wed Jan 23 2019 by shkhan
!
version 16.10
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname c9300
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 9 $9$yppGFmFJXyemAE$zOiCOHHxEiG0f4rWo2uAJFdZrHdxFZo2LSFS2vHajKY
!
aaa new-model
!
!
aaa group server radius Mgmt
server name ISE
ip vrf forwarding Mgmt-vrf
ip radius source-interface GigabitEthernet0/0
!
aaa group server tacacs+ ISE
server name ISE
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group ISE local
aaa authentication enable default group ISE enable
aaa authentication dot1x default group Mgmt
aaa authorization config-commands
aaa authorization exec default group ISE if-authenticated
aaa authorization network default group Mgmt
aaa authorization auth-proxy default group Mgmt
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group Mgmt
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
!
!
!
!
!
aaa server radius dynamic-author
client 172.29.0.35 vrf Mgmt-vrf server-key 7 0027421507545A545C75
domain stripping right-to-left
!
aaa session-id common
boot system switch all flash:cat9k_iosxe.16.10.01.SPA.bin
clock timezone CST -6 0
clock summer-time CST recurring
switch 1 provision c9300-48p
!
!
!
!
!
no ip domain lookup
!
!
!
ip dhcp snooping
login on-success log
!
!
!
!
!
!
!
no device-tracking logging theft
device-tracking policy track
no protocol udp
tracking enable
!
!
license boot level network-advantage
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
dot1x system-auth-control
!
!
username cisco password 7 110A1016141D
!
redundancy
mode sso
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 172.31.34.200 255.255.255.0
speed 1000
negotiation auto
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 21,31
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 21
switchport mode access
device-tracking attach-policy track
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http active-session-modules none
ip route 0.0.0.0 0.0.0.0 172.31.34.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.31.34.1
!
ip ssh time-out 10
ip ssh version 2
!
ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf
!
ip access-list extended POSTURE-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host 172.29.0.35 eq 8905
deny tcp any host 172.29.0.35 eq 8905
deny udp any host 172.29.0.35 eq 8909
deny tcp any host 172.29.0.35 eq 8909
deny tcp any host 172.29.0.35 eq 8443
permit ip any any
logging source-interface GigabitEthernet0/0 vrf Mgmt-vrf
!
tacacs server ISE
address ipv4 172.29.0.35
key 7 11584854
timeout 3
!
!
!
radius server ISE
address ipv4 172.29.0.35 auth-port 1812 acct-port 1813
key 7 15315A1F07257A767B67
!
!
control-plane
service-policy input system-cpp-policy
!
mac address-table notification mac-move
!
!
!
!
end

Accepted Solution

Damien Miller
VIP Alumni
Assuming you haven't already, I would confirm a couple of things:

UDP 1700 is not blocked by a firewall or ACL
Your key is correct for the dynamic-author config
Run a debug and see if the switch is actually receiving the CoA (tied to the first one, really)

I haven't run 16.10 myself, but being the leading edge, there is very little in the way of documented bugs. If possible and available for the 9300, I would try 16.6.5 to see if the same config works. As of this post, 16.6.5 is recommended for quite a few platforms; I know CoAs were working for my lab 9300 with 16.6.4 at least.

4 Replies

The switch is getting the CoA request from ISE; you see that in the packet trace. The switch responds by pinging ISE on port 1700. Port is unreachable.

ldanny
Cisco Employee

Your configuration looks fine.

Make sure you have no firewall blocking the port, and, as mentioned, I recommend you downgrade to a recommended code and try this again. You just might be hitting a bug in the latest code.


Hi,

The post is quite aged, but just in case: I've got confirmation from TAC that VRF'ed CoA config doesn't work, at least for 16.9.*.
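The checks suggested in the accepted answer (reachability of the CoA port, a client entry that matches the RADIUS server) and the VRF caveat from the last reply, as an added example that is not from any poster in this thread: a small Python linter over an IOS-XE running-config excerpt. The excerpt is constructed here, modelled on the question's config with a placeholder key, and the parser assumes the indented layout that show run normally produces.

```python
import re

# Constructed excerpt modelled on the question's config; the type 7 key is a placeholder.
SAMPLE_CONFIG = """\
aaa group server radius Mgmt
 server name ISE
 ip vrf forwarding Mgmt-vrf
!
aaa server radius dynamic-author
 client 172.29.0.35 vrf Mgmt-vrf server-key 7 PLACEHOLDER
!
radius server ISE
 address ipv4 172.29.0.35 auth-port 1812 acct-port 1813
!
"""

def check_coa_config(config):
    """Cross-check the dynamic-author block against radius servers and server-group VRFs."""
    radius_ips, group_vrfs, clients, port, section = set(), set(), [], 1700, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] not in " \t":            # an unindented line starts a new section
            section = line
            continue
        if section.startswith("radius server ") and line.startswith("address ipv4 "):
            radius_ips.add(line.split()[2])
        elif section.startswith("aaa group server radius ") and line.startswith("ip vrf forwarding "):
            group_vrfs.add(line.split()[-1])
        elif section == "aaa server radius dynamic-author":
            m = re.match(r"client (\S+)(?: vrf (\S+))?", line)
            if m:
                clients.append((m.group(1), m.group(2)))
            elif line.startswith("port "):          # CoA listener port; IOS default is 1700
                port = int(line.split()[1])
    findings = []
    if not clients:
        findings.append("no dynamic-author client configured; CoA requests will be rejected")
    for ip, vrf in clients:
        if ip not in radius_ips:
            findings.append(f"CoA client {ip} is not a configured radius server")
        if vrf and vrf not in group_vrfs:
            findings.append(f"CoA client {ip} uses vrf {vrf}, but no radius server group forwards in it")
        if vrf:
            findings.append(f"CoA client {ip} is VRF-scoped ({vrf}); verify UDP {port} is answered in that VRF")
    return findings
```

The last finding is the one this thread ends on: a VRF-scoped client entry is syntactically fine, so only a debug or packet capture showing the switch answering (rather than sending port unreachable) on that port proves the release actually honours it.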
