Cisco ISE error Dynamic Authorization failed

Hi,

I am having two types of the below errors, with some similarities, from Cisco ISE summary reports for added sites. Can anyone let me know the fix, and what the impact or risk of this error could be? Is it low, medium or high? Thanks.

Event

5417 Dynamic Authorization failed

Failure Reason

11213 No response received from Network Access Device after sending a Dynamic Authorization request

Resolution

Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.

Root cause

No response received from Network Access Device after sending a Dynamic Authorization request

Second type is as below.

Event

5417 Dynamic Authorization failed

Failure Reason

11215 No response has been received from Dynamic Authorization Client in ISE

Resolution

Check the connectivity between the following: ISE running Log Collector and Dynamic Authorization Client in ISE ; Dynamic Authorization Client in ISE and Network Access Device.

Root cause

No response has been received from Dynamic Authorization Client in ISE.

12 Replies

Thibault BRISSE
Level 1

Have you configured the CoA on your switches ?

aaa server radius dynamic-author

Hi,

Same issue. RADIUS dynamic-author is configured, but I received the following error:

11204 Received reauthenticate request

11220 Prepared the reauthenticate request 

11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA ) 

11104 RADIUS-Client request timeout expired ( Step latency=10003 ms) 

11213 No response received from Network Access Device after sending a Dynamic Authorization request

any idea?

thanks

Marco

Hi, Did you check if traffic from ISE server to NAD is allowed on port UDP 1700 if NAD is a Cisco Device ?

Thanks, Sri.

obadillaa
Level 1

Hi, I have the same issue when configuring easyconnect:

 

11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11211 Proxying request to Dynamic Authorization Client ISE
11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )
11104 RADIUS-Client request timeout expired (step latency=10001 ms Step latency=10001 ms)
11215 No response has been received from Dynamic Authorization Client in ISE

 

I have configured CoA in my switch:

 

aaa server radius dynamic-author

 

The client remains with the LimitedAccess ACL applied even though it logs in successfully to the domain. Any ideas?

 

thks 

Do you have servers (client) defined within the aaa server radius dynamic-author section?

See RADIUS Change of Authorization. In particular, it has a section Monitoring and Troubleshooting RADIUS Change of Authorization, which might help.

 

Thks gbekmezi and hslai for your replies,


Let me start answering that yes, I have two servers configured in that section.

Now let me re-phrase my issue providing a little more info.

  

When I connect my test-laptop to the switch, it applies the limited connection profile as expected:

 

switch#sho authe sess int gi1/0/2 det
Interface: GigabitEthernet1/0/2
IIF-ID: 0x101B180000000BB
MAC Address: 8cdc.d4cd.8a8f
IPv6 Address: Unknown
IPv4 Address: 172.20.40.100
User-Name: 8C-DC-D4-CD-8A-8F
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1428F70000107F7EEE74B2
Acct Session ID: 0x000016C6
Handle: 0x9F00002B
Current Policy: POLICY_Gi1/0/2

Server Policies:
Vlan Group: Vlan: {vlan-id}
ACS ACL: xACSACLx-IP-EASYCONNECT_ACL-5b3409b5

Method status list:
Method State
mab Authc Success

 

But even though I log in successfully to the domain, the profile does not change to full-access.

I have noticed that the full-access authorization policy inside my EZConnect policy does not get any matches; the condition for this policy is

 

"{myDomain} ExternalGroups EQUALS {myDomain}/Users/Domain Users".

 

All matches go to default policy which has the limited-connection profile.

 

"Domain Users" group was included in "Network Access>Ext Id Sources>Active Directory>Groups"

 

I am using the default CoA port (1700). My ISE servers are behind a firewall, as expected, but I could not see any packets going to that port (on either of the FW's interfaces), just 1812-1813 packets.

 

FW has policies to allow CoA traffic to reach ISE servers.

 

I am not quite sure who triggers the CoA (the switch or the ISE server), and I have checked the connection between the ISE servers and AD; all tests passed.


For CoA interactions, the switch (NAD) is the CoA server and ISE is the CoA client, so the NAD listens on the CoA port (UDP 1700 or another port) and ISE makes the CoA requests to the NAD. The packets would be from ISE outbound to the NAD on UDP 1700.

Once CoA succeeds, the NAD will trigger a re-authentication request for the endpoint to ISE, and ISE will merge the Passive ID identity into the RADIUS MAB session and authorize the endpoint with the matched AD group.

Sri Harsha Dasari
Spotlight

It only matters if you are pushing any dynamic attributes in the authorization policy, like dACLs or VLAN changes.

Check if traffic from ISE server to NAD is allowed on port UDP/1700 if NAD is a Cisco Device.

Thanks, Sri.

rene_braun
Level 1

Hello together

 

Please double-check the shared secret for the RADIUS server on the NAD. You may check this by debugging AAA events.

 

e.g.

(wlc) >debug aaa events enable

*radiusCoASupportTransportThread: Aug 01 16:07:30.310: [SA] Invalid message authenticator received in 'CoA-Request' from 8.8.8.8 port 41396

 

The problem is that a WLC, for example, silently drops a CoA if the shared secret is wrong.

 

Best regards

 
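The two points made above, hslai's that ISE is the CoA client and the NAD the CoA server listening on UDP/1700, and rene_braun's that a NAD silently drops a CoA whose authenticators were computed with the wrong shared secret, can be reproduced offline with a small packet tool. This is an added example, not code from the thread or from Cisco: it builds a RADIUS CoA-Request per RFC 5176/RFC 3579, verifies it the way a NAD would, and runs it against a loopback mock NAD. The secrets, the session values (copied from the thread's `show authentication session` output) and the 127.0.0.1 mock are constructed placeholders; the Cisco-AVPair strings are the ones ISE uses for a reauthenticate CoA.

```python
import hashlib
import hmac
import socket
import struct
import threading

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID = 26, 31
ATTR_ACCT_SESSION_ID, ATTR_MESSAGE_AUTHENTICATOR = 44, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific(26) wrapping a Cisco-AVPair (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_coa_request(secret, ident, avps):
    """The CoA-Request ISE (the CoA client) sends to the NAD, normally on UDP/1700."""
    body = b"".join(avps) + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # RFC 5176: Message-Authenticator is HMAC-MD5(secret) over the packet with the
    # Request Authenticator field and the attribute value both zeroed (16 octets each).
    msg_auth = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body

def verify_coa_request(secret, packet):
    """NAD side: recompute both authenticators with the NAD's own shared secret.  A real
    switch/WLC silently drops a failing request, which ISE then logs as 11104 and 11213."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    # This tool always places Message-Authenticator last; a full parser would locate it.
    if header[0] != COA_REQUEST or len(body) < 18 or body[-18:-16] != bytes([80, 18]):
        return False
    msg_auth, zeroed = body[-16:], body[:-16] + bytes(16)
    want_ma = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    want_ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(want_ma, msg_auth) and hmac.compare_digest(want_ra, req_auth)

def build_coa_response(secret, request, code):
    """NAD side: attribute-less CoA-ACK/NAK; authenticator = MD5(header+RequestAuth+secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_coa_response(secret, request, response):
    """ISE side: the response code if ID and Response Authenticator match, else None."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    want = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header[0] if hmac.compare_digest(want, resp_auth) else None

def send_coa(nad_ip, secret, avps, port=1700, timeout=10.0, ident=1):
    """Send one CoA-Request; verdict 'ack', 'nak', 'bad-response' or 'timeout' (11104/11213)."""
    request = build_coa_request(secret, ident, avps)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code = verify_coa_response(secret, request, data)
    return {COA_ACK: "ack", COA_NAK: "nak"}.get(code, "bad-response")

def mock_nad(nad_secret, sock):
    """Loopback stand-in for a switch: ACK one valid request, stay silent otherwise."""
    data, peer = sock.recvfrom(4096)
    if verify_coa_request(nad_secret, data):
        sock.sendto(build_coa_response(nad_secret, data, COA_ACK), peer)

def demo_loopback(ise_secret, nad_secret, avps, timeout=1.0):
    """Run send_coa against mock_nad on 127.0.0.1 and return its verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    threading.Thread(target=mock_nad, args=(nad_secret, srv), daemon=True).start()
    try:
        return send_coa("127.0.0.1", ise_secret, avps, srv.getsockname()[1], timeout)
    finally:
        srv.close()

# Constructed reauthenticate CoA; session values are placeholders from the thread's output.
REAUTH_AVPS = [
    avp(ATTR_ACCT_SESSION_ID, b"0x000016C6"),
    avp(ATTR_CALLING_STATION_ID, b"8C-DC-D4-CD-8A-8F"),
    cisco_avpair("audit-session-id=AC1428F70000107F7EEE74B2"),
    cisco_avpair("subscriber:command=reauthenticate"),
]
```

`demo_loopback(b"s3cret", b"s3cret", REAUTH_AVPS)` returns `"ack"`, while `demo_loopback(b"s3cret", b"other", REAUTH_AVPS)` returns `"timeout"`: the mock NAD, like a real one, gives no indication that the secret was wrong, which is why ISE can only report a 10 s timeout followed by 11213. Against a real switch, `send_coa("<switch-ip>", secret, REAUTH_AVPS)` from the ISE side's network is a quick way to confirm reachability of UDP/1700 and the secret independently of ISE; the matching NAD configuration is `aaa server radius dynamic-author` with a `client <ISE-IP> server-key <secret>` line (and `port <n>` if a non-default CoA port is set on the ISE network-device entry).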

Faruzzi
Level 1

Hello,

Try enabling IP tracking on the switch. Example (device-tracking policy attached to the Easy Connect configured port):

device-tracking policy IP-TRACKING
 limit address-count 4
 security-level glean
 no protocol ndp
 no protocol dhcp6
 no protocol udp
 tracking enable reachable-lifetime 30

interface ge 1/0/X

 device-tracking attach-policy IP-TRACKING

Hope this helps.

 

 

bohumil-danilak
Level 1

Hey guys,

Having the same issue... I believe it may be due to the distributed deployment, where PAN nodes initiate CoA requests, not the PSN nodes! At least in my case. Also, PAN sends CoA.