11-19-2012 12:02 PM - edited 03-10-2019 07:48 PM
Hi all,
Can anyone help me in resolving CoA using Cisco ISE, as I am getting the below error:
Radius authentication failed for USER: CALLING STATION ID: 44:37:E6:4A:A7:56 AUTHTYPE:
11-20-2012 11:41 AM
Did you configure your ISE servers as clients in the switch?
aaa server radius dynamic-author
client
11-20-2012 11:51 AM
Yes:
aaa server radius dynamic-author
client 162.12.95.167 server-key 7 0518090E2A151D02380E3651
client 162.12.28.135 server-key 7 095F4108125C44192A072569
Both are PSNs.
Do I need to make an entry for the Admin node as well?
These are in a distributed deployment.
11-20-2012 12:42 PM
No, just the PSNs.
11-20-2012 01:26 PM
Is there a firewall in between? Can you check and see if you are allowing ports 1700 and 3799?
In the packet captures I have seen only port 1700.
Thanks,
Tarik Admani
*Please rate helpful posts*
11-21-2012 08:32 AM
Below are the ports I have opened!
ISE Firewall ruleset

| Source | Destination | Port no * | Description | Use |
|---|---|---|---|---|
| 10.120.166.13 (Prim Admin) | 10.120.182.13 | 1521, UDP 161, 443, 80 | | |
| 10.120.182.13 (Primary Monitoring) | 10.120.166.13 | 1521, UDP 161, 443, 80 | | |
| 162.12.95.167 (PSN), 162.12.28.135 (PSN), 162.12.189.135 (PSN) | 10.120.166.13, 10.120.182.13 | 1521, UDP 161 | | |
| 10.120.166.13, 10.120.182.13 | 162.12.95.167, 162.12.28.135, 162.12.189.135 | 1521, UDP 161, 443, 80 | | |
| 10.120.166.13 | 10.120.182.13 | 22 | | |
| 10.120.166.13 | 10.120.182.13 | 1812 | | |
| 10.120.166.13 | 10.120.182.13 | 1813 | | |
| 10.120.166.13 | 10.120.182.13 | ICMP | | |
| 10.120.166.13 | 10.120.182.13 | UDP 20514 | | |
| 10.120.166.13 | 10.120.182.13 | 1700 | | |
| 10.120.166.13 | 10.120.182.13 | 3799 | | |
| 10.120.166.13 | 10.120.182.13 | 69 | | |
| 10.120.166.13 | 10.120.182.13 | UDP 514 | | |
| 10.120.182.13 | 10.120.166.13 | 22 | | |
| 10.120.182.13 | 10.120.166.13 | 1812 | | |
| 10.120.182.13 | 10.120.166.13 | 1813 | | |
| 10.120.182.13 | 10.120.166.13 | ICMP | | |
| 10.120.182.13 | 10.120.166.13 | UDP 20514 | | |
| 10.120.182.13 | 10.120.166.13 | 1700 | | |
| 10.120.182.13 | 10.120.166.13 | 3799 | | |
| 10.120.182.13 | 10.120.166.13 | 69 | | |
| 10.120.182.13 | 10.120.166.13 | UDP 514 | | |
| 162.12.0.0/16, 10.120.166.21, 10.120.166.22 | 10.120.166.13, 10.120.182.13 | 80/443 | HTTP/HTTPS | URL-redirection |
| 162.12.0.0/16 | 10.120.166.13, 10.120.182.13 | 1812 | RFC Standard | |
| 162.12.0.0/16 | 10.120.166.13, 10.120.182.13 | 1813 | | |
| 10.120.166.13, 10.120.182.13 | 162.12.0.0/16 | 1812 | RFC Standard | |
| 10.120.166.13, 10.120.182.13 | 162.12.0.0/16 | 1813 | | |
| 10.120.166.13, 10.120.182.13 | 162.12.95.167, 162.12.28.135, 162.12.189.135 | 22 | SSH | |
| 162.12.0.0/16, 10.120.166.21, 10.120.166.22 | 10.120.166.13, 10.120.182.13 | 22 | SSH | |
| 10.120.166.13, 10.120.182.13 | 162.12.0.0/16, 10.120.166.21, 10.120.166.22 | ICMP | Ping | |
| 162.12.0.0/16, 10.120.166.21, 10.120.166.22 | 10.120.166.13, 10.120.182.13 | ICMP | Ping | |
| 162.12.95.167, 162.12.28.135, 162.12.189.135 | 10.120.166.13, 10.120.182.13 | 20514 | UDP | Syslog Transport |
| 10.120.166.13, 10.120.182.13 | 162.12.95.167, 162.12.28.135, 162.12.189.135 | 20514 | UDP | Syslog Transport |
| 10.120.166.13, 10.120.182.13 | 162.12.95.167, 162.12.28.135, 162.12.189.135 | 1700 | IOS Default | |
| 162.12.95.167, 162.12.28.135, 162.12.189.135 | 10.120.166.13, 10.120.182.13 | 1700 | IOS Default | |
| 162.12.95.167, 162.12.28.135, 162.12.189.135 | 10.120.166.13, 10.120.182.13 | 3799 | RFC | |
| 10.120.166.13, 10.120.182.13 | 162.12.95.167, 162.12.28.135, 162.12.189.135 | 3799 | RFC | |
| 162.12.0.0/16 | 10.120.166.13, 10.120.182.13 | 8443 | TCP | |
| 10.120.134.74, 10.120.135.74 | 10.120.166.13, 10.120.182.13 | UDP/TCP 53 | DNS | |
| 10.120.166.13, 10.120.182.13 | 10.120.134.74, 10.120.135.74 | UDP/TCP 53 | DNS | |
| 10.120.166.13, 10.120.182.13 | 10.120.132.166, 10.120.133.166, 10.120.134.5, 10.120.135.5, 10.120.135.4 | UDP 123 | NTP | |
| 10.120.132.166, 10.120.133.166, 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | UDP 123 | NTP | |
| 10.120.166.13, 10.120.182.13 | 162.12.95.170 | UDP/TCP 514 | Syslog | |
| 10.120.129.135, 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | UDP/TCP 636 | Secure LDAP | |
| 10.120.129.135, 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | UDP/TCP 389 | LDAP | |
| 10.120.166.13, 10.120.182.13 | 10.120.129.135, 10.120.134.5, 10.120.135.5, 10.120.135.4 | UDP/TCP 636 | Secure LDAP | |
| 10.120.166.13, 10.120.182.13 | 10.120.129.135, 10.120.134.5, 10.120.135.5, 10.120.135.4 | UDP/TCP 389 | LDAP | |
| 162.12.95.167, 162.12.28.135, 162.12.189.135 | 10.120.166.13, 10.120.182.13 | UDP 69 | TFTP | |
| 10.120.166.13, 10.120.182.13 | 162.12.95.167, 162.12.28.135, 162.12.189.135 | UDP 69 | TFTP | |
| 10.120.166.21, 10.120.166.22 | 162.12.95.167, 162.12.28.135, 162.12.189.135, 10.120.166.13, 10.120.182.13 | UDP 69 | TFTP | |
| 162.12.95.167, 162.12.28.135, 162.12.189.135, 10.120.166.13, 10.120.182.13 | 10.120.166.21, 10.120.166.22 | UDP 69 | TFTP | |
| 162.12.0.0/16, 10.120.166.21, 10.120.166.22 | 10.120.166.13, 10.120.182.13 | 8080 | WWW | |
| 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | 445 | SMB | AD Domain services |
| 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | 88 | KDC | AD Domain services |
| 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | 3268 | Global Catalog | AD Domain services |
| 10.120.134.5, 10.120.135.5, 10.120.135.4 | 10.120.166.13, 10.120.182.13 | 464 | KPASS | AD Domain services |
| 10.120.166.13, 10.120.182.13 | 10.120.134.5, 10.120.135.5, 10.120.135.4 | 445 | SMB | AD Domain services |
| 10.120.166.13, 10.120.182.13 | 10.120.134.5, 10.120.135.5, 10.120.135.4 | 88 | KDC | AD Domain services |
| 10.120.166.13, 10.120.182.13 | 10.120.134.5, 10.120.135.5, 10.120.135.4 | 3268 | Global Catalog | AD Domain services |
| 10.120.166.13, 10.120.182.13 | 10.120.134.5, 10.120.135.5, 10.120.135.4 | 464 | KPASS | AD Domain services |
Web authorization is working and I am able to authenticate, but if I open any other URL then it redirects me again to the ISE Web Auth page....
11-21-2012 08:30 PM
I apologize for the question but I am viewing this from my mobile device. Please make sure that CoA is opened between the access layer device and the ISE PSN group.
Thanks.
Sent from Cisco Technical Support Android App
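The check Tarik describes (the CoA port must be open from the PSNs towards the access-layer devices, not only between the ISE nodes), as an added Python example that is not part of this thread: it parses rows in the same pipe layout as the posted ruleset and reports each PSN that has no rule for UDP 1700 (IOS default) or 3799 (RFC 5176) towards the NAD range. The sample rows, PSN addresses and the 162.12.0.0/16 NAD range are taken from the thread's values; the function names and the assumption that a row's source/destination cells are whitespace-separated hosts or CIDRs are mine.

```python
import ipaddress

# Constructed sample rows in the same "Source | Destination | Port | Description | Use"
# layout as the ruleset posted in the thread (a subset, not the full table).
RULESET = """\
10.120.166.13 10.120.182.13 | 162.12.95.167 162.12.28.135 162.12.189.135 | 1700 | IOS Default |
162.12.95.167 162.12.28.135 162.12.189.135 | 10.120.166.13 10.120.182.13 | 1700 | IOS Default |
162.12.0.0/16 | 10.120.166.13 10.120.182.13 | 1812 | RFC Standard |
10.120.166.13 10.120.182.13 | 162.12.0.0/16 | 1813 | |
"""

PSNS = ["162.12.95.167", "162.12.28.135", "162.12.189.135"]   # PSNs from the thread
NAD_RANGE = ipaddress.ip_network("162.12.0.0/16")             # access-layer devices
COA_PORTS = {"1700", "3799"}   # IOS default and RFC 5176 ports for dynamic authorization

def parse_rules(text):
    """Turn pipe-separated rows into (sources, destinations, port) tuples."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or not cells[0]:
            continue
        srcs = [ipaddress.ip_network(s, strict=False) for s in cells[0].split()]
        dsts = [ipaddress.ip_network(d, strict=False) for d in cells[1].split()]
        port = cells[2].split()[-1] if cells[2] else ""   # tolerate "UDP 1700" entries
        rules.append((srcs, dsts, port))
    return rules

def covered(rules, src_ip, dst_net, port):
    """True if some rule permits 'port' from src_ip to every address in dst_net."""
    src = ipaddress.ip_address(src_ip)
    for srcs, dsts, p in rules:
        if p != port:
            continue
        if any(src in s for s in srcs) and any(dst_net.subnet_of(d) for d in dsts):
            return True
    return False

def psns_without_coa(text):
    """PSNs with no rule permitting any CoA port towards the whole NAD range."""
    rules = parse_rules(text)
    return [psn for psn in PSNS
            if not any(covered(rules, psn, NAD_RANGE, p) for p in COA_PORTS)]

if __name__ == "__main__":
    for psn in psns_without_coa(RULESET):
        print(f"no rule allowing CoA (UDP 1700/3799) from PSN {psn} to {NAD_RANGE}")
```

Run against the sample rows it reports all three PSNs, because the posted 1700/3799 rules only connect the PSNs to the Admin and Monitoring nodes; adding a PSN-to-162.12.0.0/16 row for 1700 clears the report.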