cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3825
Views
0
Helpful
6
Replies

CoA is not working using Cisco ISE 1.1

sachpednekar
Level 1
Level 1

Hi all,

Can anyone help me in resolving CoA using cisco ISE as getting below error

Radius authentication failed for USER: CALLING STATION ID: 44:37:E6:4A:A7:56 AUTHTYPE:

6 Replies 6

jan.nielsen
Level 7
Level 7

Did you configure youre ise servers as clients in the switch ?

aaa server radius dynamic-author

client server-key

yes

aaa server radius dynamic-author

client 162.12.95.167 server-key 7 0518090E2A151D02380E3651

client 162.12.28.135 server-key 7 095F4108125C44192A072569

both are psn

do i need to make an entry of Admin node as well

these are in distributed deployment

No, just the psn's

Is there a firewall in between. Can you check and see if you are allowing ports 1700 and 3799?

In the packet captures I have seen only port 1700.

Thanks,

Tarik Admani
*Please rate helpful posts*

Below ports i have opend!

ISE Firewall ruleset
SourceDestinationPort no *DescriptionUse
10.120.166.13(Prim Admin)10.120.182.131521
UDP 161
443
80
10.120.182.13(Primary Monitoring)10.120.166.131521
UDP 161
443
80
162.12.95.167(PSN)
162.12.28.135(PSN)
162.12.189.135(PSN)
10.120.166.13
10.120.182.13
1521
UDP 161
10.120.166.13
10.120.182.13
162.12.95.167
162.12.28.135
162.12.189.135
1521
UPD 161
443
80
10.120.166.1310.120.182.1322
10.120.166.1310.120.182.131812
10.120.166.1310.120.182.131813
10.120.166.1310.120.182.13ICMP
10.120.166.1310.120.182.13UDP 20514
10.120.166.1310.120.182.131700
10.120.166.1310.120.182.133799
10.120.166.1310.120.182.1369
10.120.166.1310.120.182.13UDP 514
10.120.182.1310.120.166.1322
10.120.182.1310.120.166.131812
10.120.182.1310.120.166.131813
10.120.182.1310.120.166.13ICMP
10.120.182.1310.120.166.13UDP 20514
10.120.182.1310.120.166.131700
10.120.182.1310.120.166.133799
10.120.182.1310.120.166.1369
10.120.182.1310.120.166.13UDP 514
162.12.0.0/16
10.120.166.21
10.120.166.22
10.120.166.13
10.120.182.13
port 80/443HTTP/HTTPSURL-redirection
162.12.0.0/1610.120.166.13
10.120.182.13
1812RFC Standard
162.12.0.0/1610.120.166.13
10.120.182.13
1813
10.120.166.13
10.120.182.13
162.12.0.0/161812RFC Standard
10.120.166.13
10.120.182.13
162.12.0.0/161813
10.120.166.13
10.120.182.13
162.12.95.167
162.12.28.135
162.12.189.135
22SSH
162.12.0.0/16
10.120.166.21
10.120.166.22
10.120.166.13
10.120.182.13
22SSH
10.120.166.13
10.120.182.13
162.12.0.0/16
10.120.166.21
10.120.166.22
ICMPPing
162.12.0.0/16
10.120.166.21
10.120.166.22
10.120.166.13
10.120.182.13
ICMPPing
162.12.95.167
162.12.28.135
162.12.189.135
10.120.166.13
10.120.182.13
20514UDPSyslog Transport
10.120.166.13
10.120.182.13
162.12.95.167
162.12.28.135
162.12.189.135
20514UDPSyslog Transport
10.120.166.13
10.120.182.13
162.12.95.167
162.12.28.135
162.12.189.135
1700IOS Default
162.12.95.167
162.12.28.135
162.12.189.135
10.120.166.13
10.120.182.13
1700IOS Default
162.12.95.167
162.12.28.135
162.12.189.135
10.120.166.13
10.120.182.13
3799RFC
10.120.166.13
10.120.182.13
162.12.95.167
162.12.28.135
162.12.189.135
3799RFC
162.12.0.0/1610.120.166.13
10.120.182.13
8443TCP
10.120.134.74

10.120.135.74
10.120.166.13
10.120.182.13
UDP/TCP 53DNS
10.120.166.13
10.120.182.13
10.120.134.74
10.120.135.74
UDP/TCP 53DNS
10.120.166.13
10.120.182.13
10.120.132.166
10.120.133.166
10.120.134.5
10.120.135.5
10.120.135.4
UDP 123NTP
10.120.132.166
10.120.133.166
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
UDP 123NTP
10.120.166.13
10.120.182.13
162.12.95.170UDP/TCP 514Syslog
10.120.129.135
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
UDP/TCP 636Secure LDAP
10.120.129.135
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
UDP/TCP 389LDAP
10.120.166.13
10.120.182.13
10.120.129.135
10.120.134.5
10.120.135.5
10.120.135.4
UDP/TCP 636Secure LDAP
10.120.166.13
10.120.182.13
10.120.129.135
10.120.134.5
10.120.135.5
10.120.135.4
UDP/TCP 389LDAP
162.12.95.167
162.12.28.135
162.12.189.135
10.120.166.13
10.120.182.13
UDP 69TFTP
10.120.166.13
10.120.182.13
162.12.95.167
162.12.28.135
162.12.189.135
UDP 69TFTP
10.120.166.21
10.120.166.22
162.12.95.167
162.12.28.135
162.12.189.135
10.120.166.13
10.120.182.13
UDP 69TFTP
162.12.95.167
162.12.28.135
162.12.189.135
10.120.166.13
10.120.182.13
10.120.166.21
10.120.166.22
UDP 69TFTP
162.12.0.0/16
10.120.166.21
10.120.166.22
10.120.166.13
10.120.182.13
8080WWW
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
445SMBAD Domain services
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
88KDCAD Domain services
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
3268Global CatalogAD Domain services
10.120.134.5
10.120.135.5
10.120.135.4
10.120.166.13
10.120.182.13
464KPASSAD Domain services
10.120.166.13
10.120.182.13
10.120.134.5
10.120.135.5
10.120.135.4
445SMBAD Domain services
10.120.166.13
10.120.182.13
10.120.134.5
10.120.135.5
10.120.135.4
88KDCAD Domain services
10.120.166.13
10.120.182.13
10.120.134.5
10.120.135.5
10.120.135.4
3268Global CatalogAD Domain services
10.120.166.13
10.120.182.13
10.120.134.5
10.120.135.5
10.120.135.4
464KPASSAD Domain services

      

Web autherization working and and i am able to authenticate but if i open any other url then it redirect me again to ISE web Auth page....

Actions

Troubleshoot Authentication Opens in new window

View Diagnostic Messages

Audit Network Device Configuration Opens in new window

View Network Device Configuration Opens in new window

View Server Configuration Changes

Authentication Summary

Logged At:

November 21,2012 2:16:11.794 PM

RADIUS Status:

Authentication succeeded

NAS Failure:

Username:

00:21:CC:69:3D:30

MAC/IP Address:

00:21:CC:69:3D:30

Network Device:

FarmingtonHills : 162.12.95.71 : GigabitEthernet2/0/18

Allowed Protocol:

Default Network Access

Identity Store:

Authorization Profiles:

TDAF-WebAuth

SGA Security Group:

Authentication Protocol :

Lookup

Authentication Result

User-Name=00-21-CC-69-3D-30
State=ReauthSession:A20C5F47000000970ED72ABE
Class=CACS:A20C5F47000000970ED72ABE:ISEHQFM01/142798580/98
Termination-Action=RADIUS-Request
cisco-av-pair=url-redirect-acl=ACL-TDAF-WEBAUTH-REDIRECT
cisco-av-pair=url-redirect=https://ISEHQFM01.tcom.tdaf.com:8443/guestportal/gateway?sessionId=A20C5F47000000970ED72ABE&action=cwa

Related Events

Nov 21,12 2:16:18.090 PM

Radius accounting start

Radius accounting start

Nov 21,12 2:16:17.012 PM

Radius accounting stop

Radius accouting stop

Nov 21,12 2:16:11.895 PM

Radius accounting start

Radius accounting start

Authentication Details

Logged At:

November 21,2012 2:16:11.794 PM

Occurred At:

November 21,2012 2:16:11.793 PM

Server:

ISEHQFM01

Authentication Method:

mab

EAP Authentication Method :

Lookup

EAP Tunnel Method :

Username:

00:21:CC:69:3D:30

RADIUS Username :

00:21:CC:69:3D:30

Calling Station ID:

00:21:CC:69:3D:30

Framed IP Address:

162.12.108.160

Use Case:

Host Lookup

Network Device:

FarmingtonHills

Network Device Groups:

Location#All Locations#Farmington Hills MI,Device Type#All Device Types

NAS IP Address:

162.12.95.71

NAS Identifier:

NAS Port:

50218

NAS Port ID:

GigabitEthernet2/0/18

NAS Port Type:

Ethernet

Allowed Protocol:

Default Network Access

Service Type:

Call Check

Identity Store:

Authorization Profiles:

TDAF-WebAuth

Active Directory Domain:

Identity Group:

Allowed Protocol Selection Matched Rule:

MAB

Identity Policy Matched Rule:

Default

Selected Identity Stores:

Internal Endpoints

Authorization Policy Matched Rule:

Default

SGA Security Group:

AAA Session ID:

ISEHQFM01/142798580/98

Audit Session ID:

A20C5F47000000970ED72ABE

Tunnel Details:

Cisco-AVPairs:

service-type=Call Check
audit-session-id=A20C5F47000000970ED72ABE

Other Attributes:

ConfigVersionId=8,DestinationPort=1812,Protocol=Radius,Framed-MTU=1500,EAP-Key-Name=,CPMSessionID=A20C5F47000000970ED72ABE,EndPointMACAddress=00-21-CC-69-3D-30,Device Type=Device Type#All Device Types,Location=Location#All Locations#Farmington Hills MI,Model Name=Cisco,Device IP Address=162.12.95.71,Called-Station-ID=28:94:0F:0C:06:92

Posture Status:

Pending

EPS Status:

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))

Evaluating Service Selection Policy

15048 Queried PIP

15048 Queried PIP

15004 Matched rule

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store - Internal Endpoints

24209 Looking up Host in Internal Hosts IDStore - 00:21:CC:69:3D:30

24217 The host is not found in the internal endpoints identity store

22056 Subject not found in the applicable identity store(s)

22058 The advanced option that is configured for an unknown user is used

22060 The 'Continue' advanced option is configured in case of a failed authentication request

Evaluating Authorization Policy

15004 Matched rule

15016 Selected Authorization Profile - TDAF-WebAuth

11002 Returned RADIUS Access-Accept

Tarik Admani
VIP Alumni
VIP Alumni

I apologize for the question but I am viewing this from my mobile device. Please make surw that coa and is opened between the access layer device and the ise psn group.

Thanks.


Sent from Cisco Technical Support Android App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: