02-28-2013 12:42 PM - edited 03-10-2019 08:08 PM
We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
When the radius sends a reauthentication CoA message to the switch, the switch responds with a 'session context not found' reply. I have upgraded the code to the latest levels on both the ise and switch and still have the same results.
This reauthenticate is needed after the NAC profiler determines the pc is compliant. I am receiving the compliant message from the pc and switch, but because the switch never reauthenticates the client after the CoA request, the client is never granted full access.
I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
Please Help...!!!!!
-- Debug --
Log Buffer (10000 bytes):
Feb 28 19:34:21.940 UTC: RADIUS: COA received from id 38 10.122.1.82:40171, CoA Request, len 140
Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
Feb 28 19:34:21.940 UTC: RADIUS: authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
Feb 28 19:34:21.948 UTC: RADIUS: NAS-IP-Address [4] 6 10.122.1.66
Feb 28 19:34:21.948 UTC: RADIUS: Event-Timestamp [55] 6 1362080061
Feb 28 19:34:21.948 UTC: RADIUS: Message-Authenticato[80] 18
Feb 28 19:34:21.948 UTC: RADIUS: BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4 [ *c"~]
Feb 28 19:34:21.948 UTC: RADIUS: Vendor, Cisco [26] 41
Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 35 "subscriber:command=reauthenticate"
Feb 28 19:34:21.948 UTC: RADIUS: Vendor, Cisco [26] 49
Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A7A014200000272048AF0F1"
Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
Feb 28 19:34:21.948 UTC: ++++++ CoA Attribute List ++++++
Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
Feb 28 19:34:21.948 UTC:
Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
Feb 28 19:34:21.957 UTC: RADIUS: authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
Feb 28 19:34:21.957 UTC: RADIUS: Reply-Message [18] 18
Feb 28 19:34:21.957 UTC: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
Feb 28 19:34:21.957 UTC: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
Feb 28 19:34:21.957 UTC: RADIUS: Message-Authenticato[80] 18
Feb 28 19:34:21.957 UTC: RADIUS: 30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61 [ 0R.TK(1a]
ESWHQFL02-S#
-- Switch Config --
aaa authentication login default group tacacs+ local-case
aaa authentication login local_login local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization network auth-list group DOT1X
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa server radius dynamic-author
client 10.122.1.82 server-key 7 14141B180F0B
client 10.122.1.80 server-key 7 045802150C2E
!
aaa session-id common
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
radius-server deadtime 5
radius-server key 7 030752180500
radius-server vsa send accounting
radius-server vsa send authentication
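The CoA exchange in the debug above, rebuilt as an added Python example (not code from the original post or from Cisco): it encodes the reauthenticate CoA-Request with the same two Cisco AVpairs, checks the Request Authenticator and Message-Authenticator per RFC 5176 (the step behind the switch's "Message Authenticator decode passed" line), and decodes the CoA-NAK's Error-Cause 503. The shared secret is a constructed placeholder and the sample NAK's authenticator field is left zeroed.

```python
import hashlib
import hmac
import struct

# RADIUS codes and Error-Cause values from RFC 5176 (Dynamic Authorization Extensions)
CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute", 404: "Invalid Request",
               503: "Session Context Not Found", 504: "Session Context Not Removable"}
CISCO_VENDOR = 9

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):
    """Vendor-Specific (26) carrying Cisco sub-attribute 1 (cisco-avpair)."""
    return attr(26, struct.pack(">I", CISCO_VENDOR) + attr(1, text.encode()))

def build_coa_request(ident, secret, attrs):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret), computed with the
    Message-Authenticator (80) zeroed; then Message-Authenticator = HMAC-MD5 over that packet."""
    body = b"".join(attrs) + attr(80, bytes(16))
    header = struct.pack(">BBH", 43, ident, 20 + len(body))
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    packet = header + req_auth + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_coa(packet, secret=None):
    """Decode a CoA packet; for a CoA-Request with a secret, also verify both authenticators."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    attrs, pos, ma_pos = [], 20, None
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 26 and struct.unpack(">I", value[:4])[0] == CISCO_VENDOR:
            attrs.append(("Cisco-AVPair", value[6:4 + value[5]].decode()))  # sub-TLV at value[4:]
        elif atype == 101:
            num = struct.unpack(">I", value)[0]
            attrs.append(("Error-Cause", f"{ERROR_CAUSE.get(num, 'Unknown')} [{num}]"))
        elif atype == 18:
            attrs.append(("Reply-Message", value.decode()))
        elif atype == 80:
            ma_pos = pos
        pos += alen
    result = {"code": CODES.get(code, code), "id": ident, "attrs": attrs}
    if secret is not None and code == 43 and ma_pos is not None:
        zeroed = bytearray(packet)
        zeroed[ma_pos + 2:ma_pos + 18] = bytes(16)
        exp_req = hashlib.md5(bytes(zeroed[:4]) + bytes(16) + bytes(zeroed[20:]) + secret).digest()
        exp_ma = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
        result["authenticated"] = (hmac.compare_digest(packet[4:20], exp_req)
                                   and hmac.compare_digest(packet[ma_pos + 2:ma_pos + 18], exp_ma))
    return result

# Constructed samples: the reauthenticate request from the debug (made-up secret) and the NAK
SECRET = b"constructed-secret"
REQUEST = build_coa_request(38, SECRET, [cisco_avpair("subscriber:command=reauthenticate"),
                                         cisco_avpair("audit-session-id=0A7A014200000272048AF0F1")])
NAK = (struct.pack(">BBH", 45, 38, 44) + bytes(16)
       + attr(18, b"No valid Session") + attr(101, struct.pack(">I", 503)))
```

A NAK with Error-Cause 503 means the NAS could not match the audit-session-id to a live session, so the session table on the switch (show authentication sessions) is the first thing to compare against what ISE sent.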
03-01-2013 08:44 AM
What version of code are you running on both ISE and the NAD?
03-01-2013 11:03 AM
cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
We have the fix for this...
We had to downgrade to 12.2(55)SE7 on the 3750 and allow radius attribute 25 on the switch config.
..
radius-server attribute 25 access-request include
..
CoA is now functioning properly...
03-01-2013 01:21 PM
I was suspecting that the version of code could be the problem. Also, you can always use ISE's "Evaluate ConfigurationValidator" which can be found under "Operations > Diagnostic Tools." It is not 100% cross platform accurate but it definitely helps catch small things that you missed.
In either case, good job on finding the solution and posting back here! (+5 from me).
If your issue is resolved please mark the thread as "answered"
03-07-2013 02:56 PM
Upgrade the IOS on the Catalyst 3750, we were having the same problem here and it was solved by upgrading to
Version 15.0(2)SE2.
Hope that helps.
Luis
03-09-2013 07:23 AM
As per the Cisco recommendation, IOS v12.2(52)SE is suitable for the Catalyst 3750-X and will support all the features without any issues, like MAB, 802.1X, CWA, LWA, CoA, VLAN, DACL, SAG, as mentioned in the link below:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.
I see you are using IOS v12.2(58)SE2, which is not recommended. So you can downgrade to IOS v12.2(52)SE, which will solve your issues.