
Dynamic Authorization Failed

Manish Patel
Beginner

Hi,

I keep getting error messages on the ISE in regards to RADIUS.

The error is:

Dynamic Authorization failed : 1213 No response received from Network Access Device


I am using ISE version 1.1.1 and the NAD is a WLC running version 7.0.98.0.

I use ISE to authenticate users via PEAP. I deleted the NAD and re-added it twice but I still keep getting this issue. This setup was working fine for the last few weeks.

I don't think location and device type would cause an issue to authentication under the NAD list.

Anyone have any ideas?

1 ACCEPTED SOLUTION


Is the option not there or was it not set? I can't remember if your version has radius nac.

Either way if it was disabled it could have been set and it wasn't saved and reverted after a reboot.


6 REPLIES 6

Tarik Admani
Advocate

Yes, the issue may be related to RADIUS NAC not being configured in the advanced settings of the SSID; please check and see if it goes away. I can't remember if RADIUS NAC is in the code you are running.


Hi,

This solution was working fine, i.e. with the current versions of ISE and 7.0.98.0.

I had a look at the advanced settings on the WLC and RADIUS NAC isn't there.

Why would it stop working suddenly...

Is the option not there or was it not set? I can't remember if your version has radius nac.

Either way if it was disabled it could have been set and it wasn't saved and reverted after a reboot.

The option, i.e. the drop-down box, wasn't there. Looking at the compatibility chart of ISE 1.1.1 and WLC, the minimum version for WLC is 7.2.103.0.

Do you need to have RADIUS NAC enabled if the ISE is only used to authenticate corporate wireless users against AD? There is no CoA.

The other function is to use RADIUS for network management logon to the WLC using the AD. Depending on the AD group, one could get priv 15 or priv 5 access. I am also using a device attribute by location so that remote offices' network engineers cannot log onto the WLC, i.e. I created a NAD, put it in a location and use that location AND the AD group to qualify for priv 15 access.

Could this policy interrupt the wireless RADIUS policy? The wireless policy is at the top of the list under the authorization tab.

Yes, you can use ISE as an authentication server. CoA isn't necessary, and if it is not being used then disable this option in the settings for profiling in the admin section. It could be that this was turned on and caused the errors.

Also, if you set a condition for Service-Type, you can determine if the RADIUS request is for dot1x or device login.

Service-type=framed is for dot1x

Service-type=login is for device admin

It might be in the reports section.

Thanks
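
The Service-Type condition mentioned in the reply above, as an added example that is not part of the original thread or any Cisco code: a Python parser that reads the Service-Type attribute (type 6, RFC 2865) from a RADIUS Access-Request and labels the request the way the two conditions would. The packets are constructed samples, and the function names and flow labels are assumptions.

```python
import struct

SERVICE_TYPE = 6                            # RADIUS attribute type (RFC 2865, 5.6)
FLOWS = {1: "device-admin login",           # Service-Type = Login
         2: "802.1X/PEAP network access"}   # Service-Type = Framed

def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    pos = 20                                # skip code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def classify(packet: bytes) -> str:
    """Name the flow an Access-Request belongs to, based on Service-Type."""
    if packet[:1] != b"\x01":               # code 1 = Access-Request
        raise ValueError("not an Access-Request")
    for a_type, value in radius_attributes(packet):
        if a_type == SERVICE_TYPE:
            if len(value) != 4:
                raise ValueError("Service-Type must be a 4-byte integer")
            return FLOWS.get(struct.unpack("!I", value)[0], "other")
    return "no Service-Type"

def build_request(service_type, user=b"constructed-user"):
    """Constructed sample Access-Request (zeroed authenticator, test data only)."""
    attrs = bytes([1, 2 + len(user)]) + user            # User-Name attribute
    if service_type is not None:
        attrs += bytes([SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for st in (2, 1, None):
        print(st, "->", classify(build_request(st)))
```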

Eric Kenny
Beginner

On your WLC you also have to enable "Support for RFC 3576" under:

Security > AAA > RADIUS > Authentication > Your RADIUS Server
