Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5-node deployment (1 x Admin, 1 x Monitoring, 1 x secondary Admin/Monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that the POD message was dropped due to an unconfigured client, and listed the IP address of the primary admin node that I had initiated the CoA from (in the GUI).
I thought this was strange, in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin, and the same error presented, this time with the IP address of the secondary admin. I then proceeded to add the admin nodes as dynamic-author clients and CoA started to work properly.
So, in summary, I am wondering whether this is a bug, a misunderstanding on my part, or a change to the way that ISE CoA now works?
Cisco ISE does not issue a CoA for the following reasons:
I have just upgraded the deployment from 1.2 patch 8 to 1.2.1 and the issue still persists. Thanks kindly for the information, but I am well aware of the above-mentioned scenarios.
To put it simply, the issue presents when I issue a CoA from the administration GUI. What then happens is the switch gives the following error (where x.x.x.x is the IP of the admin node):
Jun 10 12:28:11: POD: x.x.x.x client not configured. Dropping POD packet.
Basically, the admin node is purely an admin node: no policy, no monitoring. If I repeat the test from the secondary admin, the same error occurs, albeit with the secondary IP in the error. I can resolve this issue by adding the admin nodes as dynamic-author clients on the switch.
Just to clarify: am I correct in my assumption that all CoA should be from the PSNs?
CoA Not Initiating on Client Machine

Cisco ISE is not able to identify the specified Network Access Device (NAD).

Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client

Possible Causes:
• The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by IP during authentication.

Resolution:
• Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices.

Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).

Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.

Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.

Resolution: Ensure the following commands are present in the switch configuration file (required on the switch to activate CoA and configure the switch):
  aaa server radius dynamic-author
   client <Monitoring_node_IP_address> server-key <radius_key>
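As an added example (not part of the thread, and not Cisco or ISE code), here is a small Python model of both sides of the exchange described in the opening post and in the troubleshooting text above: the ISE node builds a Disconnect-Request or CoA-Request, and the switch's dynamic-author listener only accepts it when the packet arrives on the configured port (1700 here), the source IP matches a configured "client" line, and the Request Authenticator verifies under that client's server-key. The node addresses, shared key and session IDs are constructed for the demo; the Message-Authenticator attribute and the reply's Response Authenticator are omitted to keep the model short.

```python
"""Added example, not Cisco/ISE code: a model of the RADIUS CoA / POD listener that
'aaa server radius dynamic-author' enables on an IOS switch, plus the client side that
builds the Disconnect-Request (RFC 5176).  IPs, keys and session IDs are constructed;
Message-Authenticator (attribute 80) and the reply's Response Authenticator are omitted."""
import hashlib
import hmac
import struct

# Packet codes and attributes from RFC 5176 / RFC 2866
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 44, 101
SESSION_CONTEXT_NOT_FOUND = 503
DEFAULT_COA_PORT = 1700          # ISE's default CoA port, per the thread


def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def _decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break                                    # malformed TLV: stop parsing
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_request(code: int, secret: bytes, ident: int, session_id: bytes) -> bytes:
    """ISE side.  Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret),
    the same construction RADIUS uses for Accounting-Request (RFC 2866)."""
    attrs = _encode_attrs([(ATTR_ACCT_SESSION_ID, session_id)])
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs


class DynamicAuthorListener:
    """Switch side.  `clients` is what the 'client <ip> server-key <key>' lines configure:
    the key is looked up by source IP, so a packet from an unlisted ISE node is dropped
    before any authenticator check (the log line quoted in the thread)."""

    def __init__(self, port=DEFAULT_COA_PORT):
        self.port = port
        self.clients = {}        # source IP -> shared key (bytes)
        self.sessions = {}       # Acct-Session-Id -> username
        self.log = []

    def client(self, ip, server_key):
        self.clients[ip] = server_key.encode()

    def handle(self, src_ip, dst_port, packet):
        """Returns (reply code, Error-Cause or None), or None when silently dropped."""
        if dst_port != self.port:
            return None                              # nothing is listening on that port
        key = self.clients.get(src_ip)
        if key is None:
            self.log.append(f"POD: {src_ip} client not configured. Dropping POD packet.")
            return None
        if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
            return None                              # malformed length
        code, req_auth = packet[0], packet[4:20]
        if code not in (DISCONNECT_REQUEST, COA_REQUEST):
            return None
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + key).digest()
        if not hmac.compare_digest(expected, req_auth):
            # Mistyped server-key: RFC 5176 says discard silently.  Log text is ours.
            self.log.append(f"POD: {src_ip} Request Authenticator mismatch. Dropping POD packet.")
            return None
        ack, nak = ((DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST
                    else (COA_ACK, COA_NAK))
        sid = _decode_attrs(packet[20:]).get(ATTR_ACCT_SESSION_ID)
        if sid not in self.sessions:
            return nak, SESSION_CONTEXT_NOT_FOUND     # NAK: no such session on this NAD
        if code == DISCONNECT_REQUEST:
            del self.sessions[sid]                   # the POD tears the session down
        return ack, None


def run_thread_scenario():
    """Replays the thread: PSN configured as a dynamic-author client, PAN not."""
    key, psn, pan = "r4d1us-k3y", "10.0.0.11", "10.0.0.10"   # constructed values
    sw = DynamicAuthorListener()
    sw.client(psn, key)
    sw.sessions = {b"0000001A": "alice", b"0000001B": "bob"}
    pod = build_request(DISCONNECT_REQUEST, key.encode(), 7, b"0000001A")
    out = {
        "from_pan": sw.handle(pan, 1700, pod),        # dropped: PAN is not a client
        "wrong_port": sw.handle(psn, 3799, pod),      # never reaches the listener
        "wrong_key": sw.handle(psn, 1700, build_request(DISCONNECT_REQUEST, b"typo", 8, b"0000001A")),
        "from_psn": sw.handle(psn, 1700, pod),        # Disconnect-ACK, alice is gone
        "stale_session": sw.handle(psn, 1700, pod),   # Disconnect-NAK, Error-Cause 503
    }
    sw.client(pan, key)                               # the fix applied in the thread
    coa = build_request(COA_REQUEST, key.encode(), 9, b"0000001B")
    out["from_pan_after_fix"] = sw.handle(pan, 1700, coa)   # CoA-ACK, bob stays up
    out["log"], out["sessions_left"] = list(sw.log), sorted(sw.sessions)
    return out
```

Running run_thread_scenario() reproduces the symptom in the thread: the request from the unlisted PAN address is dropped with the "client not configured" log line before any key check, and starts working once that IP is added as a client. The model also shows why the "incorrectly entered key" case in the troubleshooting text is hard to spot from the ISE side: the switch drops the packet silently instead of sending a NAK, so a wrong server-key, a wrong port and a missing client line all look the same to the sender.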