ISE COA Radius failure

jtimmer1
Level 1

Hello All,

We're facing issues with the CoA from an ISE server.

When we want to do a change of authorization, we're getting failures in ISE and on the switch.

On ISE we're getting this failure:

 11213 No response received from Network Access Device after sending a Dynamic Authorization request

And on the switch, with a debug, I get this:

Sep 17 11:52:09.061: RADIUS: COA received from id 33 10.23.14.12:15284, CoA Request, len 167
Sep 17 11:52:09.061: COA: 10.23.14.12 request queued
Sep 17 11:52:09.061: COA: Illegal authenticator in COA from 10.23.14.12
Sep 17 11:52:14.063: RADIUS: COA received from id 33 10.23.14.12:15284, CoA Request, len 167
Sep 17 11:52:14.063: COA: 10.23.14.12 request queued
Sep 17 11:52:14.063: COA: Illegal authenticator in COA from 10.23.14.12

I've searched, and when we enter this command: radius-server attribute 8 include-in-access-req

we're getting this error back: %PARSE_RC-4-PRC_NON_COMPLIANCE: `radius-server attribute 8 include-in-access-req '

See switch config below:

 

aaa new-model
!
!
aaa group server radius ISE
server name ISE
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
!
!
!
!
aaa server radius dynamic-author
client 10.23.14.12 server-key xyz
!
aaa session-id common

ip dhcp snooping vlan 219,319
ip domain-name intra.local
vtp mode transparent
!
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 113
name switch_mgmt
!
vlan 219
name Data_boszicht
!
vlan 242
name ISE_POC_BOSZICHT_GUEST
!
vlan 319
name voip_boszicht
!
lldp run
!
interface GigabitEthernet1/0/2
switchport mode access
switchport voice vlan 319
ip access-group permitany in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge

interface Vlan113
ip address 10.22.2.240 255.255.255.0
!
ip default-gateway 10.22.2.1
ip http server
ip http secure-server
ip http active-session-modules none
!
ip ssh source-interface Vlan113
ip ssh version 2
!
ip access-list extended REDIRECT
deny udp any eq bootpc any eq bootpc
deny udp any any eq domain
deny udp any host 10.23.14.12 eq 8905
deny tcp any host 10.23.14.12 eq 8905
deny udp any host 10.23.14.12 eq 8909
deny tcp any host 10.23.14.12 eq 8909
deny tcp any host 10.23.14.12 eq 8443
permit ip any any
ip access-list extended REDIRECT-GUEST
deny ip any host 10.23.14.12
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended permitany
permit ip any any
ip radius source-interface Vlan113
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 60 tries 5
radius-server deadtime 20
!
radius server ISE
address ipv4 10.23.14.12 auth-port 1812 acct-port 1813
key 7 XYZ

I hope some of you can help me further.

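The "Illegal authenticator in COA" line in the debug above is the switch failing the Request Authenticator check on the CoA packet. RFC 5176 requires a CoA-Request with an invalid authenticator to be silently discarded, so no CoA-NAK goes back; ISE therefore logs 11213 (no response) and retransmits, which is why the debug shows the same packet id 33 arriving again five seconds later. The following added example is my own code, not from the thread, Cisco or ISE: it builds and verifies CoA-Request and CoA-ACK authenticators as RFC 5176 defines them, over a constructed attribute set, and shows that a shared secret differing only in case or by a trailing space (the comparison suggested later in the thread) fails the check exactly the way the switch reports. Attribute values, the session id and the key `xyz` are made-up sample data.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not from the thread: a minimal RFC 5176 CoA-Request builder
# and the verification a NAD performs on receipt. The IOS message
# "Illegal authenticator in COA" is the failure of exactly this check, so a
# shared-secret mismatch between ISE and the 'aaa server radius
# dynamic-author' client entry reproduces the symptom.

COA_REQUEST = 43      # RFC 5176 packet codes
COA_ACK = 44
COA_NAK = 45
CISCO_VENDOR_ID = 9   # IANA enterprise number carried in cisco-avpair VSAs


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a cisco-avpair: Vendor-Specific (26), vendor 9, vendor-type 1."""
    payload = text.encode()
    sub = struct.pack("!BB", 1, len(payload) + 2) + payload
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """CoA-Request with Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """The receiving NAD's check. A packet that fails it is silently discarded
    (no CoA-NAK), so the sender only sees a timeout and retransmits."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_coa_response(request: bytes, code: int, attributes: bytes, secret: bytes) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(Code + Identifier + Length +
    Request Authenticator + attributes + secret), binding it to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the CoA sender (ISE in the thread) checks on an ACK or NAK."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample payload resembling a reauthenticate CoA (made-up values).
SAMPLE_ATTRS = (
    attr(4, ipaddress.IPv4Address("10.22.2.240").packed)   # NAS-IP-Address
    + attr(31, b"00-11-22-33-44-55")                        # Calling-Station-Id
    + attr(44, b"0000001A")                                 # Acct-Session-Id
    + cisco_avpair("subscriber:command=reauthenticate")
)


def demo(configured_secret: bytes = b"xyz", sent_with_secret: bytes = b"xyz") -> dict:
    """Send a CoA built with one secret to a NAD configured with another and
    report what each side observes."""
    request = build_coa_request(33, SAMPLE_ATTRS, sent_with_secret)
    if not verify_coa_request(request, configured_secret):
        return {"nad_accepts": False, "reply": None, "sender_sees": "timeout, retransmit"}
    reply = build_coa_response(request, COA_ACK, b"", configured_secret)
    ok = verify_coa_response(reply, request, sent_with_secret)
    return {"nad_accepts": True, "reply": COA_ACK, "sender_sees": "ack" if ok else "bad reply"}


if __name__ == "__main__":
    print(demo())                   # matching keys: CoA-ACK
    print(demo(b"xyz", b"XYZ"))     # case differs: NAD drops it silently
    print(demo(b"xyz", b"xyz "))    # trailing space: same failure
```

The same functions work on a real packet: capture the CoA datagram ISE sends to the switch (UDP 1700 by default for `aaa server radius dynamic-author`), hand the raw UDP payload to `verify_coa_request` together with the secret from the `client ... server-key` line, and you can confirm or rule out a key mismatch offline without touching the switch.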
Accepted Solution

howon
Cisco Employee

What platform and version are you running? I suggest trying out a validated version from the ISE compatibility matrix.

Also, I suggest removing 'aaa accounting network ...' command as you already have 'aaa accounting dot1x ...' in place.


3 Replies

paul
Level 10

Did you obscure your keys for the community post? If not, your RADIUS key is XYZ and your dynamic-author key is xyz. I would double-check your keys to make sure there are no spaces and they match exactly.

Hi Paul,

Thanks for your reply.

I've hidden the keys.

I double-checked them, and the keys are exactly the same.

Regards
