12-06-2012 07:54 AM - edited 03-10-2019 07:51 PM
Hi,
I am getting warning messages in ISE saying
Cause: Dynamic Authorization Failed for Device: 0002SWC003 (switch)
Details: Dynamic Authorization Failed
It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1.
My end devices are none-802.1x.
I can't figure out what is causing this error.
The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other than that everything is being Authorized fine.
Anyone got an idea what could be causing this error?
Regards,
Philip
12-06-2012 09:56 AM
Good question, I have the same thing happening for a Wireless Controller from time to time.
Occurred At: Tue Nov 13 13:19:40 CST 2012
Cause: Dynamic Authorization Failed for Device: SECONDARY-WLC
Details: Dynamic Authorization Failed
12-07-2012 12:43 AM
Just noticed that we are getting it on our WLC too. I wish the Details section of the error could be a little more... detailed...
12-07-2012 12:55 AM
We get these several times a day but it seems to be pretty random. We've got 24 WLCs and it's almost never the same one twice in a row, and we can see that most dynamic authorization happens without issue in the live logs. It doesn't seem to have any impact for us either, but if you look at a successful dynamic authorization, the client successfully authenticates first, and then I think the dynamic authorization is done once the client is profiled. I could be wrong.
06-29-2021 06:28 PM
Hi,
While adding a RADIUS server for authentication on the WLC, did you enable support for CoA?
It is disabled by default.
Thanks,
Sri.
12-07-2012 01:32 AM
Might be the CoA command that's missing: aaa server radius dynamic-author / client 10.1.1.1 server-key cisco?
01-10-2013 08:17 AM
This is what I have found out, using ISE version 1.1.1.268. If you go to the logs page
Jan 10,13 7:39:12.147 AM | Dynamic Authorization failed
and then go to the details...
Failure Reason > Authentication Failure Code Lookup
Generated on: January 10, 2013 8:08:17 AM PST
...next check into Resolution Steps...
01-10-2013 12:42 PM
If you are receiving this message for every user session, then you have to check the following:
On the wired settings check and see the dynamic-author statement which was already covered.
On the wireless check the advanced settings on the ssid and make sure that radius nac is configured.
Make sure that you are allowing udp port 1700 and 3799 from ISE to your Network devices.
Check RADIUS accounting to make sure the session-ids are closed when users disconnect from the network (it also keeps your licensing intact).
You can use the tcpdump utility to get the capture as the CoA leaves. You can also use debug radius authentication on the wired devices to see why the CoA is being dropped (or if it gets to the network device).
Thanks,
Sent from Cisco Technical Support iPad App
05-31-2013 06:40 AM
hi Tarik,
I am still having this problem occur very randomly about once a day.
Is the TCP Dump feature something that I can leave on and then as soon as the problem happens, I can download the latest TCP dump file?
Or must I manually kick this off just before the problem happens? If so, this will be very difficult almost impossible as it is very random.
We have no firewall between our ISE PSN & WLC. And we only have one WLC.
Thanks
Mario
02-23-2015 12:12 AM
Hi Tarik,
I'm also facing the same issue but it's intermittent. I am facing this issue mainly with WLC 7.6.130 and ISE ver 1.2.1.0.899.
Has anybody found a solution for the same?
05-31-2013 07:01 AM
I'm not sure about the LAN, but you see this a lot with Wireless LAN Controllers... A client will poke the WLAN just enough for it to start a RADIUS session with ISE, but then the client will disappear / join a different SSID / etc. When ISE sends an instruction to the WLC to do something, the WLC then ignores the instruction because the client is no longer there, and you get the ISE error message as a result. I guess you might be able to achieve this on the LAN if you unplug the port or if the PC goes to sleep? Again, not sure about switches, but there's a WLC CLI show command that allows you to track these kinds of events, show radius rfc3576 statistics, but it's broken - whoops! All the values will always be zero.
07-22-2013 10:23 AM
Please check the following configuration in your switch:
aaa server radius dynamic-author
client 10.0.10.131 server-key cisco123
07-23-2013 07:08 PM
Check the connectivity between ISE and the NAD. Ensure that ISE is defined as the dynamic authorization client on NAD and that CoA is supported on device.
07-23-2013 09:59 PM
That was a message that can indicate a failed CoA.
1. Check the configuration on ISE and the NAD (switch and/or WLC).
2. Is there any firewall or ACL between them?
3. Use Wireshark or another sniffer tool to monitor RADIUS and CoA traffic on the NAD. If there is no RADIUS traffic at all, it will be a firewall/ACL problem, so check the firewall. If there is, check the configuration on ISE and the NAD.
4. If nothing solves it, last solution -> open a TAC case...
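The checks in Tarik's post above (shared key, CoA ports 1700/3799, whether the CoA reaches the NAD) and in this troubleshooting list come down to what the NAD does with an incoming RFC 5176 CoA-Request: it recomputes the Request Authenticator with its configured server-key and silently drops the packet if it does not match, which ISE then reports as "Dynamic Authorization Failed". The following is an added example, not code from this thread or from Cisco; it builds a CoA-Request offline and mimics the NAD's validation, with a constructed session id and MAC and the server-key quoted earlier in the thread.

```python
import hashlib
import struct

COA_REQUEST = 43        # RFC 5176 CoA-Request packet code
COA_PORT_CISCO = 1700   # UDP port Cisco NADs listen on for CoA (ISE default)
COA_PORT_RFC = 3799     # UDP port assigned by RFC 5176
ACCT_SESSION_ID = 44    # RADIUS attribute types used below
CALLING_STATION_ID = 31

def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(secret, identifier, attrs):
    """Build a CoA-Request the way a dynamic-authorization server (e.g. ISE) does.
    RFC 5176 s.2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    payload = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(payload))
    authenticator = hashlib.md5(header + b"\x00" * 16 + payload + secret).digest()
    return header + authenticator + payload

def verify_coa_request(packet, secret):
    """Mimic the NAD's validation of an incoming CoA-Request; returns (ok, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        return False, "not a CoA-Request (code %d)" % code
    if length != len(packet):
        return False, "length field does not match packet size"
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        # This is the case a server-key mismatch produces: the NAD drops the packet
        # without replying, and the server logs a dynamic authorization failure.
        return False, "bad Request Authenticator (shared key mismatch?)"
    return True, "ok"

def parse_attrs(packet):
    """Return {type: value} for the attributes of a validated CoA-Request."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

if __name__ == "__main__":
    # Constructed sample values; the server-key is the one quoted in the thread.
    pkt = build_coa_request(b"cisco123", 7, [encode_attr(ACCT_SESSION_ID, b"0000001A"),
                                             encode_attr(CALLING_STATION_ID, b"00-11-22-33-44-55")])
    print(verify_coa_request(pkt, b"cisco123"))   # NAD configured with the right key
    print(verify_coa_request(pkt, b"wrong-key"))  # NAD configured with a different key
```

A capture of the CoA on the NAD side (tcpdump on ISE, Wireshark on the wire) showing a request with no CoA-ACK/NAK reply is the same symptom this check reproduces.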
06-29-2021 06:27 PM
Hi,
Do you have these commands on the switch?
aaa server radius dynamic-author
client x.x.x.x server-key 0 xxxxxxx
!