
ISE - Periodic Dynamic Auth Failures

xxkozxx
Level 1

I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoANAK and the error cause is 200. In the steps it's showing:

11204 Received reauthenticate request

11220 Prepared the reauthenticate request

11100 RADIUS-Client about to send request

11101 RADIUS-Client received response

Which shows successful communications between ISE and the NAD. When I look at the logs for Radius Authentication for one of the hosts I see it pass MAB with one session ID then Dynamic Auth CoA Fail then pass dot1x with a different session ID.

I was reading up on the Dynamic Auth RFC (http://tools.ietf.org/html/rfc5176) and in Section 3.5 it states:

"Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."

Am I missing something here? Is anyone else having this issue?
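As an added example (not code from the original post or from ISE): a small Python checker that parses a RADIUS CoA/Disconnect reply and applies the RFC 5176 section 3.5 rule quoted above, flagging a CoA-NAK that carries a 200-range Error-Cause. It also goes one step beyond the quoted sentence and flags the reverse case, a 400/500-range Error-Cause inside an ACK, which the same section likewise forbids. The packet is a constructed sample with a zeroed authenticator.

```python
import struct

# RADIUS packet codes from RFC 5176 and the Error-Cause attribute (type 101)
DISCONNECT_ACK, DISCONNECT_NAK = 41, 42
COA_ACK, COA_NAK = 44, 45
ERROR_CAUSE = 101  # 4-byte integer value, RFC 5176 section 3.5

def parse_radius(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, [(attr_type, value_bytes), ...])."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def check_error_cause(pkt: bytes):
    """Return (code, error_cause, verdict) per the RFC 5176 section 3.5 range rules."""
    code, _, attrs = parse_radius(pkt)
    causes = [struct.unpack("!I", v)[0] for t, v in attrs if t == ERROR_CAUSE and len(v) == 4]
    if not causes:
        return code, None, "no Error-Cause"
    cause = causes[0]
    if 200 <= cause <= 299 and code in (COA_NAK, DISCONNECT_NAK):
        return code, cause, "violation: success-range Error-Cause inside a NAK"
    if 400 <= cause <= 599 and code in (COA_ACK, DISCONNECT_ACK):
        return code, cause, "violation: failure-range Error-Cause inside an ACK"
    return code, cause, "consistent"

def build_packet(code: int, ident: int, error_cause: int) -> bytes:
    """Constructed sample: minimal RADIUS packet carrying one Error-Cause attribute."""
    attr = struct.pack("!BBI", ERROR_CAUSE, 6, error_cause)
    authenticator = bytes(16)  # zeroed here; a real reply carries an MD5 over the request
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + authenticator + attr

if __name__ == "__main__":
    # The combination from the post: CoA-NAK with Error-Cause 200
    print(check_error_cause(build_packet(COA_NAK, 7, 200)))
```

Feeding the checker a packet capture of the NAD's CoA replies (e.g. via a tool that exports raw RADIUS payloads) shows whether the NAD really emits the contradictory NAK or whether ISE is mislabelling the result.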

5 Replies

Tarik Admani
VIP Alumni

Is this for wireless or wired or both?

Tarik Admani
*Please rate helpful posts*

Wired.

Do you have non-Cisco phones that the clients connect to? Also, what version and platform is the wired switch? Also, can you post the running config of the port that you traced this back to?

If you issue a "show authentication session interface xxx" do you see multiple aaa-session-id for the same user?

You should be able to run a few debugs around the CoA process, and please make sure that the RADIUS shared secret is the same as the server-key under the client settings for the "aaa server radius dynamic-author" configuration section.

Thanks,

Tarik Admani
*Please rate helpful posts*

All Cisco phones. Switches are 4510s running 03.02.03.

Here's a sample port config:

!
interface GigabitEthernetX/X/X
 switchport access vlan XX
 switchport mode access
 switchport voice vlan XX
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree guard root
 service-policy input AutoQoS-Police-CiscoPhone
end
!

No, I don't see multiple session IDs for the same user. We are using EAP-TLS and cert auth.

Server keys are good. I've debugged a couple of these. The only thing I could find was that the session ID is different between MAB and dot1x.

Hello, I'm having the same problem. Did you find a solution for this?