01-03-2014 10:04 AM - edited 03-10-2019 09:14 PM
I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoA-NAK and the Error-Cause is 200. In the steps it's showing:
11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request
11101 RADIUS-Client received response
This shows successful communication between ISE and the NAD. When I look at the RADIUS Authentication logs for one of the hosts, I see it pass MAB with one session ID, then a Dynamic Auth CoA failure, then pass dot1x with a different session ID.
I was reading up on the Dynamic Auth RFC (http://tools.ietf.org/html/rfc5176) and in Section 3.5 it states:
"Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."
Am I missing something here? Is anyone else having this issue?
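The RFC 5176 point above (a success Error-Cause of 200-299 inside a CoA-NAK or Disconnect-NAK) can be checked mechanically against captured packets. The following is an added example, not code from this thread, ISE or Cisco: it builds and parses minimal RADIUS dynamic-authorization packets and flags Error-Cause values that section 3.5 forbids for the packet type. The packet codes (40-45), Acct-Session-Id (44) and Error-Cause (101) attribute numbers and the Error-Cause names are from RFC 5176 and the IANA RADIUS registries; the sample session ID and the all-zero authenticator are constructed placeholders, and the Response Authenticator is not computed or verified.

```python
import struct

# RADIUS packet codes defined by RFC 5176 Dynamic Authorization Extensions
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACK_CODES = {DISCONNECT_ACK, COA_ACK}
NAK_CODES = {DISCONNECT_NAK, COA_NAK}

# Attribute types used here (IANA RADIUS attribute registry)
ATTR_ACCT_SESSION_ID = 44   # the value the NAD uses to locate the session
ATTR_ERROR_CAUSE = 101

# Subset of Error-Cause values from RFC 5176 section 3.5
ERROR_CAUSE_NAMES = {
    200: "Residual Session Context Removed",
    201: "Invalid EAP Packet (Ignored)",
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    503: "Session Context Not Found",
    504: "Session Context Not Removable",
    506: "Resources Unavailable",
}


def build_radius(code, ident, attrs, authenticator=b"\x00" * 16):
    """Assemble a RADIUS packet: Code, Identifier, Length, 16-byte Authenticator,
    then TLV attributes. The authenticator here is a constructed placeholder; a
    real Response Authenticator is an MD5 over the packet plus the shared secret
    and is not computed or checked in this example."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(pkt):
    """Return (code, identifier, [(type, value), ...]). Length fields are
    validated so a malformed packet raises instead of reading out of bounds."""
    if len(pkt) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def check_dynauth_response(pkt):
    """Summarise a CoA/Disconnect ACK or NAK and list every Error-Cause value
    that RFC 5176 section 3.5 says MUST NOT appear in that packet type:
    200-299 (success) only in ACKs, 400-599 (fatal errors) only in NAKs."""
    code, ident, attrs = parse_radius(pkt)
    session_id = next((v.decode("ascii", "replace")
                       for t, v in attrs if t == ATTR_ACCT_SESSION_ID), None)
    causes = [struct.unpack("!I", v)[0]
              for t, v in attrs if t == ATTR_ERROR_CAUSE and len(v) == 4]
    findings = []
    for c in causes:
        name = ERROR_CAUSE_NAMES.get(c, "unknown")
        if code in NAK_CODES and 200 <= c <= 299:
            findings.append(f"Error-Cause {c} ({name}) is a success value "
                            f"and MUST NOT appear in a NAK")
        elif code in ACK_CODES and 400 <= c <= 599:
            findings.append(f"Error-Cause {c} ({name}) is a fatal-error value "
                            f"and MUST NOT appear in an ACK")
    return {"code": code, "id": ident, "session_id": session_id,
            "error_causes": causes, "findings": findings}


# Constructed sample: the situation from the thread, Error-Cause 200 in a CoA-NAK
SAMPLE_NAK_200 = build_radius(COA_NAK, 7, [
    (ATTR_ACCT_SESSION_ID, b"0A0A0A01000000AB"),   # constructed session id
    (ATTR_ERROR_CAUSE, struct.pack("!I", 200)),
])
# Constructed sample: an RFC-conformant NAK (session not found) for comparison
SAMPLE_NAK_503 = build_radius(COA_NAK, 8, [(ATTR_ERROR_CAUSE, struct.pack("!I", 503))])

if __name__ == "__main__":
    for p in (SAMPLE_NAK_200, SAMPLE_NAK_503):
        print(check_dynauth_response(p))
```

Feeding the bytes of a captured CoA-NAK (from the NAD side, before any ISE interpretation) into check_dynauth_response separates two questions the thread raises: whether the NAD really sent a 200-299 value in a NAK, and which Acct-Session-Id the CoA was addressed to, so it can be compared with the session ID the switch currently holds for the client.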
01-03-2014 10:33 AM
Is this for wireless or wired or both?
Tarik Admani
*Please rate helpful posts*
01-03-2014 11:31 AM
Wired.
01-03-2014 12:44 PM
Do you have non-Cisco phones that the clients connect to? Also, what version and platform is the wired switch? And can you post the running config of the port that you traced this back to?
If you issue a "show authentication session interface xxx" do you see multiple aaa-session-id for the same user?
You should be able to run a few debugs around the CoA process, and please make sure that the RADIUS shared secret is the same as the server-key under the client settings for the "aaa server radius dynamic-author" configuration section.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-03-2014 01:13 PM
All Cisco phones. Switches are 4510s running 03.02.03.
Here's a sample port config:
!
interface GigabitEthernetX/X/X
switchport access vlan XX
switchport mode access
switchport voice vlan XX
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
service-policy input AutoQoS-Police-CiscoPhone
end
!
No, I don't see multiple session IDs for the same user. We are using EAP-TLS and cert auth.
Server keys are good. I've debugged a couple of these. Only thing I could find was the session ID is different between mab and dot1x.
04-02-2019 07:59 AM
Hello, I'm having the same problem. Did you find a solution for this?