05-13-2025 12:09 PM
I have Cisco ISE set up using IBNS 2.0. Without RADIUS DTLS, CoA seemed to work fine. I converted it to RADIUS DTLS, and since then I can no longer issue CoA commands from the Endpoints page of Cisco ISE. I included the names of the trustpoints below and the dynamic-author settings. Any thoughts on what I am doing wrong?
show crypto pki certificates pem
------Trustpoint: SWITCH-V2-SELF-SIGNED------ (I created this on the switch)
------Trustpoint: ise1.domain.com------
------Trustpoint: ise2.domain.com------
aaa server radius dynamic-author
client 192.168.1.5 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise1.domain.com
client 192.168.1.6 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise2.domain.com
radius server ISE01
address ipv4 192.168.1.5
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise1.domain.com
dtls match-server-identity hostname ise1.domain.com
dtls match-server-identity ip-address 192.168.1.5
!
radius server ISE02
address ipv4 192.168.1.6
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise2.domain.com
dtls match-server-identity hostname ise2.domain.com
dtls match-server-identity ip-address 192.168.1.6
Event | 5417 Dynamic Authorization failed
Failure Reason | 11103 RADIUS-Client encountered error during processing flow
Resolution | Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root cause | RADIUS-Client encountered an error during processing flow

Step ID | Description | Latency (ms)
11203 | Received disconnect and port bounce dynamic authorization request |
11219 | Prepared the disconnect and port bounce dynamic authorization request | 1
11100 | RADIUS-Client about to send request - ( port = 2083 , type = Cisco CoA ) | 0
91055 | RADIUS packet is encrypted | 0
11103 | RADIUS-Client encountered error during processing flow | 120001
06-03-2025 08:04 AM
I figured it out. This document goes into good detail: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01100010.pdf. Essentially, I needed # dtls ip radius source-interface vlanX, where X is the VLAN of your Cisco ISE servers.
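For reference, here is the complete dynamic-author stanza with the source-interface line in place. This is an added example, not the poster's exact final configuration: it assumes the revised trustpoint order from the later post (switch certificate as server-tp, ISE trustpoints as client-tp), the ISE addresses from the thread, and a placeholder SVI Vlan10 as the interface the switch uses to reach the ISE servers.

```text
! Added example (not the poster's final config): DTLS CoA listener on the switch.
! ISE PSNs 192.168.1.5 and .6 come from the thread; Vlan10 is a placeholder SVI.
aaa server radius dynamic-author
 ! For CoA the switch is the DTLS server, so server-tp is the switch's own
 ! certificate and client-tp is the trustpoint holding each ISE node's certificate.
 client 192.168.1.5 dtls client-tp ise1.domain.com server-tp SWITCH-V2-SELF-SIGNED
 client 192.168.1.6 dtls client-tp ise2.domain.com server-tp SWITCH-V2-SELF-SIGNED
 ! The line the poster found missing: selects the interface whose address is used
 ! for the DTLS CoA session with ISE (placement under dynamic-author is assumed
 ! from the linked guide).
 dtls ip radius source-interface Vlan10
!
```

After applying it, the debug commands suggested later in the thread (debug radius authentication and debug radius radsec) show whether the DTLS handshake with ISE completes.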
05-14-2025 06:56 AM
I did some digging and I think I had this backwards, so I changed it to what is shown below. I looked at the error and it shows port 1700 even though I have "RADIUS DTLS" checked. Could this be a bug, as it shows it is sending over the wrong port?
aaa server radius dynamic-author
client 192.168.1.5 dtls client-tp ise1.domain.com server-tp SWITCH-V2-SELF-SIGNED
client 192.168.1.6 dtls client-tp ise2.domain.com server-tp SWITCH-V2-SELF-SIGNED
Step ID | Description | Latency (ms)
11203 | Received disconnect and port bounce dynamic authorization request |
11219 | Prepared the disconnect and port bounce dynamic authorization request | 1
11100 | RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA ) | 2
11104 | RADIUS-Client request timeout expired | 15011
11213 | No response received from Network Access Device after sending a Dynamic Authorization request | 4
05-14-2025 08:04 AM
Do either of these match what you are seeing? Both have been updated today, but neither has a fixed ISE release.
https://bst.cisco.com/bugsearch/bug/CSCwn76670
https://bst.cisco.com/bugsearch/bug/CSCvv20753
hth
Andy
05-14-2025 08:35 AM
Seems likely that it is related. From the switch I also ran these commands and I get "User successfully authenticated":
test aaa group ISE-RADIUS server name ISE01 username password new-code
test aaa group ISE-RADIUS server name ISE02 username password new-code
05-19-2025 11:30 AM
Anyone have any other thoughts on how I can proceed?
05-20-2025 05:37 AM
@BlackDiamond71 I wonder about the intention of having 3 different trustpoints on the switch. Is it because the ISE servers have certificates from different CAs? In my understanding, if the signing CA of the switch certificate and the ISE certificate is the same, then you just need one trustpoint.
Can you share a screenshot of the device RADSEC configuration in ISE? Also enable "debug radius authentication" and "debug radius radsec" and share the logs.