Radius CoA not working

BlackDiamond71
Level 1

I have Cisco ISE set up using IBNS 2.0, but without RADIUS DTLS, and CoA seemed to work fine. I converted it to RADIUS DTLS, and when I did that I could no longer issue CoA commands via the Endpoints page of Cisco ISE. I have included the names of the trustpoints below and the dynamic-author settings. Any thoughts on what I am doing wrong?

show crypto pki certificates pem

------Trustpoint: SWITCH-V2-SELF-SIGNED------ (I created on the switch)

------Trustpoint: ise1.domain.com------

------Trustpoint: ise2.domain.com------

aaa server radius dynamic-author
 client 192.168.1.5 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise1.domain.com
 client 192.168.1.6 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise2.domain.com

radius server ISE01
address ipv4 192.168.1.5
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise1.domain.com
dtls match-server-identity hostname ise1.domain.com
dtls match-server-identity ip-address 192.168.1.5
!
radius server ISE02
address ipv4 192.168.1.6
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise2.domain.com
dtls match-server-identity hostname ise2.domain.com
dtls match-server-identity ip-address 192.168.1.6

Event: 5417 Dynamic Authorization failed
Failure Reason: 11103 RADIUS-Client encountered error during processing flow
Resolution: Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root cause: RADIUS-Client encountered an error during processing flow

Steps

Step ID | Description | Latency (ms)
11203 | Received disconnect and port bounce dynamic authorization request |
11219 | Prepared the disconnect and port bounce dynamic authorization request | 1
11100 | RADIUS-Client about to send request - ( port = 2083 , type = Cisco CoA ) | 0
91055 | RADIUS packet is encrypted | 0
11103 | RADIUS-Client encountered error during processing flow | 120001

6 Replies

BlackDiamond71
Level 1

I did some digging and I think I had this backwards, so I changed it to what is shown below. I looked at the error and it shows port 1700 even though I have "RADIUS DTLS" checked. Could this be a bug, as it shows it is sending over the wrong port?

aaa server radius dynamic-author
 client 192.168.1.5 dtls client-tp ise1.domain.com server-tp SWITCH-V2-SELF-SIGNED
 client 192.168.1.6 dtls client-tp ise2.domain.com server-tp SWITCH-V2-SELF-SIGNED

Steps

Step ID | Description | Latency (ms)
11203 | Received disconnect and port bounce dynamic authorization request |
11219 | Prepared the disconnect and port bounce dynamic authorization request | 1
11100 | RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA ) | 2
11104 | RADIUS-Client request timeout expired | 15011
11213 | No response received from Network Access Device after sending a Dynamic Authorization request | 4

andrewswanson
Level 7

Do either of these match what you are seeing? Both have been updated today, but neither has a fixed ISE release.

https://bst.cisco.com/bugsearch/bug/CSCwn76670

https://bst.cisco.com/bugsearch/bug/CSCvv20753
hth
Andy

It seems likely that it is related. From the switch I also ran these commands and I get "User successfully authenticated":
test aaa group ISE-RADIUS server name ISE01 username password new-code

test aaa group ISE-RADIUS server name ISE02 username password new-code

Version: 3.4.0.608
Patch Information: 1

BlackDiamond71
Level 1

Anyone have any other thoughts on how I can proceed?

PSM
Level 1

@BlackDiamond71, I wonder about the intention of having 3 different trustpoints on the switch. Is it because the ISE servers have certificates from different CAs? In my understanding, if the signing CA of the switch certificate and of the ISE certificate is the same, then you just need one trustpoint.

Can you share a screenshot of the device RADSEC configuration in ISE? Also enable "debug radius authentication" and "debug radius radsec" and share the logs.

BlackDiamond71
Level 1

I figured it out. This document goes into good detail: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01100010.pdf

Essentially, I needed dtls ip radius source-interface vlanX, where X is the VLAN of your Cisco ISE servers.
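As an added example (not from the thread, Cisco or ISE), a small Python lint that walks the same prerequisites the thread works through: every dynamic-author client under "aaa server radius dynamic-author" names trustpoints that actually exist on the switch, the "dtls ip radius source-interface" line the poster ended up needing is present, and the ISE step trace shows the CoA going to 2083 rather than 1700. The config snippet, trustpoint set and ISE trace line are constructed from the thread; the function and regex names are assumptions.

```python
import re

# Constructed sample switch config, modelled on the thread (not a real device dump).
# Note it deliberately lacks the 'dtls ip radius source-interface' line.
SWITCH_CONFIG = """
aaa server radius dynamic-author
 client 192.168.1.5 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise1.domain.com
 client 192.168.1.6 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise2.domain.com
radius server ISE01
 address ipv4 192.168.1.5
 dtls port 2083
 dtls trustpoint client SWITCH-V2-SELF-SIGNED
 dtls trustpoint server ise1.domain.com
"""
# Trustpoints as they would appear in 'show crypto pki certificates pem' (constructed).
TRUSTPOINTS = {"SWITCH-V2-SELF-SIGNED", "ise1.domain.com", "ise2.domain.com"}

# 'client <ip> dtls client-tp <tp> server-tp <tp>' lines under dynamic-author
COA_CLIENT = re.compile(
    r"^\s*client\s+(\S+)\s+dtls\s+client-tp\s+(\S+)\s+server-tp\s+(\S+)", re.M)
# Step 11100 in the ISE trace: '( port = 1700 , type = Cisco CoA )'
ISE_COA_PORT = re.compile(r"port\s*=\s*(\d+)\s*,\s*type\s*=\s*Cisco CoA")


def check_dtls_coa(config: str, trustpoints: set, ise_trace: str = "") -> list:
    """Return a list of findings; an empty list means the prerequisites look fine."""
    findings = []
    clients = COA_CLIENT.findall(config)
    if not clients:
        findings.append("no 'client ... dtls' entries under aaa server radius dynamic-author")
    # Both trustpoints referenced by each CoA client must exist on the switch.
    for ip, client_tp, server_tp in clients:
        for role, tp in (("client-tp", client_tp), ("server-tp", server_tp)):
            if tp not in trustpoints:
                findings.append(f"CoA client {ip}: {role} {tp} is not a configured trustpoint")
    # The fix the thread arrived at: DTLS CoA needed an explicit source interface.
    if not re.search(r"^\s*dtls ip radius source-interface\s+\S+", config, re.M):
        findings.append("missing 'dtls ip radius source-interface <intf>' (the fix found in the thread)")
    # With RADIUS DTLS enabled for the device, ISE should send the CoA to 2083, not 1700.
    for port in ISE_COA_PORT.findall(ise_trace):
        if port != "2083":
            findings.append(f"ISE sent CoA to port {port}, expected 2083 for RADIUS DTLS")
    return findings


if __name__ == "__main__":
    for finding in check_dtls_coa(SWITCH_CONFIG, TRUSTPOINTS):
        print("FINDING:", finding)
```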