Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
650
Views
0
Helpful
6
Replies

Radius CoA not working

Go to solution
BlackDiamond71
Level 1
Level 1

‎05-13-2025 12:09 PM

I have Cisco ISE setup using IBNS 2.0 but without Radius DTLS and CoA seemed to work fine. I converted it to Radius DTLS and when I did that, I can no longer do CoA commands via the endpoints page of Cisco ISE. I included the names of the trustpoints below and the dynamic author settings. Any thoughts on what I am doing wrong?

show crypto pki certificates pem

------Trustpoint: SWITCH-V2-SELF-SIGNED------ (I created on the switch)

------Trustpoint: ise1.domain.com------

------Trustpoint: ise2.domain.com------

aaa server radius dynamic-author

client 192.168.1.5 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise1.domain.com

client 192.168.1.6 dtls client-tp SWITCH-V2-SELF-SIGNED server-tp ise2.domain.com

radius server ISE01
address ipv4 192.168.1.5
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise1.domain.com
dtls match-server-identity hostname ise1.domain.com
dtls match-server-identity ip-address 192.168.1.5
!
radius server ISE02
address ipv4 192.168.1.6
automate-tester username [test-user] ignore-acct-port probe-on
dtls port 2083
dtls trustpoint client SWITCH-V2-SELF-SIGNED
dtls trustpoint server ise2.domain.com
dtls match-server-identity hostname ise2.domain.com
dtls match-server-identity ip-address 192.168.1.6

 

Event5417 Dynamic Authorization failed
Failure Reason11103 RADIUS-Client encountered error during processing flow
ResolutionDo the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root causeRADIUS-Client encountered an error during processing flow

Steps

 Step IDDescriptionLatency (ms)
 11203Received disconnect and port bounce dynamic authorization request
 11219Prepared the disconnect and port bounce dynamic authorization request1
 11100RADIUS-Client about to send request - ( port = 2083 , type = Cisco CoA )0
 91055RADIUS packet is encrypted0
 

 

11103RADIUS-Client encountered error during processing flow120001
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
BlackDiamond71
Level 1
Level 1

‎06-03-2025 08:04 AM

I figured it out, This Document goes in good detail https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01100010.pdf. Essentially, I needed # dtls ip radius source-interface vlanX, where X is the vlan of your Cisco ISE Servers

View solution in original post

0 Helpful
6 Replies 6

Go to solution
BlackDiamond71
Level 1
Level 1

‎05-14-2025 06:56 AM

I did some digging and I think I had this backwards, so I changed it to show this (Below). I looked at the error and it shows 1700 even though I have "Radius DLTS" checked. Could this be a bug as it shows it is sending over the wrong port?

aaa server radius dynamic-author

client 192.168.1.5 dtls client-tp ise1.domain.com server-tp SWITCH-V2-SELF-SIGNED

client 192.168.1.6 dtls client-tp ise2.domain.com server-tp SWITCH-V2-SELF-SIGNED

Steps

 Step IDDescriptionLatency (ms)
 11203Received disconnect and port bounce dynamic authorization request
 11219Prepared the disconnect and port bounce dynamic authorization request1
 11100RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )2
 

 

11104RADIUS-Client request timeout expired15011
 11213No response received from Network Access Device after sending a Dynamic Authorization request4
0 Helpful

Go to solution
andrewswanson
Level 7
Level 7

‎05-14-2025 08:04 AM

Do either of these match what you are seeing? Both have been updated today but neither have a fixed ISE release.

https://bst.cisco.com/bugsearch/bug/CSCwn76670


https://bst.cisco.com/bugsearch/bug/CSCvv20753

 

hth
Andy

0 Helpful

Go to solution
BlackDiamond71
Level 1
Level 1
In response to andrewswanson

‎05-14-2025 08:35 AM

Seems likely that it is related. From the switch I also Ran these codes and I get "User successfully authenticated"
test aaa group ISE-RADIUS server name ISE01 username password new-code

test aaa group ISE-RADIUS server name ISE02 username password new-code

Version:
3.4.0.608
Patch Information:
1
0 Helpful

Go to solution
BlackDiamond71
Level 1
Level 1

‎05-19-2025 11:30 AM

Anyone have any other thoughts on how I can proceed?

0 Helpful

Go to solution
PSM
Level 1
Level 1

‎05-20-2025 05:37 AM

@BlackDiamond71 wonder the intention of having 3 different trustpoints on the switch. Is it because ISE servers have certificates from different CA. In my understanding if signing CA of switch certificate and ISE certificate is same then you just need one trustpoint.

Can you share screen shot of device RADSEC configuration in ISE ? Also enable "debug radius authentication" and "debug radius radsec" and share the logs.

0 Helpful

Go to solution
BlackDiamond71
Level 1
Level 1

‎06-03-2025 08:04 AM

I figured it out, This Document goes in good detail https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01100010.pdf. Essentially, I needed # dtls ip radius source-interface vlanX, where X is the vlan of your Cisco ISE Servers

0 Helpful
Customers Also Viewed These Support Documents