Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1688
Views
0
Helpful
3
Replies

Sponsored Guest user not getting internet after authentication success ISE 2.7

Tutu
Level 1
Level 1

‎11-19-2020 03:16 AM

Hello can someone please help me.

 

After i connect endpoint to switch i get the guest portal and login aswel but i am not able to get access after.

 

Please help.

 

Thanks

Overview
Event 5417 Dynamic Authorization failed
Username
Endpoint Id 70:5A:0F:2A:47:DE
Endpoint Profile
Authorization Result

Authentication Details
Source Timestamp 2020-11-19 11:06:47.095
Received Timestamp 2020-11-19 11:06:47.095
Policy Server -ISE-PAN
Event 5417 Dynamic Authorization failed
Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause No response received from Network Access Device after sending a Dynamic Authorization request
Endpoint Id 70:5A:0F:2A:47:DE
Calling Station Id 70-5A-0F-2A-47-DE
Audit Session Id 0AC8D064000000710F6EB827
Network Device Test
Device Type All Device Types#Wired
Location All Locations#-HQ
NAS IPv4 Address 10.200.208.100
Response Time 10009 milliseconds

Other Attributes
ConfigVersionId 352
RadiusPacketType CoARequest
Event-Timestamp 1605783997
Device CoA type Cisco CoA
Device CoA port 1700
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID 94718cc4-1143-403c-a92f-4e9afcb92592
StepLatency 3=10008
CoASourceComponent GUEST
CoAReason Guest authenticated for network access
CoAType Reauthentication - last
Network Device Profile Cisco
Location Location#All Locations#-HQ
Device Type Device Type#All Device Types#Wired
IPSEC IPSEC#Is IPSEC Device#No
Device IP Address 10.200.208.100
CiscoAVPair subscriber:command=reauthenticate,
subscriber:reauthenticate-type=last,
audit-session-id=0AC8D064000000710F6EB827

Session Events

Steps
11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )
11104 RADIUS-Client request timeout expired ( [step latency=10008 ms] Step latency=10008 ms)
11213 No response received from Network Access Device after sending a Dynamic Authorization req

 

guest12345.png

1 person had this problem
0 Helpful
3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

‎11-19-2020 08:20 AM

Do you have ISE properly configured as a Dynamic Author on your switch? Are there any firewalls in between possibly blocking coa port UDP 1700?  Have you ran any debugs on switch?

debug aaa coa

0 Helpful

Tutu
Level 1
Level 1
In response to Mike.Cifelli

‎11-20-2020 02:54 AM

Hello yes i do have Dynamic Author configured.

No firewalls in between blocking port.

 

aaa server radius dynamic-author
client 10.200.222.82 server-key cisco1234

 

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni

‎11-20-2020 05:41 AM

My suggestion would be to run a tcpdump in ISE, and run two debugs on the switch which should aide in shedding light on the issue.

debug aaa coa

debug radius

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card