CoA issues between ISE and 3750x

Glnc66inc · ‎02-28-2013

We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)

When the radius sends a reauthentication CoA message to the switch, the switch responds with a 'session contect not found' reply. I have upgraded the code to the latest levels on both the ise and switch and still have the same resultts.

This reauthenticate is needed after the NAC profiler determines the pc is complient. I am receiving the complient message from the pc and switch, but becuase the switch never reauthentices the client after the CoA request, the client is never granted full access.

I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.

Please Help...!!!!!

-Debug --

Log Buffer (10000 bytes):

Feb 28 19:34:21.940 UTC: RADIUS: COA received from id 38 10.122.1.82:40171, CoA Request, len 140

Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued

Feb 28 19:34:21.940 UTC: RADIUS: authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50

Feb 28 19:34:21.948 UTC: RADIUS: NAS-IP-Address [4] 6 10.122.1.66

Feb 28 19:34:21.948 UTC: RADIUS: Event-Timestamp [55] 6 1362080061

Feb 28 19:34:21.948 UTC: RADIUS: Message-Authenticato[80] 18

Feb 28 19:34:21.948 UTC: RADIUS: BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4 [ *c"~]

Feb 28 19:34:21.948 UTC: RADIUS: Vendor, Cisco [26] 41

Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 35 "subscriber:command=reauthenticate"

Feb 28 19:34:21.948 UTC: RADIUS: Vendor, Cisco [26] 49

Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A7A014200000272048AF0F1"

Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed

Feb 28 19:34:21.948 UTC: ++++++ CoA Attribute List ++++++

Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66

Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)

Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1

Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32

Feb 28 19:34:21.948 UTC:

Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed

Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid

Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending

Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62

Feb 28 19:34:21.957 UTC: RADIUS: authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4

Feb 28 19:34:21.957 UTC: RADIUS: Reply-Message [18] 18

Feb 28 19:34:21.957 UTC: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]

Feb 28 19:34:21.957 UTC: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]

Feb 28 19:34:21.957 UTC: RADIUS: Message-Authenticato[80] 18

Feb 28 19:34:21.957 UTC: RADIUS: 30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61 [ 0R.TK(1a]

ESWHQFL02-S#

-- Switch Config -

aaa authentication login default group tacacs+ local-case

aaa authentication login local_login local

aaa authentication enable default group tacacs+ enable

aaa authentication dot1x default group radius

aaa authorization exec default group tacacs+ local

aaa authorization commands 5 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa authorization network default group radius

aaa authorization network auth-list group DOT1X

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 5 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

!

aaa server radius dynamic-author

client 10.122.1.82 server-key 7 14141B180F0B

client 10.122.1.80 server-key 7 045802150C2E

!

aaa session-id common

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803

radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618

radius-server deadtime 5

radius-server key 7 030752180500

radius-server vsa send accounting

radius-server vsa send authentication

nspasov · ‎03-01-2013

What version of code are you running on both ISE and the NAD?

Glnc66inc · ‎03-01-2013

cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)

We have the fix for this...

We had to downgrade to 12.2.(55)se7 on the 3750 and allow radius attribute 25 on the switch config.

..

radius-server attribute 25 access-request include

..

CoA is now functioning properly...

nspasov · ‎03-01-2013

I was suspecting that the version of code could be the problem Also, you can always use ISE's "Evaluate ConfigurationValidator" which can be found under "Operations > Diagnostic Tools." It is not 100% cross platform accurate but it definitely helps catching small things that you missed.

In either case, good job on finding the solution and posting back here! (+5 from me).

If your issue is resolved please mark the thread as "answered"

Luis Rueda · ‎03-07-2013

Upgrade the IOS on the Catalyst 3750, we were having the same problem here and it was solved by upgrading to

Version 15.0(2)SE2.

Hope that helps.

Luis

vikasyad · ‎03-09-2013

As per the cisco recommendation IOSv12.2(52)SE is suitable for Catalyst 3750-X which will support all the features without any issues like MAB,802.1X,CWA,LWA,COA,VLAN,DACL,SAG as mentioned in the link below:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.

I see you are using IOSv12.2(58)SE2,which is not recommended.So you can downgrade to IOSv12.2(52)SE which will solve your issues.