
Dynamic Authorization failed - COA centralized web authentication

I configured centralized web authentication with users in Active Directory. The problem is CoA, but it is enabled in the ISE and WLC.

CoA Problem:

 

WLC :

 

(Cisco Controller) >show radius rfc3576 statistics
RFC-3576 Servers:

Server Index..................................... 1
Server Address................................... 192.168.73.210
Disconnect-Requests.............................. 0
COA-Requests..................................... 0
Retransmitted Requests........................... 0
Malformed Requests............................... 0
Bad Authenticator Requests....................... 0
Other Drops...................................... 0
Sent Disconnect-Ack.............................. 0
Sent Disconnect-Nak.............................. 0
Sent CoA-Ack..................................... 0
Sent CoA-Nak..................................... 0
Server Index..................................... 2


KevinMuller
Level 1

I have exactly the same problem. In your logging, do you also have this kind of message:

*radiusCoASupportTransportThread: Apr 17 14:23:38.060: #AAA-3-COA_WRONG_NAS_IP: radiusCoAsupport.c:1023 Received IP address[xx.xx.xx.xx] for CoA Packet.

I have tried a lot of different configurations but nothing works; I have to do a "Session reauthentication" manually in the live sessions page.

Venkatesh Attuluri
Cisco Employee

 

Check the following discussions:

https://supportforums.cisco.com/discussion/11679106/ise-dynamic-authorization-failed

https://supportforums.cisco.com/discussion/11602806/dynamic-authorization-failed

Thanks for your help, but I have already seen these, for my part.

If gustavoponce has the same problem as I have, manual reauthentication works fine, so I don't think it's a network issue; I'm thinking more of a parameter missing in WLC and/or ISE.

Thanks everyone, but I could not solve it.

The scenario is as follows:

I configured an SSID, CAMPUS, in a university with centralized web authentication. When an Active Directory user (a student) logs in, they will be redirected to VLAN 101, and a guest user to VLAN 102. The authentication is good (ISE log, image above), but I think the Guest flow is not working because the web authentication page appears again after login.

*AD/guest sequence for Guest Portal Authentication.

In the WLC, NAC state: Radius NAC, Allow AAA override, and RFC 3576 is enabled in ISE (reauth) and WLC. The versions are: ISE 1.2 patch 7 and WLC 7.4.121.

 

I'm having this problem as well, were you able to solve it eventually?

Don't use the service interface.  Use the management interface.
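
Added example, not part of any post in this thread and not Cisco code: a small Python parser for the `show radius rfc3576 statistics` output quoted in the question. It reports, per server, whether the WLC has counted any CoA or Disconnect request; the function names and the triage wording are assumptions made for this example.

```python
import re

# Output copied from the question above; the page cuts off after "Server Index 2".
SAMPLE = """\
RFC-3576 Servers:
Server Index..................................... 1
Server Address................................... 192.168.73.210
Disconnect-Requests.............................. 0
COA-Requests..................................... 0
Retransmitted Requests........................... 0
Malformed Requests............................... 0
Bad Authenticator Requests....................... 0
Other Drops...................................... 0
Sent Disconnect-Ack.............................. 0
Sent Disconnect-Nak.............................. 0
Sent CoA-Ack..................................... 0
Sent CoA-Nak..................................... 0
Server Index..................................... 2
"""

# "Name......... value": a label, a run of dots, then one value token.
LINE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<val>\S+)\s*$")
# Counters that mean a request reached the WLC but was not accepted.
DROPS = ("Malformed Requests", "Bad Authenticator Requests", "Other Drops",
         "Sent CoA-Nak", "Sent Disconnect-Nak")

def parse_rfc3576_stats(text):
    """Split the CLI output into one dict per 'Server Index' block."""
    servers = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt, header or blank line
        key, val = m.group("key").strip(), m.group("val")
        if key == "Server Index":
            servers.append({"Server Index": int(val)})
        elif servers:
            servers[-1][key] = int(val) if val.isdigit() else val
    return servers

def triage(server):
    """Return a short finding for one server block (wording is this example's own)."""
    if "COA-Requests" not in server:
        return "incomplete block"
    if any(server.get(k, 0) for k in DROPS):
        return "requests arrive but are dropped or refused"
    if server["COA-Requests"] + server.get("Disconnect-Requests", 0) == 0:
        return "no CoA or Disconnect request counted from this server"
    return "requests counted with no drops or Naks"
```

For the output in the question, server 1 comes back as "no CoA or Disconnect request counted from this server", so the WLC has counted nothing from 192.168.73.210 at all.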