Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1807
Views
0
Helpful
2
Replies

ISE CWA with COA not work on 3750X.

Alexey Leontiev
Level 1
Level 1

‎12-20-2013 07:26 AM - edited ‎03-10-2019 09:12 PM

Hello.

I use ISE version 1.2.0.899 this patch number 4. I configure Central Web Auth for wired client.  In first time client open web brouser, and ISE redirect him to guest portal. User input correct credentionals, and after that switch ignor CoA packet. In ISE logs  "5417 Dynamic Authorization failed". If I use domain computer, authentification succecful whis use dot1x.  All on Port g1/0/1. I use 3750X this version IOS 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of this version ios I have this mistake.

Config:


3750X-ISE# sh running-config
Building configuration...
Current configuration : 9575 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3750X-ISE
!
boot-start-marker
boot-end-marker
!
!
!
username admin privilege 15 secret 5 ----
username radius-test secret 5 -----
aaa new-model
!
!
aaa group server radius end
!
aaa group server radius ise
 server name ise3
 server name ise4
!
aaa authentication login default local
aaa authentication login CON none
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network ise group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.102.53 server-key P@ssw0rd
 client 192.168.102.54 server-key P@ssw0rd
 client 192.168.102.51 server-key P@ssw0rd
 client 192.168.102.52 server-key P@ssw0rd
 server-key P@ssw0rd
!
aaa session-id common
clock timezone GMT 0 0
switch 1 provision ws-c3750x-24p
system mtu routing 1500
ip routing
!
!
ip dhcp snooping vlan 701-710
ip dhcp snooping
ip domain-name com.ru
ip device tracking
vtp mode transparent
!
!
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name default-tcp-ttl
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
 option name client-fqdn
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name version-type
 tlv name platform-type
 tlv name power-type
 tlv name external-port-id-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor accounting
device-sensor notify all-changes
!
license boot level ipservices
!
!
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
vlan 102
!
vlan 701
 name ISE-network1
!
!
lldp run
!
!
!
!
!
!
!
!
!
!
no macro auto monitor
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1
 switchport access vlan 701
 switchport mode access
 switchport nonegotiate
 authentication event fail action next-method
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 spanning-tree portfast
!
interface Vlan102
 ip address 192.168.102.60 255.255.255.0
!
interface Vlan701
 ip address 192.168.107.1 255.255.255.240
 ip helper-address 192.168.102.50
 ip helper-address 192.168.102.53
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.102.1
!
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   tcp any host 192.168.102.51
 deny   tcp any host 192.168.102.52
 deny   tcp any host 192.168.102.53
 deny   tcp any host 192.168.102.54
 permit tcp any any eq www
 permit tcp any any eq 443
!
!
!
snmp-server community test RO
snmp-server community test2 RW
snmp-server trap-source Vlan102
snmp-server source-interface informs Vlan102
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 192.168.102.53 version 2c test2
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.102.53 auth-port 1812 acct-port 1813
radius-server host 192.168.102.54 auth-port 1812 acct-port 1813
radius-server host 192.168.102.54 key P@ssw0rd
radius-server host 192.168.102.53 pac key P@ssw0rd
radius-server key P@ssw0rd
!
!
!
line con 0
 login authentication CON
line vty 0 4
 exec-timeout 60 0
line vty 5 15
 exec-timeout 60 0
!
ntp master 5
ntp server 198.123.30.132 prefer
mac address-table notification change
mac address-table notification mac-move
end

Please, help me.

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Saurav Lodh
Level 7
Level 7

‎04-22-2014 01:45 AM

Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:

debug radius

debug aaa coa

debug aaa pod

debug aaa subsys

debug cmdhd [detail | error | events]

show aaa attributes protocol radius

0 Helpful

kaaftab
Level 4
Level 4

‎04-22-2014 06:43 PM

you need to check your authentication and authorization policy .For reference check Cisco how to guide for the step by step deployment

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents