
Change of Authorization issue in ISE

tlapite77
Level 1

 

I am getting Change of Authorization (CoA) Failed. I am getting this on all the switches configured for ISE.

 

ISE Version : 2.1.0.474

 

Switch     Version        ROM
C4506-E    03.06.03.E     15.0(1r)SG10
C6509-E    12.2(33)SXJ1   12.2(17r)SX5

 

Our endpoints are both 802.1X and non-802.1X. The endpoints with MAB are successfully authenticated, but the problem is that the CoA is not working so that ISE can identify the AD username.

 

We are using EasyConnect (PassiveID)

 

 

Please see below

 

 Dynamic Authorization Failed for Device

image - CoA Warning.png

I have gone through the suggested actions.

 

CoA type on the ISE is set to Reauth

 

image- CoA type

ISE is connected to DC

image - ISE-connected-DC.png

image - ISE-join-DC

 

Configured CoA on both switches

 

aaa server radius dynamic-author
 client XX.XX.XX.XX server-key passkey
 client XX.XX.XX.XX server-key passkey
 server-key passkey

 

Evaluate Configuration Validator on the C6509 switch. As you can see below, “radius-server vsa send accounting” and “radius-server vsa send authentication” are configured.

 

 image- C6509

But the C4506 has the same configuration as the above switch, yet the Evaluate Configuration Validator complains about these commands.

 image - C4506

 

aaa group server radius ISE-Group
 server name ISE-1
 server name ISE-2

radius server ISE-1
 address ipv4 XX.XX.XX.XX auth-port 1812 acct-port 1813
 key PASSKEY
!
radius server ISE-2
 address ipv4 XX.XX.XX.XX auth-port 1812 acct-port 1813
 key Passkey
!

 

Can you please help? I can send you the authorization and authentication policy set if that can help.

 

 

 

Best Regards,

 

Tokunboh Lapite (Toks)
