I am getting Change of Authorization (CoA) Failed. I am getting this on all the switches configured for ISE.
ISE Version : 2.1.0.474
Switch    Version       ROM
C4506-E   03.06.03.E    15.0(1r)SG10
C6509-E   12.2(33)SXJ1  12.2(17r)SX5
Our endpoints are both 802.1x and non-802.1x. The endpoints with MAB are successfully authenticated, but the problem is that the CoA is not working so that the ISE can identify the AD username.
We are using EasyConnect (PassiveID)
Please see below
Dynamic Authorization Failed for Device
image - CoA Warning.png
I have gone through the suggested actions.
CoA type on the ISE is set to Reauth
image- CoA type
ISE is connected to DC
image - ISE-connected-DC.png
image - ISE-join-DC
Configured CoA on both switches
aaa server radius dynamic-author
 client XX.XX.XX.XX server-key passkey
 client XX.XX.XX.XX server-key passkey
 server-key passkey
Evaluate Configuration Validator on the C6509 switch. As you can see below, "radius-server vsa send accounting" and "radius-server vsa send authentication" are configured.
image- C6509
But the C4506 has the same configuration as the above switch, yet the Evaluate Configuration Validator complains about these commands.
image - C4506
aaa group server radius ISE-Group
 server name ISE-1
 server name ISE-2
radius server ISE-1
 address ipv4 XX.XX.XX.XX auth-port 1812 acct-port 1813
 key PASSKEY
!
radius server ISE-2
 address ipv4 XX.XX.XX.XX auth-port 1812 acct-port 1813
 key Passkey
!
Can you please help? I can send you the authorization and authentication policy set if that can help.
Best Regards,
Tokunboh Lapite (Toks)