Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE CWA with COA not work on 3750X.

Hello.

I use ISE version 1.2.0.899 this patch number 4. I configure Central Web Auth for wired client.  In first time client open web brouser, and ISE redirect him to guest portal. User input correct credentionals, and after that switch ignor CoA packet. In ISE logs  "5417 Dynamic Authorization failed". If I use domain computer, authentification succecful whis use dot1x.  All on Port g1/0/1. I use 3750X this version IOS 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of this version ios I have this mistake.

Config:


3750X-ISE# sh running-config

Building configuration...

Current configuration : 9575 bytes

!

! No configuration change since last restart

! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname 3750X-ISE

!

boot-start-marker

boot-end-marker

!

!

!

username admin privilege 15 secret 5 ----

username radius-test secret 5 -----

aaa new-model

!

!

aaa group server radius end

!

aaa group server radius ise

server name ise3

server name ise4

!

aaa authentication login default local

aaa authentication login CON none

aaa authentication enable default none

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa authorization network ise group radius

aaa accounting dot1x default start-stop group radius

!

!

!

!

!

aaa server radius dynamic-author

client 192.168.102.53 server-key P@ssw0rd

client 192.168.102.54 server-key P@ssw0rd

client 192.168.102.51 server-key P@ssw0rd

client 192.168.102.52 server-key P@ssw0rd

server-key P@ssw0rd

!

aaa session-id common

clock timezone GMT 0 0

switch 1 provision ws-c3750x-24p

system mtu routing 1500

ip routing

!

!

ip dhcp snooping vlan 701-710

ip dhcp snooping

ip domain-name com.ru

ip device tracking

vtp mode transparent

!

!

device-sensor filter-list dhcp list DHCP-LIST

option name host-name

option name default-tcp-ttl

option name requested-address

option name parameter-request-list

option name class-identifier

option name client-identifier

option name client-fqdn

!

device-sensor filter-list cdp list CDP-LIST

tlv name device-name

tlv name address-type

tlv name version-type

tlv name platform-type

tlv name power-type

tlv name external-port-id-type

device-sensor filter-spec dhcp include list DHCP-LIST

device-sensor filter-spec cdp include list CDP-LIST

device-sensor accounting

device-sensor notify all-changes

!

license boot level ipservices

!

!

!

dot1x system-auth-control

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

!

!

!

!

!

!

!

!

vlan internal allocation policy ascending

!

!

vlan 102

!

vlan 701

name ISE-network1

!

!

lldp run

!

!

!

!

!

!

!

!

!

!

no macro auto monitor

!

interface FastEthernet0

no ip address

no ip route-cache

shutdown

!

interface GigabitEthernet1/0/1

switchport access vlan 701

switchport mode access

switchport nonegotiate

authentication event fail action next-method

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

spanning-tree portfast

!

interface Vlan102

ip address 192.168.102.60 255.255.255.0

!

interface Vlan701

ip address 192.168.107.1 255.255.255.240

ip helper-address 192.168.102.50

ip helper-address 192.168.102.53

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.102.1

!

ip access-list extended ACL-WEBAUTH-REDIRECT

deny   udp any any eq domain

deny   tcp any host 192.168.102.51

deny   tcp any host 192.168.102.52

deny   tcp any host 192.168.102.53

deny   tcp any host 192.168.102.54

permit tcp any any eq www

permit tcp any any eq 443

!

!

!

snmp-server community test RO

snmp-server community test2 RW

snmp-server trap-source Vlan102

snmp-server source-interface informs Vlan102

snmp-server enable traps snmp linkdown linkup

snmp-server enable traps mac-notification change move

snmp-server host 192.168.102.53 version 2c test2

!

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3

radius-server host 192.168.102.53 auth-port 1812 acct-port 1813

radius-server host 192.168.102.54 auth-port 1812 acct-port 1813

radius-server host 192.168.102.54 key P@ssw0rd

radius-server host 192.168.102.53 pac key P@ssw0rd

radius-server key P@ssw0rd

!

!

!

line con 0

login authentication CON

line vty 0 4

exec-timeout 60 0

line vty 5 15

exec-timeout 60 0

!

ntp master 5

ntp server 198.123.30.132 prefer

mac address-table notification change

mac address-table notification mac-move

end

Please, help me.

2 REPLIES

Use these Cisco IOS commands

Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:

debug radius

debug aaa coa

debug aaa pod

debug aaa subsys

debug cmdhd [detail | error | events]

show aaa attributes protocol radius

Silver

you need to check yo

you need to check your authentication and authorization policy .For reference check Cisco how to guide for the step by step deployment

744
Views
0
Helpful
2
Replies