Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ISE - Periodic Dynamic Auth Failures

I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoANAK and the error cause is 200. In the steps it's showing:

11204 Received reauthenticate request

11220 Prepared the reauthenticate request

11100 RADIUS-Client about to send request

11101 RADIUS-Client received response

Which shows successful communications between ISE and the NAD. When I look at the logs for Radius Authentication for one of the hosts I see it pass MAB with one session ID then Dynamic Auth CoA Fail then pass dot1x with a different session ID.

I was reading up on the Dynamic Auth RFC (http://tools.ietf.org/html/rfc5176) and in Section 3.5 it states:

"Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."

Am I missing something here? Is anyone else having this issue?

Everyone's tags (2)
4 REPLIES

ISE - Periodic Dynamic Auth Failures

Is this for wireless or wired or both?

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Community Member

ISE - Periodic Dynamic Auth Failures

Wired.

ISE - Periodic Dynamic Auth Failures

Do you have non Cisco phones that the clients connect to? Also what version and platform is the wired switch? Also can you post the running config of the port that you traced this back to?

If you issue a "show authentication session interface xxx" do you see multiple aaa-session-id for the same user?

You should be able to run a few debugs around the COA process and please make sure that the radius shared secret is the same as the server-key under the client settings for the "aaa server radius dynamic-author" configuration section.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Community Member

ISE - Periodic Dynamic Auth Failures

All Cisco Phones. Switches are 4510's running 03.02.03

Here's a sample port config:

!

interface GigabitEthernetX/X/X

switchport access vlan XX

switchport mode access

switchport voice vlan XX

srr-queue bandwidth share 10 10 60 20

queue-set 2

priority-queue out

authentication event fail action next-method

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

mab

mls qos trust device cisco-phone

mls qos trust cos

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

spanning-tree guard root

service-policy input AutoQoS-Police-CiscoPhone

end

!

No I don't see multiple session id's for the same user. We are using EAP-TLS and cert auth.

Server keys are good. I've debugged a couple of these. Only thing I could find was the session ID is different between mab and dot1x.

492
Views
0
Helpful
4
Replies
CreatePlease to create content