I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoANAK and the error cause is 200. In the steps it's showing:
11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request
11101 RADIUS-Client received response
Which shows successful communications between ISE and the NAD. When I look at the logs for RADIUS Authentication for one of the hosts, I see it pass MAB with one session ID, then Dynamic Auth CoA Fail, then pass dot1x with a different session ID.
Do you have non-Cisco phones that the clients connect to? Also what version and platform is the wired switch? Also can you post the running config of the port that you traced this back to?
If you issue a "show authentication session interface xxx" do you see multiple aaa-session-id for the same user?
You should be able to run a few debugs around the CoA process, and please make sure that the RADIUS shared secret is the same as the server-key under the client settings for the "aaa server radius dynamic-author" configuration section.
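
The shared-secret comparison suggested in the reply above can also be done offline against a captured CoA exchange. The following Python is an added example, not part of the original thread or any Cisco code; it follows the RFC 5176 authenticator calculation, and the keys, packets and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_NAK = 43, 45   # RFC 5176 packet codes
ERROR_CAUSE = 101               # RFC 5176 Error-Cause attribute type

def build_packet(code, ident, seed, attrs, secret):
    """Build a sample packet: authenticator = MD5(header + seed + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + seed + attrs + secret).digest()
    return header + digest + attrs

def request_authenticator_ok(packet, secret):
    """CoA-Request: the hash is taken with 16 zero octets in the authenticator field."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

def response_authenticator_ok(response, request, secret):
    """CoA-ACK/NAK: the request's authenticator replaces the zero octets."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

def error_cause(packet):
    """Walk the type-length-value attributes and return the Error-Cause integer, if any."""
    pos = 20
    end = min(len(packet), struct.unpack("!H", packet[2:4])[0])
    while pos + 2 <= end:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break  # malformed attribute, stop parsing
        if attr_type == ERROR_CAUSE and attr_len == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return None

# Constructed sample data: keys and packets are made up for this example.
ISE_SECRET = b"ise-side-secret"        # secret configured for the NAD in ISE
SWITCH_KEY = b"switch-server-key"      # server-key under dynamic-author on the switch
nas_ip = bytes([4, 6, 10, 0, 0, 1])    # NAS-IP-Address attribute, 10.0.0.1
REQUEST = build_packet(COA_REQUEST, 7, bytes(16), nas_ip, ISE_SECRET)
nak_attrs = bytes([ERROR_CAUSE, 6]) + struct.pack("!I", 200)  # error cause from the post
NAK = build_packet(COA_NAK, 7, REQUEST[4:20], nak_attrs, ISE_SECRET)
```

A captured request that fails `request_authenticator_ok` with the key configured on the switch indicates the two sides are not using the same secret.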