Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC

Similar Messages

• ISE Alarm (WARNING): Dynamic Authorization Failed for Device

  Hi all,
  I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
  I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
  About once a day i get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
  The device it is reffering to is my NAD, a WLC 5508 running 7.2.111.3
  I have looked at the logs and I cannot see anything in the logs which correcponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
  Can someone suggest the components and the logging level that I should set to get some more detail about this error?
  At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
  I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
  I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
  Can anyone help?
  thanks
  Mario

  Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
  Secondly, this error happen a lot, especially with Wireless, and it's not worth worrying about.  I've had a couple of TAC cases opened for this and some similar errors, generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
  Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't.

• ISE: Dynamic Authorization Failed

  Hi,
  I am gettning warning messages in ISE saying
  Cause:
  Dynamic Authorization Failed for Device: 0002SWC003 (switch)
  Details:
  Dynamic Authorization Failed
  It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1.
  My end devices are none-802.1x.
  I can't figure out what is causing this error.
  The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other then that everying is beeing Authorized fine.
  Anyone got an idea what could be causing this error?
  Regards,
  Philip

  This is what I have found out.. Using ISE Version 1.1.1.268. If you go the logs page
  Jan 10,13 7:39:12.147 AM
  Dynamic Authorization failed
  and then go to the details...
  Failure Reason > Authentication Failure Code Lookup
  Failure Reason :
  11213 No response received from Network Access Device
  Generated on:January 10, 2013 8:08:17 AM PST
  Description
  No response received from Network Access Device.
  Resolution Steps
  Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
  ...next check into Resolution Steps...

• 5417 Dynamic Authorization failed

  Hi guys,
  Does anyone meet this Radius Error in Cisco ISE 1.2 and the switch 2960 12.2(55)SE7 ?
  When i reauthentication the guest profile to the other profile using Radius CoA on the Self-Service Guest Workflow.
  The error is :
  Event
  5417 Dynamic Authorization failed
  Failure Reason
  11103 RADIUS-Client encountered error during processing flow
  Resolution
  Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
  Root cause
  RADIUS-Client encountered an error during processing flow
  I checked all the resolution steps but the error sitll exsit.
  I would greatly appreciate any help you can give me in working this problem

  An internal error has been detected during the processing of an incoming RADIUS packet. Make sure that the client device is compatible with AD Agent, has been configured properly, and is functioning properly. Make sure that the same RADIUS shared secret has been properly configured, both in the client device and in AD Agent.
  http://www.cisco.com/c/en/us/td/docs/security/ibf/setup_guide/ad_agent_setup_guide/ibf10_log_msgs.html

• Dynamic Authorization Failed: DiconnectNAK

  I have WLC 7.6 and ISE 1.2 Patch 6.
  My use case is WLAN Guest Access with CWA. I have ISE Appliance 3395 (2 Admin/Mon, 2 PSN). Everything work fine so far.
  But from time to time I get these strange message (it does not matter if I do a manual Session termination in the Operations Tab) Everything is configured in the right way, since normal CWA works (CoA is working fine, but not always...).
  Here the corresponding Log-Entry:
  0000001241 2 0 2014-02-28 11:11:37.241 +01:00 0000106595 5417 NOTICE Dynamic-Authorization: Dynamic Authorization failed, ConfigVersionId=53, Device IP Address=a.b.c.d, Device Port=42121, DestinationIPAddress=a.b.c.d, DestinationPort=1700, RadiusPacketType=DisconnectRequest, Protocol=Radius, RequestLatency=3, NetworkDeviceName=xx-WLC01, NAS-IP-Address=172.16.226.26, Calling-Station-ID=1C:AB:A7:96:7B:99, Acct-Session-Id=53105c2a/1c:ab:a7:96:7b:99/336136, Acct-Terminate-Cause=Admin Reset, Event-Timestamp=1393582297, cisco-av-pair=audit-session-id=ac10e21a00052f6953105f07, AcsSessionID=ise-04/182359788/9392, Step=11044, Step=11017, Step=11100, Step=11101, Step=11048, NetworkDeviceGroups=Location#All Locations#xx_VPN, NetworkDeviceGroups=Device Type#All Device Types#Wireless Devices#WLC Foreign, CPMSessionID=ac10e21a00052f6953105f07, EndPointMACAddress=1C-AB-A7-96-7B-99, Location=Location#All Locations#xx_VPN,
  Has anybody ever had the same expirence, or is this a know issue?
  Thanks for feedback!

  Please go through the link below for best practice.
  http://www.redelijkheid.com/blog/2013/4/2/cisco-ise-change-of-authorization-coa-not-working

• Dynamic Authorization Failed

  hi
  I keep getting error meesages on the ISE in regards to RADIUS
  the error is
  Dynamic Authorization failed : 1213 No response received from Network Access Device
  i am using ISE version 1.1.1 and the NAD is a WLC running version 7.0.98.0
  i use ISE to authenticate users via PEAP. I deleted the NAD and re-added it twice but i still keep getting this issue. this set up was working fine for the last few weeks.
  i dont think location and device type would cause an issue to authentication under the NAD list
  anyone have any ideas?

  the option i.e drop down box wasnt there. lookin at the compatibility chart of ISE 1.1.1 and WLC, minimum version for WLC is 7.2.103.0
  Do you need to have RADIUS NAC enabled if the ISE is only used to authenticate corporate wireless users against AD. there is no CoA,
  the other function is to use RADIUS as network management logon. to WLC using the AD. depending on the AD group , one could get priv 15 or priv 5 access. i am also using device attribute by location so that remote offices network enigineer cannot log onto the WLC. i.e i created a NAD , put it in a location and use that location AND the AD group to qualify for priv 15 access.
  Coudl this policy interrupt the wireless RADIUS policy? Wireless policy is at the top of the list under authorization tab.

• ISE 1.2 - Dynamic Authorization Failed

  Hello!
  In my design network I use the ISE for CWA with a WLC, but when a client entrer his credentials, the CoA failed with this error : "11213 No response received from Network Access Device after sending a Dynamic Authorization request"
  This error is really strange because I can contact the ISE from the WLC. My ISE, and my broadcasted network are in the same VLAN, is it possible that this error come from this network architecture?
  My is is patched with the cumulative patch 7 and for information, I can do a "manual CoA" by disconnect/reconnect the client manually and after that the client has a network access.
  Used configuration for ISE and WLC : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  Thanks in advance if you have the least clue to resolve this issue.
  Kévin

  I will perform some additional testing and let you know my results.  I have this setup in the lab now with ISE 1.2 Patch 7 as well.... Since I only have a couple of PC's in the lab, I've noticed that I am unable to terminate the users session manually.  So I usually end up stopping and restarting the services. This is how i clear my live sessions.
  Is your setup in a Lab or Production?  If its in a lab can you restart ISE and your WLC.   I know when I first did my "debug client <mac>" My airespace ACL was showing the incorrect ACL ID.  After a reboot of ISE and recreating my WLC ACL it went away.   I haven't noticed my service IP ever showing up in ISE.  I usually see the users MAC address then a [email protected] "User Authentication" with his IP.  Next its the WLC MNGT Interface and finally the User Authorization again show Authz Internet-Only.
  My lab does not always function 100% so I am hoping after we go Live this weekend,  these flaky issues go away.  One of my problems is I don't have internet access.  Just a web server hosting a web page. I'll keep notes on anything I find that hopefully assist you.

• LWA guest portal ISE & 4400 7.0.x

  Has anyone managed to guest LWA working with ISE for wireless guest portal access?  Examples seem to skip bits and I can't find anyone that has managed to get it working.  I have Cisco 4400 WLCs running latest 7.0 code and ISE 1.1.2.
  All guest portal examples seem to be CWA which only works on 7.2 code.
  Am I without hope getting this working on 7.0 code?

  We got LWA guest portal to work between ISE & 4400 7.0, before we migrated to CWA w/ a 5508.
  Can't remember exactly which documents we used, but your best bet is the TrustSec 2.0 (not 2.1) guide:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
  and the WLC example:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml
  Keep in mind if you use LWA, you'll need two SSL certs - one on WLC, and one on ISE.
  With CWA, only one cert is needed on ISE.

• ISE, guest portal on WLC

  Hi,
  Currently we have wireless guest login through a guest portal in the WLC. Is it possible to implement ISE and keep the guest portal in the WLC?
  Example:
  User connects to a SSID with an laptop. That laptop is profiled as not belogning to the company network and is then redirected to the WLC guest portal.
  All the guides I find is about having the guest portal in the ISE.
  Regards
  Philip

  You can use LWA for this . he WLC redirects  the HTTP traffic to an internal or external server where the user is prompted to  authenticate. The WLC then fetches the credentials (sent back via an HTTP GET  request in the case of external server) and makes a RADIUS authentication. In  the case of a guest user, an external server (such as Identity Service Engine  (ISE) or NAC Guest Server (NGS)) is required as the portal provides features  such as device registering and self-provisioning.
  Refer to the following link for  configuration  example
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE 1.2 not logging failed authentications on guest portal (CWA)

  Hi there
  I think this is a bug but wanted to check, if someone knows a good reason why failed authentication attemps with non-existing user account are not logged on ISE 1.2 (CWA).
  The different cases:
  Case 1: existing user / wrong password -> logged
  Case 2: no user / any password -> logged
  Case 3: no user / no password -> logged
  Case 4: non-existing user / any password -> not logged
  In my opinion this is a critical case to be logged because this could be an indicator of a DoS attack or a password penetration test.
  Thanks in advance and best regards
  Dominic

  Hi vatullu
  thanks man, you helped me a lot.
  Regards
  Dominic

• Cisco ISE 1.2 Guest Portal customization with vWLC redirect

  Hello Support Community,
  we have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use default guest portal on https://x.x.x.x:8443/guestportal/Login.action authentication and authorization works fine. When we do redirect to Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html customized login page is displayed and after correct authentication guest successful page is displayed but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to customized login site. Virtual Wireless Controller shows client aus "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from WLC. Are there any known issues regarding customization template or is there something wrong regarding our redirect?
  I hope somebody can help us.
  Best Regards
  Benjamin

  Hello Neno,
  1. I attached screenshots below.
  2. There is nothing related to this client.
  3. I attached Debug below.
  We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
  If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
  CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
  Best Regards
  Benjamin

• ISE Guest portal digital public certificate with dual deployment

  I have a deployment of ISe which has a primary and secondary node.  We are using ISE for Guest web access and it's Guest portal functionality.
  I have installed a public VeriSign certificate onto the primary node so that guest users don't certificate errors when they get redirected to the guest portal.
  We have a DNS server with an entty for the guest portal URL e.g. guest.company.com with the IP adresses of both ISE servers.
  When users are loggin onto the guest wireless it is pot luck whether or not they get the primary ISE node because of the DNS round robin of the ISE IP addresses.
  Is there anyway to make the secondary ISE node use the Verisign certificate as well or do I need to buy another certificate which is linked to the secondary ISE nodes FQDN?
  (the certificate I have currently has a CN of the FQDN of the primary ISE server with subject alternative names of the secondary ISE node and the guest web redirect URL).
  Any help would very much be appreciated.
  thanks
  Craig

  Hi Craig,
  Please check the below link with a similar prob,  might help.
  https://supportforums.cisco.com/thread/2161878

• ISE - sponsor guest portal with smartcard authentication

  Team, any support for sponsor guest portal authentication with the smartcard?
  If not then can someone plese create feature request to Cisco, smartcards are being rolled out more and more.
  Bilal

  We've got it working in our agency.  It's front ended by an 5540 ASA that sends the users attributes to ISE and then loops ISE to authenticate via AD. I've got a pretty sweet write up on it from our advanced services rep.  The guys are legit when it comes to work around and I just finished testing this with ISE 1.3. If you guys are interested I'll attach it tomorrow. 
  Attached configuration guide.   Note for 1.3 the Sponsor Group Policy has been removed.  Just make sure the Sponsor Group is configured and add the store to locate the user.  In our case its AD.
  If you have questions just PM me and Ill be glad to assist.
  -Ryan 

• ISE 1.3 Sponsored Guest Portal Login Failure

  Hello Team,
  Ive created a guest account in the sponsor portal for a test guest user, however the state remains in "created" state.
  Now when the user tries to log on via the sponsored guest portal the error back is "invalid username or password".
  In ISE logs it says :
  Overview
  Event
  5418 Guest Authentication Failed
  Username
  bnawaz01 
  Endpoint Id
  Endpoint Profile
  Authorization Result
  Actions
  Troubleshoot Authentication
  View Diagnostic Messages
  Audit Network Device Configuration
  View Network Device Configuration
  View Server Configuration Changes
  -->Authentication Details
  Source Timestamp
  2014-12-24 08:49:05.551
  Received Timestamp
  2014-12-24 08:49:05.553
  Policy Server
  DC1-ISE-DMZ01
  Event
  5418 Guest Authentication Failed
  Failure Reason
  Account is not yet active.
  Resolution
  Root cause
  Username
  bnawaz01
  User Type
  GuestUser
  Endpoint Id
  Endpoint Profile
  IP Address
  Authentication Identity Store
  Guest Users
  Identity Group
  GuestType_Contractor (default)
  Audit Session Id
  Authentication Method
  PAP_ASCII
  Authentication Protocol
  PAP_ASCII
  Service Type
  Network Device
  Device Type
  Location
  NAS IP Address
  NAS Port Id
  NAS Port Type
  Authorization Profile
  Posture Status
  Security Group
  Response Time 
  Any ideas why this might be, if im doing something wrong and how to fix?
  Thank you
  Bilal

  I have had the same issue, the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts wont become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration
  To resolve this create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group
  One other problem is if you do not remove this at initial configuration you don't seem to be able to get rid of UTC, not really an issue unless you forget when creating new sponsor groups

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success