RADIUS CoA Port Bounce query

Hello
I have a question relating to RADIUS CoA Port Bounce.
I'm planning to deploy 802.1x with ISE 1.3 to:
1. 802.1x authenticate corporate desktop PCs (with AnyConnect client installed for user and machine authentication) - on successful machine authentication, ISE will dynamically assign a VLAN
2. Profile Cisco IP phones
In order for an authenticated corporate desktop to pick up an IP address on its dynamically assigned VLAN I was thinking of using CoA Port Bounce. If this desktop was connecting through a successfully profiled Cisco IP phone, am I right in saying that the resulting Port Bounce will also affect the phone (phone will de-register from callmanager)?
Thanks
Andy

Hi Andy, if you are using PoE then with a port-bounce the phone would definitely drop from the network and Call Manager. The phone would basically power down and then power back up.
Now with that being said, you should keep in mind that a port-bounce would remove the existing dot1x session and a new session would be initialized. Thus, the endpoint would end up starting at the original VLAN again and then getting the new VLAN after authorization :) So I guess what I am trying to say is that port-bounce is not the solution for this. Instead, you should consider:
1. Using dACLs instead of dynamic VLANs. That way you can have everyone in the same VLAN but use different dACLs to define network access
2. Continue to use dynamic VLANs but keep in mind that some "dumb" devices won't detect the VLAN change, thus not grabbing a new IP address. The good news is that most modern devices will detect the VLAN change and should grab a new IP. For instance, you should not have any issues with Windows 7 and newer devices
My recommendation is to go with option #1 though as that has always worked for me. 
I hope this helps!
Thank you for rating helpful posts!

Similar Messages

  • ISE and CoA 'port bounce' on WLC 7.2

    Hi,
    I'm trying to get a VLAN change done with CoA and MAB on a WLC 7.2 but it looks like it doesn't disconnect the client, hence no new DHCP request.
    Everything is working except 'port bounce'. I can see the new VLAN in the controller; if I do an ifconfig /renew on the client it gets the new subnet and everything works as it should. If I remove the endpoint in ISE it swaps the VLAN again on the controller, but no port bounce...
    Is it possible to do this at all?
    Page 244/245 in the Configuration guide - RADIUS NAC - Guidelines and Limitations says:
    VLAN select is not supported
    ISE 1.1.1
    WLC 7.2
    Thanks
    Message was edited by: Mikael Gustafsson

    Hi,
    So in general there is no easy solution to do a VLAN change for guest users on wireless?
    What I'm trying to do is to separate the guest VLAN from the rest of the network.
    Where the user first gets the VLAN with the ISE interface in, with ACL for DNS and guest portal, and DHCP proxy from WLC.
    After authentication he would get the guest VLAN with only DHCP proxy and a default gw at the fw.
    I did try the CoA DHCP option on the guest portal and it's not a good solution: the user needs to interact to accept an applet install, and it's (from what I understand from the UG) only working on Windows (and I didn't get it to work).
    Thanks
    Message was edited by: Mikael Gustafsson

  • RADIUS COA on software version 12.4 using 3845 router

    We are working to provide dynamic bandwidth control by using RADIUS CoA to a 3845 router.
    When we issue the CoA, the 3845 rejects the message with an invalid session id message.
    We are using the following instructions to craft the RADIUS CoA message.
    http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html

    Hi Manuel,
    I have a PPPoE client running directly against the 3845, which terminates the PPPoE. Authentication, authorization and accounting work against FreeRADIUS.
    Next step for us is to manage subscriber connections by sending COA to change service parameters.
    Our system sends RADIUS COA as in below.
    You can find the packet dumps, configuration and Cisco log below.
    Thank you for responding and looking forward to your next response.
    Igor
    *** Example with Shaping ***
    policy-map SHAPE-TEST
    class class-default
    shape average 48000
    Using: cisco-avpair = "ip:sub-qos-policy-out=SHAPE-TEST"
    ======================== Packet capture =================================
    No.     Time                          Source                Destination           Protocol Info
          1 2000-01-01 08:46:03.257911000 172.16.2.218          172.20.2.55           RADIUS   CoA-Request(43) (id=1, l=49)
    Frame 1: 91 bytes on wire (728 bits), 91 bytes captured (728 bits)
        Arrival Time: Jan  1, 2000 08:46:03.257911000 Eastern Standard Time
        Epoch Time: 946734363.257911000 seconds
        [Time delta from previous captured frame: 0.000000000 seconds]
        [Time delta from previous displayed frame: 0.000000000 seconds]
        [Time since reference or first frame: 0.000000000 seconds]
        Frame Number: 1
        Frame Length: 91 bytes (728 bits)
        Capture Length: 91 bytes (728 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:udp:radius]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: HewlettP_af:82:b5 (2c:27:d7:af:82:b5), Dst: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        Destination: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 172.16.2.218 (172.16.2.218), Dst: 172.20.2.55 (172.20.2.55)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 77
        Identification: 0x5b26 (23334)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 128
        Protocol: UDP (17)
        Header checksum: 0x8244 [correct]
            [Good: True]
            [Bad: False]
        Source: 172.16.2.218 (172.16.2.218)
        Destination: 172.20.2.55 (172.20.2.55)
    User Datagram Protocol, Src Port: 57459 (57459), Dst Port: radius-dynauth (3799)
        Source port: 57459 (57459)
        Destination port: radius-dynauth (3799)
        Length: 57
        Checksum: 0x6ec3 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: CoA-Request (43)
        Packet identifier: 0x1 (1)
        Length: 49
        Authenticator: f8ce880960a402b9809f0c173c6c8530
        [The response to this request is in frame 2]
        Attribute Value Pairs
            AVP: l=10  t=Acct-Session-Id(44): 000000C3
                Acct-Session-Id: 000000C3
            AVP: l=19  t=Vendor-Specific(26) v=Cisco(9)
                VSA: l=13 t=Cisco-Policy-Down(38): POLICE-TEST
                    Cisco-Policy-Down: POLICE-TEST
    0000  00 1b 21 b3 18 58 2c 27 d7 af 82 b5 08 00 45 00   ..!..X,'......E.
    0010  00 4d 5b 26 00 00 80 11 82 44 ac 10 02 da ac 14   .M[&.....D......
    0020  02 37 e0 73 0e d7 00 39 6e c3 2b 01 00 31 f8 ce   .7.s...9n.+..1..
    0030  88 09 60 a4 02 b9 80 9f 0c 17 3c 6c 85 30 2c 0a   ..`.......
    0040  30 30 30 30 30 30 43 33 1a 13 00 00 00 09 26 0d   000000C3......&.
    0050  50 4f 4c 49 43 45 2d 54 45 53 54                  POLICE-TEST
    No.     Time                          Source                Destination           Protocol Info
          2 2000-01-01 08:46:03.259029000 172.20.2.55           172.16.2.218          RADIUS   CoA-NAK(45) (id=1, l=47)
    Frame 2: 89 bytes on wire (712 bits), 89 bytes captured (712 bits)
        Arrival Time: Jan  1, 2000 08:46:03.259029000 Eastern Standard Time
        Epoch Time: 946734363.259029000 seconds
        [Time delta from previous captured frame: 0.001118000 seconds]
        [Time delta from previous displayed frame: 0.001118000 seconds]
        [Time since reference or first frame: 0.001118000 seconds]
        Frame Number: 2
        Frame Length: 89 bytes (712 bits)
        Capture Length: 89 bytes (712 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:udp:radius]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: IntelCor_b3:18:58 (00:1b:21:b3:18:58), Dst: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        Destination: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 172.20.2.55 (172.20.2.55), Dst: 172.16.2.218 (172.16.2.218)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 75
        Identification: 0xe66e (58990)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 254
        Protocol: UDP (17)
        Header checksum: 0x78fd [correct]
            [Good: True]
            [Bad: False]
        Source: 172.20.2.55 (172.20.2.55)
        Destination: 172.16.2.218 (172.16.2.218)
    User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 57459 (57459)
        Source port: radius-dynauth (3799)
        Destination port: 57459 (57459)
        Length: 55
        Checksum: 0xa044 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: CoA-NAK (45)
        Packet identifier: 0x1 (1)
        Length: 47
        Authenticator: 8edb97b90c05e6ed7c1ce06688723520
        [This is a response to a request in frame 1]
        [Time from request: 0.001118000 seconds]
        Attribute Value Pairs
            AVP: l=21  t=Reply-Message(18): No Matching Session
                Reply-Message: No Matching Session
            AVP: l=6  t=Error-Cause(101): Session-Context-Not-Found(503)
                Error-Cause: Session-Context-Not-Found (503)
    0000  2c 27 d7 af 82 b5 00 1b 21 b3 18 58 08 00 45 00   ,'......!..X..E.
    0010  00 4b e6 6e 00 00 fe 11 78 fd ac 14 02 37 ac 10   .K.n....x....7..
    0020  02 da 0e d7 e0 73 00 37 a0 44 2d 01 00 2f 8e db   .....s.7.D-../..
    0030  97 b9 0c 05 e6 ed 7c 1c e0 66 88 72 35 20 12 15   ......|..f.r5 ..
    0040  4e 6f 20 4d 61 74 63 68 69 6e 67 20 53 65 73 73   No Matching Sess
    0050  69 6f 6e 65 06 00 00 01 f7                        ione.....
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.21 10:00:43 =~=~=~=~=~=~=~=~=~=~=~=
    ABN-3845#
    ABN-3845#sho run
    Building configuration...
    Current configuration : 2831 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname ABN-3845
    boot-start-marker
    boot-end-marker
    enable password ipdradm
    aaa new-model
    aaa authentication ppp default local group radius
    aaa authentication ppp mounir group radius local
    aaa authorization network default local group radius
    aaa authorization network mounir group radius
    aaa accounting update periodic 1
    aaa accounting exec mounir start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting network mounir start-stop group radius
    aaa server radius dynamic-author
    client 172.16.2.183
    client 172.20.2.234
    client 172.20.2.204
    client 172.16.2.218
    server-key ipdradm
    port 3799
    auth-type session-key
    aaa session-id common
    dot11 syslog
    ip cef
    ip domain name a-bb.net
    ip name-server 172.16.0.25
    multilink bundle-name authenticated
    vpdn-group mounir
    ! Default L2TP VPDN group
    accept-dialin
      protocol pppoe
      virtual-template 11
    l2tp tunnel receive-window 1024
    voice-card 0
    no dspfarm
    archive
    log config
      hidekeys
    policy-map POLICE-TEST
    class class-default
        police 48000 9000 18000 conform-action transmit  exceed-action drop  violate-action drop
    bba-group pppoe global
    virtual-template 11
    interface Loopback0
    ip address 172.29.1.5 255.255.255.255
    interface GigabitEthernet0/0
    ip address 172.20.2.55 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    interface GigabitEthernet0/1
    ip address 10.30.1.1 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    pppoe enable group global
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 2
    interface Virtual-Template11
    ip unnumbered GigabitEthernet0/1
    ppp authentication pap mounir
    ppp authorization mounir
    ppp accounting mounir
    interface Virtual-Template15
    ip unnumbered Loopback0
    no peer default ip address
    ppp authentication pap mounir
    ppp authorization mounir
    ppp accounting mounir
    router ospf 1
    router-id 172.29.1.5
    log-adjacency-changes
    redistribute connected subnets
    network 172.20.2.0 0.0.0.255 area 0
    network 172.29.1.5 0.0.0.0 area 0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    logging 172.20.2.150
    radius-server attribute 32 include-in-access-req
    radius-server attribute 32 include-in-accounting-req
    radius-server attribute 25 access-request include
    radius-server attribute nas-port format d
    radius-server host 172.20.2.204 auth-port 1812 acct-port 1813 key ipdradm
    radius-server key ipdradm
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    password ipdradm
    scheduler allocate 20000 1000
    end
    ABN-3845#
    ABN-3845#debug aaa coa
    AAA CoA packet processing debugging is on
    ABN-3845#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius elog debugging debugging is off
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Radius elog debugging debugging is off
    ABN-3845#
    *Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA):Orig. component type = PPoE
    *Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA): Acct-session-id pre-pended with Nas Port = 0/0/1/1
    *Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
    *Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
    *Sep 21 13:59:05.380: RADIUS(000000BA): sending
    *Sep 21 13:59:05.380: RADIUS/ENCODE: Best Local IP-Address 172.20.2.55 for Radius-Server 172.20.2.204
    *Sep 21 13:59:05.380: RADIUS(000000BA): Send Accounting-Request to 172.20.2.204:1813 id 1646/40, len 322
    *Sep 21 13:59:05.380: RADIUS:  authenticator 65 F4 15 61 6F AD B1 76 - 45 35 D5 42 9A 3E 2F C7
    *Sep 21 13:59:05.380: RADIUS:  Acct-Session-Id     [44]  18  "0/0/1/1_000000C3"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  41
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8d1.11a7.167a"
    *Sep 21 13:59:05.380: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Sep 21 13:59:05.380: RADIUS:  Framed-IP-Address   [8]   6   10.30.1.2
    *Sep 21 13:59:05.380: RADIUS:  User-Name           [1]   9   "ipdradm"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  35
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=1000000000"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=1000000000"
    *Sep 21 13:59:05.380: RADIUS:  Acct-Session-Time   [46]  6   143522
    *Sep 21 13:59:05.380: RADIUS:  Acct-Input-Octets   [42]  6   6382156
    *Sep 21 13:59:05.380: RADIUS:  Acct-Output-Octets  [43]  6   2559911
    *Sep 21 13:59:05.380: RADIUS:  Acct-Input-Packets  [47]  6   224941
    *Sep 21 13:59:05.380: RADIUS:  Acct-Output-Packets [48]  6   161500
    *Sep 21 13:59:05.380: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Sep 21 13:59:05.380: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  15
    *Sep 21 13:59:05.380: RADIUS:   cisco-nas-port     [2]   9   "0/0/1/1"
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port            [5]   6   16777217
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port-Id         [87]  9   "0/0/1/1"
    *Sep 21 13:59:05.380: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Sep 21 13:59:05.380: RADIUS:  NAS-IP-Address      [4]   6   172.20.2.55
    *Sep 21 13:59:05.380: RADIUS:  Unsupported         [151] 10
    *Sep 21 13:59:05.380: RADIUS:   44 36 34 41 36 36 31 33                     [D64A6613]
    *Sep 21 13:59:05.380: RADIUS:  Nas-Identifier      [32]  19  "ABN-3845.a-bb.net"
    *Sep 21 13:59:05.380: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Sep 21 13:59:09.804: RADIUS: acct-timeout for 2DC0CAF4 now 5, acct-jitter -1, acct-delay-time (at 2DC0CC30) now 4
    ABN-3845#
    *Sep 21 13:59:32.708: RADIUS: COA  received from id 1 172.16.2.218:50186, CoA Request, len 49
    *Sep 21 13:59:32.708: COA: 172.16.2.218 request queued
    *Sep 21 13:59:32.708:  ++++++ CoA Attribute List ++++++
    *Sep 21 13:59:32.708: 65F0A840 0 00000009 string-session-id(337) 8 000000C3
    *Sep 21 13:59:32.708: 670B2A10 0 00000009 sub-policy-Out(345) 11 POLICE-TEST
    *Sep 21 13:59:32.708:
    *Sep 21 13:59:32.708: COA: No matching entry found
    *Sep 21 13:59:32.708: COA: Added Reply Message: No Matching Session
    *Sep 21 13:59:32.708: COA: Added NACK Error Cause: Session Context Not Found
    *Sep 21 13:59:32.708: COA: Sending NAK from port 3799 to 172.16.2.218/50186
    *Sep 21 13:59:32.708: RADIUS:  18  21  4E6F204D61746368696E672053657373696F6E
    *Sep 21 13:59:32.708: RADIUS:  101 6   000001F7
    ABN-3845#

  • NAC port bounce feature not working with 3750 12.2(50)SE1 IOS...

    Guys, I would like to know about support for NAC on Cisco IOS 12.2(50)SE1 IP Base (3750).
    We have the port bounce feature in a test environment on a 3560 switch with Advanced IP Services IOS 12.2(46)SE and it was working fine, but now we are facing a problem with the 3750.
    Any clues...

    Hi Tarik,
    Thanks for your reply. SNMP settings are perfect since I am able to manage the switch from CAM; I can change the port settings as well, and yes, mac-notification change is added automatically, except bouncing the ports between VLANs.
    I'm not sure, but I suspect this could be a problem with the IOS as it is IP Base, while in the test environment it was Advanced IP Services and everything was perfect.

  • ACS 4.1 change Radius listen port

    In ACS 3.3 it was possible to specify the radius listen port with registry keys:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSRadius]
    "AuthenticationPort"=dword:0000064e
    "AccountingPort"=dword:0000064f
    "AuthenticationPortNew"=dword:0000064c
    "AccountingPortNew"=dword:0000064d
    This does not work anymore in version 4.1.
    Does anyone know how to change the radius listen port in version 4.1 ?
    Thanks,
    Gerard van Bon

    In 4.x all registry config was moved into the sql anywhere db.
    If you can get hold of the SQL Anywhere dev kit to get the DB edit app AND know your ACS database password and then can find the value in the table structure... then yes, you could change the RADIUS listen port.

  • WAP 121 support for RADIUS COA

    Hi,
    I am looking into purchasing WAP121 AP product and understand it supports 802.1x RADIUS.
    For an integration with the NAC product from Bradford, I need to know if the WAP121 supports the RADIUS CoA standard or at least whether there is a way to disassociate a client through a CLI command.
    Thanks in advance.
    -chang

    Dear Chang,
    Thank you for reaching the Small Business Support Community.
    None of the Small Business access points support the RADIUS CoA nor have CLI access, these are all GUI configurable devices with just the RADIUS feature.
    I suggest you look for an enterprise device and inquire about this feature on the wireless support community forum:
    https://supportforums.cisco.com/community/netpro/wireless-mobility
    Please do not hesitate to reach me back if there is any further assistance I may help you with.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the post so others will know when an answer has been found.

  • ISE WLC Port bounce with NAC

    I'm having trouble renewing the IP address after a VLAN change once the NAC Agent finishes its posture; the flow is as follows:
    1. Wireless client accesses the network, using 802.1x
    2. NAC Agent successfully validates posture and CoA is issued
    3. I see the new VLAN for that client on the WLC, however my captures indicate that no DHCP renewal is issued from the PC to the DHCP server
    This is not guest access, so the option to renew the VLAN DHCP is not a feasible one.
    Any comments will be gladly received.
    Thanks!

    Hello,
    I went through your query and for the same I have found the link below which may help in solving it:-
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html

  • WCS reports Radius server port 1813 up and down.

    Hi all,
    Help me on this, please. I use RADIUS servers 172.20.104.253 and .254 on port 1812 to authenticate some wireless clients. However, the .254 keeps failing, deactivated on port 1813 (this is from the log), resulting in some clients not being able to authenticate. How do I approach this? Why does a port 1813 failure affect the authentication which is on port 1812?
    Thanks.

    jedubois!
    I use Cisco ACS as my RADIUS. For laptops, instead of using a pre-shared key, I use RADIUS to authenticate the laptop. I create a user/password on AD (username is the laptop name). On the laptop, under the Intel Proset/Wireless utility, I create a profile with this username. Upon startup, the Proset/Wireless utility authenticates this user against the RADIUS server, then gives the laptop wireless connectivity; no pre-shared key needed.
    On the WCS event view, the RADIUS server is timed out (activated and deactivated) every 2 seconds (like you said, it is default). But it is on port 1813, and I configured the RADIUS server on WCS on port 1812.
    My questions are: what is the ideal timeout on each RADIUS server? And why does the RADIUS server report a timeout on port 1813 instead of 1812?
    FYI, I ping -t both of my radius servers. And radius servers are available all the time.
    Regards.

  • CSM port redirect query

    Dear All,
    I have the following scenario that I need to configure on CSM 4.2(12) (Cisco 6513).
    Scenario:
    Real IPs: 10.10.10.3 & 10.10.10.4
    VIP: 10.10.10.1
    When users access 10.10.10.1 on ports 81, 82, 83, 84 & 85, I want to port forward (redirect) this request to port 80.
    Is this possible?
    Can someone please post the required configuration for the above scenario.
    Client and Server vlans are in the same subnet.
    Thanks in advance
    Regards,
    Anser

    This is possible.
    All you need is to specify the port you want to use by the rserver and by the vserver.
    for example
    serverfarm MyFarm
      rserver 10.10.10.3 80
        inservice
      rserver 10.10.10.4 80
        inservice
    vserver MYVIP81
      virtual 10.10.10.1 tcp port 81
      serverfarm MyFarm
      inservice
    Gilles.

  • Cannot get CoA switch to bounce port

    Hi, I am trying to clear up a VLAN change/IP addressing conflict and have configured the profile's associated CoA type to 'port bounce'. I also created an exception action to force CoA with an associated rule in the policy.
    I can see the device hit the correct profile upon MAB, and the correct VLAN is applied to the port. However, I never see the port bounce occurring, so the device does not know to release/renew its IP address.
    Is there something I'm missing to get the CoA port bounce to happen? Here is my switchport config...
    interface GigabitEthernet1/5
    description ISE_TEST
    switchport access vlan 32
    switchport mode access
    switchport voice vlan 64
    ip access-group ACL-ALLOW in
    logging event link-status
    authentication event fail action next-method
    authentication event server dead action authorize vlan 2700
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer restart 600
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    service-policy input QoS-Input-Policy
    service-policy output QoS-Host-Port-Output-Policy
    end

    I did, but my issue was not related to the port bounce itself. It was because ARP inspection was identifying the ARP based off the port's initial VLAN. Once ISE changed the VLAN, IP ARP was denying the port because the address had changed. I disabled ARP inspection and it cleared up the issue.

  • CoA Session Query and invalid signature (err=2)!

    When the portal/RADIUS client sends a CoA-Req (session query), the ISG responds with a CoA-ACK; however the portal receives an error message stating “rad_verify: Received CoA-ACK packet from client 172.X.X.X port 3799 with invalid signature (err=2)! (Shared secret is incorrect.)”
    The same happens when a CoA-Req (session query) is sent from the RADIUS client with an invalid/non-existing portbundle number.
    We were expecting an ACK in the first and a NAK in the second case!
    Did anyone see this before? Please provide inputs, if any.
    Thanks!

    Thank You Admani, I have already done that but just wanted to know if anyone else noticed the same and have a solution if any?
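
The CoA exchange in the 3845 thread above (CoA-Request carrying Acct-Session-Id and a Cisco VSA, answered with CoA-NAK / Error-Cause 503) and the authenticator check behind the "invalid signature (err=2)" message in this thread, as an added Python example that is not code from any of these posts. It follows RFC 5176 and assumes a constructed shared secret and a constructed NAS session table; the attribute bytes match the capture in the 3845 thread.

```python
"""RFC 5176 CoA-Request builder, NAS-side lookup and response verifier.
Added example, not code from any post in this thread. The secret and the
NAS session table are constructed; the attributes mirror the capture above."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACCT_SESSION_ID, VENDOR_SPECIFIC, REPLY_MESSAGE, ERROR_CAUSE = 44, 26, 18, 101
CISCO_VENDOR_ID = 9
SESSION_CONTEXT_NOT_FOUND = 503          # Error-Cause value seen in the NAKs


def avp(avp_type, value):
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("!BB", avp_type, len(value) + 2) + value


def cisco_vsa(subtype, text):
    """Vendor-Specific (26) carrying one Cisco (vendor 9) sub-attribute."""
    sub = avp(subtype, text.encode())
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(data):
    """Return [(type, value), ...]; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_coa_request(ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def nas_handle(request, known_sessions, secret):
    """NAS side: verify the request authenticator, then look the session up."""
    if len(request) < 20 or request[0] != COA_REQUEST:
        return None
    header, auth, attrs = request[:4], request[4:20], request[20:]
    if struct.unpack("!H", header[2:4])[0] != len(request):
        return None
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return None                      # bad authenticator: silently discard
    wanted = dict(parse_attrs(attrs)).get(ACCT_SESSION_ID, b"")
    if wanted.decode(errors="replace") in known_sessions:
        return build_response(COA_ACK, request, b"", secret)
    nak = avp(REPLY_MESSAGE, b"No Matching Session") + \
        avp(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return build_response(COA_NAK, request, nak, secret)


def verify_response(request, response, secret):
    """Client side: fails exactly when the two ends hold different secrets."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def classify_response(request, response, secret):
    """Return ('ack' | 'nak' | 'invalid-signature', Error-Cause or None)."""
    if response is None or not verify_response(request, response, secret):
        return ("invalid-signature", None)
    attrs = dict(parse_attrs(response[20:]))
    if response[0] == COA_ACK:
        return ("ack", None)
    cause = attrs.get(ERROR_CAUSE)
    return ("nak", struct.unpack("!I", cause)[0] if cause else None)


# Constructed secret; attributes as in the capture: Acct-Session-Id "000000C3"
# plus Cisco sub-attribute 38 "POLICE-TEST" (49-octet CoA-Request, id 1).
SECRET = b"sample-shared-secret"
ATTRS = avp(ACCT_SESSION_ID, b"000000C3") + cisco_vsa(38, "POLICE-TEST")
REQUEST = build_coa_request(1, ATTRS, SECRET)
# The router's accounting shows the id pre-pended with the NAS port, so a
# lookup on the bare value misses and the NAS answers NAK / Error-Cause 503.
NAS_SESSIONS = {"0/0/1/1_000000C3"}

if __name__ == "__main__":
    reply = nas_handle(REQUEST, NAS_SESSIONS, SECRET)
    print(len(REQUEST), classify_response(REQUEST, reply, SECRET))
    print(classify_response(REQUEST, reply, b"wrong-secret"))
```

Running it with a secret that differs between the two ends reproduces the client-side "invalid signature" outcome, while a session id that does not match the NAS table reproduces the NAK with Error-Cause 503.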

  • ISE 1.2 Patch 8 - Wired CoA Bug

    Hi all,
    Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
    I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
    So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

    CoA Not Initiating on Client Machine

    Symptoms or Issue: Cisco ISE is not able to identify the specified Network Access Device (NAD).
    Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
      • 11007 Could not locate Network Device or AAA Client Resolution
    Possible Causes:
      • The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
      • Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
    Resolution:
      • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
      • Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices

    Symptoms or Issue: Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
    Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
    Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.
    Resolution: Ensure the following commands are present in the switch configuration file (required on switch to activate CoA and configure the switch):
      aaa server radius dynamic-author
      client <Monitoring_node_IP_address> server-key <radius_key>

  • CoA issues between ISE and 3750x

    We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
    When the RADIUS server sends a reauthentication CoA message to the switch, the switch responds with a 'session context not found' reply. I have upgraded the code to the latest levels on both the ISE and the switch and still have the same results.
    This reauthenticate is needed after the NAC profiler determines the PC is compliant. I am receiving the compliant message from the PC and switch, but because the switch never reauthenticates the client after the CoA request, the client is never granted full access.
    I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
    Please Help...!!!!!
    -Debug --
    Log Buffer (10000 bytes):
    Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
    Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
    Feb 28 19:34:21.940 UTC: RADIUS:  authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
    Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
    Feb 28 19:34:21.948 UTC: RADIUS:  Event-Timestamp     [55]  6   1362080061
    Feb 28 19:34:21.948 UTC: RADIUS:  Message-Authenticato[80]  18
    Feb 28 19:34:21.948 UTC: RADIUS:   BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4              [ *c"~]
    Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  41
    Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  49
    Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
    Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
    Feb 28 19:34:21.948 UTC:  ++++++ CoA Attribute List ++++++
    Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
    Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
    Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
    Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
    Feb 28 19:34:21.948 UTC:
    Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
    Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
    Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
    Feb 28 19:34:21.957 UTC: RADIUS:  authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
    Feb 28 19:34:21.957 UTC: RADIUS:  Reply-Message       [18]  18
    Feb 28 19:34:21.957 UTC: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
    Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
    Feb 28 19:34:21.957 UTC: RADIUS:  Message-Authenticato[80]  18
    Feb 28 19:34:21.957 UTC: RADIUS:   30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61          [ 0R.TK(1a]
    ESWHQFL02-S#
    ESWHQFL02-S#
    -- Switch Config -
    aaa authentication login default group tacacs+ local-case
    aaa authentication login local_login local
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa authorization network auth-list group DOT1X
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 5 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa server radius dynamic-author
    client 10.122.1.82 server-key 7 14141B180F0B
    client 10.122.1.80 server-key 7 045802150C2E
    aaa session-id common
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
    radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
    radius-server deadtime 5
    radius-server key 7 030752180500
    radius-server vsa send accounting
    radius-server vsa send authentication

    As per the Cisco recommendation, IOS 12.2(52)SE is suitable for the Catalyst 3750-X and will support all the features (MAB, 802.1X, CWA, LWA, CoA, VLAN, dACL, SGA) without any issues, as mentioned in the link below:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.
    I see you are using IOS 12.2(58)SE2, which is not recommended. So you can downgrade to IOS 12.2(52)SE, which will solve your issues.

  • CoA Session Context Not Found

    Hello Guys,
    I am using a Cisco 2951 with 15.3(3)M1, and when doing some tests with CoA I got the following error:
    *Nov  7 10:34:24.780: COA: 1.1.1.1 request queued
    *Nov  7 10:34:24.780: RADIUS:  authenticator 52 CF BB 58 BB D5 69 4E - 59 3B 09 75 E9 83 54 4C
    *Nov  7 10:34:24.780: RADIUS:  User-Name           [1]   2   ""
    *Nov  7 10:34:24.780: RADIUS:  Acct-Session-Id     [44]  10  "0000002B"
    *Nov  7 10:34:24.780: RADIUS:  Vendor, Cisco       [26]  42
    *Nov  7 10:34:24.780: RADIUS:   Cisco AVpair       [1]   36  "subscriber:command=reauthenticate "
    *Nov  7 10:34:24.780: RADIUS:  Message-Authenticato[80]  18
    *Nov  7 10:34:24.780: RADIUS:   B6 78 8B EA DE 3B 73 26 57 53 C0 E7 47 89 2C 6D         [ x;s&WSG,m]
    *Nov  7 10:34:24.780: COA: Message Authenticator decode passed
    *Nov  7 10:34:24.780:  ++++++ CoA Attribute List ++++++
    *Nov  7 10:34:24.780: 01EEAF6C 0 00000081 username(450) 0
    *Nov  7 10:34:24.780: 01EEB7EC 0 00000001 session-id(408) 4 43(2B)
    *Nov  7 10:34:24.780: 01EEB820 0 00000081 ssg-command-code(490) 1 32
    *Nov  7 10:34:24.780:
    *Nov  7 10:34:24.780:  ++++++ Received CoA response Attribute List ++++++
    *Nov  7 10:34:24.780: 01EEB7EC 0 00000082 reply-message(273) 16 No valid Session
    *Nov  7 10:34:24.780: 01EEB820 0 00000002 error-cause(272) 4 Session Context Not Found
    This is very strange, because the session-id is correct.
    Can anyone advise me on this? Thanks!
    David

    Hello Manuel,
    Thanks for all your help. Here is the show output
    LNS#show subscriber session uid 47 detailed internal
    Subscriber session handle: EC00005E, state: connected, service: Local Term
    Unique Session ID: 47
    Identifier: [email protected]
    SIP subscriber access type(s): VPDN/PPP
    Root SIP Handle: 5300005D, PID: 313
    Child SIP Handle: 7900002F, PID: 318
    Current SIP options: Req Fwding/Req Fwded
    Session Up-time: 19:52:55, Last Changed: 19:52:55
    Switch handle: 211E
    Interface: Virtual-Access2.2
    Policy information:
      Context 10EC39C0: Handle 7B00002F
      AAA_id 0000003B: Flow_handle 0
      Authentication status: authen
    Policy internals:
      Policy state                        : wait-for-events
      Authorization type                  : AAA service
      Active key                          : apply-config-only
      Authorization active key            : Auth-User
      Last top level rule type            : session-service-found
      Client                              : SM
      Last message from client            : Apply Config Success
      Last message to client              : Apply Config Success
      Current key list from client        :
        Identifier: Auth-Domain = "xxx.xx"
        Identifier: Protocol-Type = 0 (PPP Access Protocol)
        Identifier: Session-Handle = 3959423070 (EC00005E)
        Identifier: Tunnel-Name = "LNS"
        Identifier: Media-Type = 2 (IP)
        Identifier: Input Interface = "GigabitEthernet0/1.2000"
        Identifier: AAA-Acct-Enbl = 1 (YES)
        Identifier: Authen-Status = 0 (Authenticated)
        Identifier: Nasport = Vty Terminal: port 47 IP 69.17.193.90
        Identifier: Auth-User = "[email protected]"
      Network plumbing done yet           : Yes
      Network plumbing directive proposed : None
      AIE handle                          : 2B00002F
      AIE user ID                         : 47
      AAA user ID                         : 0000003B/59
      Authorization index                 : 0
      Authorization priority              : 1
      Context                             : 7B00002F
      North handle                        : 00000000
      North callback                      : 00000000
      South handle                        : EC00005E
      South callback                      : 06B898A8
      Current access-type                 : PPP
      All access-types                    : [0] VPDN
                                          : [1] PPP
      No more keys available from         : PPP
      Session activated                   : Yes
    Session inbound features:
    Feature: QoS Policy Map
      Input Policy Map: INTERNET-15Mb-IN
    Session outbound features:
    Feature: QoS Policy Map
      Output Policy Map: INTERNET-15Mb-OUT
    Configuration sources associated with this session:
    Interface: Virtual-Template1, Active Time = 19:52:55
    Pending status associated with this session:
    Bind status: Success, Delay delete: No, Pending mask: 0
    And the debug output for a reauthenticate command
    *Nov  8 10:21:58.367: RADIUS: COA  received from id 1 x.x.x.x:60590, CoA Request, len 108
    *Nov  8 10:21:58.367: COA: x.x.x.x request queued
    *Nov  8 10:21:58.367: RADIUS:  authenticator 1D 92 FF 04 43 EA 0E 11 - DE 49 2F AE 81 46 42 78
    *Nov  8 10:21:58.367: RADIUS:  User-Name           [1]   18  [email protected]
    *Nov  8 10:21:58.367: RADIUS:  Acct-Session-Id     [44]  10  "0000003B"
    *Nov  8 10:21:58.367: RADIUS:  Vendor, Cisco       [26]  42
    *Nov  8 10:21:58.367: RADIUS:   Cisco AVpair       [1]   36  "subscriber:command=reauthenticate "
    *Nov  8 10:21:58.367: RADIUS:  Message-Authenticato[80]  18
    *Nov  8 10:21:58.367: RADIUS:   7F CA 0A 96 A7 4C 5F 05 57 33 4D 36 D6 7A 37 7E         [ L_W3M6z7~]
    *Nov  8 10:21:58.367: COA: Message Authenticator decode passed
    *Nov  8 10:21:58.367:  ++++++ CoA Attribute List ++++++
    *Nov  8 10:21:58.367: 01FCE77C 0 00000081 username(450) 16 [email protected]
    *Nov  8 10:21:58.367: 01FCFBAC 0 00000001 session-id(408) 4 59(3B)
    *Nov  8 10:21:58.367: 01FCFBE0 0 00000081 ssg-command-code(490) 1 32
    *Nov  8 10:21:58.367:
    *Nov  8 10:21:58.367: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    *Nov  8 10:21:58.367: RADIUS(00000000): sending
    *Nov  8 10:21:58.367: RADIUS(00000000): Send CoA Nack Response to 69.17.193.4:60590 id 1, len 62
    *Nov  8 10:21:58.367: RADIUS:  authenticator A3 EC 85 01 C3 31 E2 B3 - 25 22 38 79 DA 8E 95 46
    *Nov  8 10:21:58.367: RADIUS:  Reply-Message       [18]  18
    *Nov  8 10:21:58.367: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
    *Nov  8 10:21:58.367: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
    *Nov  8 10:21:58.367: RADIUS:  Message-Authenticato[80]  18
    *Nov  8 10:21:58.367: RADIUS:   AC 83 2A 7C DE 7D 78 8E B7 91 C9 F0 16 8B 86 D2              [ *|}x]
    Even the PoD is not working
    *Nov  8 10:24:04.022: RADIUS: POD  received from id 4 x.x.x.x:57061, POD Request, len 66
    *Nov  8 10:24:04.022: POD: 69.17.193.4 request queued
    *Nov  8 10:24:04.022:  ++++++ POD Attribute List ++++++
    *Nov  8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16 [email protected]
    *Nov  8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)
    *Nov  8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7
    *Nov  8 10:24:04.022:
    *Nov  8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    *Nov  8 10:24:04.022: RADIUS(00000000): sending
    *Nov  8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44
    *Nov  8 10:24:04.022: RADIUS:  authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86
    *Nov  8 10:24:04.022: RADIUS:  Reply-Message       [18]  18
    *Nov  8 10:24:04.022: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
    *Nov  8 10:24:04.022: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
    *Nov  8 10:24:04.022: RADIUS: POD  received from id 4 x.x.x.x:57061, POD Request, len 66
    *Nov  8 10:24:04.022: POD: x.x.x.x request queued
    *Nov  8 10:24:04.022:  ++++++ POD Attribute List ++++++
    *Nov  8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16 [email protected]
    *Nov  8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)
    *Nov  8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7
    *Nov  8 10:24:04.022:
    *Nov  8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    *Nov  8 10:24:04.022: RADIUS(00000000): sending
    *Nov  8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44
    *Nov  8 10:24:04.022: RADIUS:  authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86
    *Nov  8 10:24:04.022: RADIUS:  Reply-Message       [18]  18
    *Nov  8 10:24:04.022: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
    *Nov  8 10:24:04.022: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
    Thanks!!
    David
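
Both CoA threads above end the same way: the switch logs "Message Authenticator decode passed" and then answers with a CoA-NAK carrying Error-Cause 503, Session Context Not Found. The following Python script is an added example (not code from either poster or from Cisco) that builds the same reauthenticate CoA-Request, signs it with a shared secret, verifies it the way a NAS would, and decodes the NAK. It reuses the values visible in the first debug (NAS 10.122.1.66, identifier 38, Event-Timestamp 1362080061 and audit-session-id 0A7A014200000272048AF0F1); the shared secret is a constructed placeholder. With those attributes the request encodes to exactly the 140 bytes and the NAK to the 62 bytes the debug reports. The point for troubleshooting: a packet that fails `verify_request` is a key or port problem, whereas a packet that verifies and still draws a 503 means the key is fine and the NAS simply could not map the session identifier it was given (the 3750 debug shows the IDC db search failing), so the thing to compare is the session identifier the server sends against the one the NAS actually holds.

```python
"""RADIUS Change-of-Authorization packets (RFC 5176): build, sign, verify, decode.

Added example, not from the forum thread. Attribute values mirror the debug
output above; the shared secret is a constructed placeholder.
"""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_NAK = 43, 45
ATTR_NAS_IP, ATTR_REPLY_MSG, ATTR_VSA = 4, 18, 26
ATTR_EVENT_TS, ATTR_MSG_AUTH, ATTR_ERROR_CAUSE = 55, 80, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Subset of the RFC 5176 Error-Cause values a NAS returns in a CoA/Disconnect NAK.
ERROR_CAUSE_NAMES = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    501: "Administratively Prohibited", 503: "Session Context Not Found",
    504: "Session Context Not Removable", 506: "Resources Unavailable",
}


def attr(atype, value):
    """Encode one RADIUS TLV (type, length, value)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco (vendor 9) AVPair inside a Vendor-Specific attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def walk(attrs):
    """Yield (offset, type, value) for every TLV; reject truncated ones."""
    off = 0
    while off < len(attrs):
        if len(attrs) - off < 2:
            raise ValueError("truncated attribute at offset %d" % off)
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, atype, attrs[off + 2:off + alen]
        off += alen


def header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def sign_request(code, ident, attrs, secret):
    """Sign a CoA/Disconnect request with the shared secret.

    Message-Authenticator = HMAC-MD5 over the packet with the Authenticator
    field and the attribute's own value zeroed; the Request Authenticator is
    then MD5(packet + secret) over the finished attributes (RFC 5176 / 3579).
    """
    ma_off = next((o for o, t, _ in walk(attrs) if t == ATTR_MSG_AUTH), None)
    if ma_off is not None:
        zeroed = attrs[:ma_off + 2] + bytes(16) + attrs[ma_off + 18:]
        ma = hmac.new(secret, header(code, ident, bytes(16), zeroed), hashlib.md5).digest()
        attrs = attrs[:ma_off + 2] + ma + attrs[ma_off + 18:]
    req_auth = hashlib.md5(header(code, ident, bytes(16), attrs) + secret).digest()
    return header(code, ident, req_auth, attrs)


def build_coa_request(secret, ident, nas_ip, audit_session_id, timestamp):
    """The reauthenticate CoA from the debugs: NAS-IP-Address, Event-Timestamp,
    Message-Authenticator and two Cisco AVPairs, in that order."""
    attrs = (attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_EVENT_TS, struct.pack("!I", timestamp))
             + attr(ATTR_MSG_AUTH, bytes(16))
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("audit-session-id=" + audit_session_id))
    return sign_request(COA_REQUEST, ident, attrs, secret)


def verify_request(pkt, secret):
    """NAS-side check: re-sign with the configured key and compare the packet.
    Failing here is a key mismatch; it is not the 503 case in the debugs."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        expected = sign_request(pkt[0], pkt[1], pkt[20:], secret)
    except ValueError:
        return False
    return hmac.compare_digest(expected, pkt)


def build_coa_nak(request, secret, error_cause, reply_message="No valid Session"):
    """NAK shaped like the switch's reply: Reply-Message, Error-Cause, Message-Authenticator.
    Responses are keyed over the request's Authenticator, then MD5(packet + secret)."""
    ident, req_auth = request[1], request[4:20]
    attrs = (attr(ATTR_REPLY_MSG, reply_message.encode())
             + attr(ATTR_ERROR_CAUSE, struct.pack("!I", error_cause))
             + attr(ATTR_MSG_AUTH, bytes(16)))
    ma = hmac.new(secret, header(COA_NAK, ident, req_auth, attrs), hashlib.md5).digest()
    attrs = attrs[:-16] + ma
    resp_auth = hashlib.md5(header(COA_NAK, ident, req_auth, attrs) + secret).digest()
    return header(COA_NAK, ident, resp_auth, attrs)


def decode_error_cause(pkt):
    """Return (Error-Cause number, RFC 5176 name) from a CoA/Disconnect NAK."""
    for _, atype, value in walk(pkt[20:]):
        if atype == ATTR_ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            return cause, ERROR_CAUSE_NAMES.get(cause, "unknown")
    return None, "no Error-Cause attribute"


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # placeholder, not a real key
    req = build_coa_request(SECRET, 38, "10.122.1.66", "0A7A014200000272048AF0F1", 1362080061)
    print("CoA-Request len", len(req), "key ok:", verify_request(req, SECRET),
          "wrong key ok:", verify_request(req, b"wrong-key"))
    nak = build_coa_nak(req, SECRET, 503)
    print("CoA-NAK len", len(nak), decode_error_cause(nak))
```

The `audit-session-id` AVPair is what the 3750 looks up; the 2951 debugs instead carry `Acct-Session-Id` and a `User-Name`, which is why the same script takes the session identifier as a plain parameter rather than deciding which attribute a given IOS release keys on.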

  • Problem with EAP and RADIUS

    Hi *,
      I have the following problem with RADIUS and EAP authentication.
    Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
    I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
    What could it be?
    Debug piece and configuration follows:
    *Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17
    *Jan 25 14:23:34.795: RADIUS(00000012): sending
    *Jan 25 14:23:34.799: RADIUS:   4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E  [NGVzxeJOU1G@wlan]
    *Jan 25 14:23:34.799: RADIUS:   2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33  [.mnc001.mcc001.3]
    *Jan 25 14:23:34.799: RADIUS:   67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67        [gppnetwork.org]
    *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Jan 25 14:23:34.799: RADIUS:  NAS-Port            [5]   6   265
    *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Id         [87]  5   "265"
    *Jan 25 14:23:34.799: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2
    *Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
    *Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11
    *Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: ssid              [265] 8
    *Jan 25 14:23:34.831: RADIUS:   57 69 66 69 45 41                                [WifiEA]
    *Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: interface         [157] 3
    *Jan 25 14:23:34.831: RADIUS:   32                                               [2]
    *Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2
    *Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17
    *Jan 25 14:23:34.835: RADIUS(00000012): sending
    *Jan 25 14:23:34.835: RADIUS:   10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA  [?????????7??y>3?]
    *Jan 25 14:23:34.835: RADIUS:   F3 7D 73 43 BF BA D0 6A                          [?}sC???j]
    *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Jan 25 14:23:34.835: RADIUS:  NAS-Port            [5]   6   265
    *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Id         [87]  5   "265"
    *Jan 25 14:23:34.835: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2
    *Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304
    *Jan 25 14:23:35.039: RADIUS:   46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28  [F?x__??l???????(]
    *Jan 25 14:23:35.039: RADIUS:   E0 18 2B 95 97 C2 0A D7 40 53 FE 62              [??+?????@S?b]
    *Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64
    *Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes
    *Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: ssid              [265] 8
    *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41                                [WifiEA]
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface         [157] 3
    *Jan 25 14:23:35.359: RADIUS:   92 DA 5E 26 CF 40 01 22 7A 8E F5 C1              [??^&?@?"z???]
    *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Jan 25 14:23:35.359: RADIUS:  NAS-Port            [5]   6   265
    *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Id         [87]  5   "265"
    *Jan 25 14:23:35.359: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2
    *Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30
    *Jan 25 14:23:35.367: RADIUS:  authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7
    *Jan 25 14:23:35.367: RADIUS:  EAP-Message         [79]  10
    *Jan 25 14:23:35.367: RADIUS:   03 01 00 04 00 00 00 00                          [????????]
    *Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65
    *Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes
    *Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
    Config:
    aaa new-model
    !
    aaa group server radius rad_eap
     server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448
    !
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default if-authenticated
    aaa authorization network default if-authenticated
    !
    aaa session-id common
    ip name-server 192.168.177.45
    !
    dot11 ssid WifiEAP1
       vlan 10
       authentication open eap eap_methods
       authentication shared eap eap_methods
       authentication key-management wpa optional
       guest-mode
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 10 mode ciphers aes-ccm tkip wep128
     !
     broadcast-key vlan 10 change 300
     !
     ssid WifiEAP1
     !
     antenna gain 0
     station-role root
    !
    interface Dot11Radio0.10
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0
     ip address 192.168.173.3 255.255.255.0
     no ip route-cache
    !
    interface GigabitEthernet0.1
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.173.2 255.255.255.0
     no ip route-cache
    !
    ip radius source-interface BVI1
    bridge 1 route ip
    thanks so much!

    Stefano: not sure if related but there is an unsupported attribute in the debugs:
    Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr:
    *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface
    Try to eliminate any configured attributes on RADIUS except those in IETF RADIUS. Then try again.
    You may also check by removing the shared EAP as suggested above. Let us know if this works.
    Sent from Cisco Technical Support iPad App
