I’m on an ISE deployment and, as with many projects, have a tight timeline. Fortunately, I did a good bit of work remotely the week before coming on site, so much of the standard “housekeeping” for basic ISE configuration was in order when I got here. But in the time leading up to my arrival I had a headache or two. The main issue was that Change of Authorization (CoA) was not working for my test authentication attempts. I beat my head against the wall a bit, but it finally turned out to be a bug, and not a well-known one. The symptom was the error “dynamic authorization failed” in ISE MnT; in other words, CoA failed. The particular use case being tested was guest access: the guest would get the Central WebAuth (CWA) page as expected, and when they logged in, MnT would show success for the user authentication but failure for authorization, with the error I mentioned.
The issue is the licensing level of the switch. I was running 12.2(55)SE4 in the test environment and hitting this problem. After opening a TAC case, and while holding for a third engineer (the first two went off shift before resolution), I found a bug in the release notes showing that the LAN Base licensing level does not support CoA properly (CSCtr75298). So I downloaded a trial IP Base license for the switch, and sure enough, CoA worked as expected. Then I looked at the bug tool on Cisco’s site and saw that this issue was fixed in 12.2(55)SE5 with LAN Base. So I loaded that image, reverted to the LAN Base license level, and saw successful CoA.