ISE not sending COA-Reauth

rbalaram
Cisco Employee

Hi All,

I am working on ISE. I have 2 authorization profiles. The 1st profile is a default profile which will be pushed after the client is 802.1X authenticated.

With the help of probes, ISE discovers the client to be a Windows 7 client. After it updates the client's profile, it is supposed to send a CoA (Reauth) to the authenticator (an access point here), so that the 2nd profile can be pushed from ISE when it receives a reauthentication RADIUS Access-Request from the authenticator.

But the problem here is that ISE is not sending the CoA in the first place. CoA is enabled in Settings as well.

I am completely puzzled and confused. ISE used to send a CoA when a client's profile updated.

I also deleted the endpoint and attempted re-authentication, which led to no good result.

What could have gone wrong? Why is ISE not sending the CoA? Do we have to delete the client's MAC address from the ISE DB or elsewhere and start fresh?

I am in urgent need of help, so kindly assist.

Regards,

6 Replies 6

howon
Cisco Employee

Rohit, which type of AP is this? CoA is sent to the NAD; in most wireless environments it is the WLC.

Assuming CoA is enabled globally on the ISE, ISE will send a CoA when an endpoint transitions from the UNKNOWN device profile to any of the known profiles. If the endpoint was already profiled as one of the known profiles (e.g. Workstation) and then moves to a more specific known profile (e.g. Windows 7), the CoA will not trigger.

Hosuk

Hey Hosuk,

Thanks for your prompt reply.

You are right. Generally the NAD would be the WLC for wireless, but I am required to support an AP (access point), a wireless device, as a NAD for ISE. So, it is in a development phase.

Well, I have deleted the endpoint profile before trying out the reauthentication. Initially ISE creates the endpoint with "Unknown" as the device type, and later it learns from the HTTP probe that it is a Windows workstation, but then it is not sending the CoA at all. I can share the setup with you if you can extend help. I confirmed it by doing a Wireshark capture.

Regards,

Rohit

Unfortunately ISE does not support Autonomous APs for most functions. With Autonomous APs you are able to do basic 802.1X authentication and dynamic VLAN assignment during the initial authentication. Anything that requires a CoA will not work.

I recently worked through this in a lab and those are the only features that will work.

That's correct. Those APs don't have the CoA function nor the URL redirection function.

In ISE 2.1 we plan to release the 2nd phase of "3rd party support", which should allow this to work, depending on the architecture.

-Aaron

I am working on supporting ISE with Autonomous APs. It is in a development phase.

And I remember APs used to receive CoAs, and I handled it by responding to the CoA in the code.

I even handled url-redirect, and the AP now does url-redirect for its clients.

Now, can someone please help me figure out why my ISE is not sending the CoA? CoA is enabled in settings too.

I can share my setup if needed.

Regards,

Rohit Kumar

rbalaram@cisco.com
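Rohit's NAD code has to do more than "respond" to a CoA: a Dynamic Authorization client (ISE here) authenticates each CoA-Request with the shared secret, and the NAD must verify that before acting on it, or an unauthenticated packet on UDP/3799 could tear down or re-authorize a session. The following is an added example, not code from this thread or from Cisco; it implements the RFC 5176 Request/Response Authenticator computation in plain Python for both sides of the exchange and simulates a NAD that ACKs a CoA for a known Accounting-Session-Id and NAKs with Error-Cause 503 (Session Context Not Found) otherwise. The secret, identifier and session values are constructed for the demo; `nad_handle_coa` and the session-lookup shape are assumptions about how a NAD might be structured, not any AP's real implementation.

```python
import hashlib
import hmac
import struct

# RADIUS codes for Dynamic Authorization (RFC 5176)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used in this example (RFC 2865 / RFC 5176)
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length headers."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_coa_request(ident, attrs, secret):
    """Build a CoA-Request the way the server (ISE) side would send it."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_coa_request(packet, secret):
    """Check framing and the Request Authenticator; return (ident, attrs) or raise."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Request Authenticator mismatch")
    return ident, decode_attrs(body)


def build_coa_response(code, ident, request_auth, attrs, secret):
    """Build CoA-ACK/NAK; the Response Authenticator binds it to the request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def nad_handle_coa(packet, secret, active_sessions):
    """Simulated NAD (assumed structure): verify, look up the session, answer.

    Returns None when verification fails: RFC 5176 has the NAD silently
    discard such a request instead of answering it.
    """
    try:
        ident, attrs = verify_coa_request(packet, secret)
    except ValueError:
        return None
    request_auth = packet[4:20]
    session_id = dict(attrs).get(ATTR_ACCT_SESSION_ID)
    if session_id in active_sessions:
        return build_coa_response(COA_ACK, ident, request_auth, [], secret)
    error = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_coa_response(COA_NAK, ident, request_auth,
                              [(ATTR_ERROR_CAUSE, error)], secret)


def verify_coa_response(response, request, secret):
    """Server side: validate the NAD's reply against the request it answers."""
    if len(response) < 20:
        raise ValueError("response shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or ident != request[1] or length != len(response):
        raise ValueError("response does not match request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed demo value
    req = build_coa_request(7, [(ATTR_ACCT_SESSION_ID, b"0000abcd"),
                                (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")], secret)
    reply = nad_handle_coa(req, secret, {b"0000abcd"})
    print("NAD answered with code", verify_coa_response(reply, req, secret))
```

The two checks worth copying are the ones that decide whether a packet is even answered: the Request Authenticator is compared in constant time and a failure produces no reply at all, and the server only accepts a response whose Identifier and Response Authenticator tie it to the outstanding request. Because the authenticator is MD5 over the shared secret, the secret's strength and the UDP/3799 exposure of the NAD are what this exchange rests on; a Wireshark capture like the one Rohit describes would show the Request Authenticator but not the secret.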

I will contact you offline, unless someone else has already done so.
