02-02-2016 09:18 AM - edited 08-31-2022 12:19 AM
Hi All,
I am working on ISE. I have 2 authorization profiles. The 1st profile is a default profile which will be pushed after the client is 802.1x authenticated.
With the help of probes, ISE discovers the client to be a Windows 7 client. After it updates the profile of the client, it is supposed to send a CoA (Reauth) to the authenticator (access point here), so that the 2nd profile can be pushed from ISE if it receives a reauthentication RADIUS Access-Request from the authenticator.
But the problem here is that ISE is not sending the CoA in the first place. CoA is enabled in Settings also.
I am completely puzzled and confused. ISE used to send CoA if the client's profile updates.
I also deleted the endpoint and attempted re-authentication, with no good result.
What could have gone wrong? Why is ISE not sending CoA? Do we have to delete the client's MAC address from the ISE DB or elsewhere and start fresh?
I am in urgent need of help. So, kindly assist.
Regards,
02-02-2016 09:25 AM
Rohit, which type of AP is this? CoA is sent to the NAD; in most wireless environments it is the WLC.
Assuming CoA is enabled globally on the ISE, then ISE will send CoA when an endpoint transitions from the UNKNOWN device profile to any of the known profiles. If the endpoint was already profiled as one of the known profiles (i.e. Workstation) and then moves to a more specific known profile (i.e. Windows 7), the CoA will not trigger.
Hosuk
02-03-2016 02:51 AM
Hey Hosuk,
Thanks for your prompt reply.
You are right. Generally the NAD would be the WLC for wireless, but I am required to support an AP (access point), a wireless device, as a NAD for ISE. So, it is in a development phase.
Well, I have deleted the endpoint profile before trying out the reauthentication. Initially the ISE creates the endpoint with "Unknown" as device type, and later it learns from the HTTP probe that it is Windows-workstation, then it is not sending the CoA at all. I can share the setup with you if you can extend help. I confirmed it by doing a Wireshark capture.
Regards,
Rohit
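The capture check mentioned in the post above can be scripted. This is an added example, not part of any post in the thread: it assumes the UDP payloads between ISE and the NAD have been exported from a capture as (source, destination, payload) tuples, and the addresses and sample packets are constructed.

```python
import struct

# RADIUS packet codes from RFC 2865 (access) and RFC 5176 (dynamic authorization)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}

def radius_code(payload):
    """Return the RADIUS message name, or None if this is not a sane RADIUS packet."""
    if len(payload) < 20:                      # code, id, length, 16-byte authenticator
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):       # declared length must fit the datagram
        return None
    return CODES.get(code)

def coa_verdict(packets, ise_ip, nad_ip):
    """packets: (src_ip, dst_ip, udp_payload) tuples exported from a capture."""
    sent = acked = naked = 0
    for src, dst, payload in packets:
        name = radius_code(payload)
        if (src, dst) == (ise_ip, nad_ip) and name == "CoA-Request":
            sent += 1
        elif (src, dst) == (nad_ip, ise_ip) and name == "CoA-ACK":
            acked += 1
        elif (src, dst) == (nad_ip, ise_ip) and name == "CoA-NAK":
            naked += 1
    if sent == 0:
        return "no CoA-Request from ISE"
    if naked:
        return "NAD rejected CoA"
    if acked == 0:
        return "CoA-Request sent but NAD never answered"
    return "CoA acknowledged"

def pkt(code, ident=1):
    """Constructed sample: minimal 20-byte RADIUS packet with a zeroed authenticator."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

ISE, AP = "192.0.2.10", "192.0.2.20"           # constructed documentation addresses
auth_only = [(AP, ISE, pkt(1)), (ISE, AP, pkt(2))]
with_coa = auth_only + [(ISE, AP, pkt(43, 7)), (AP, ISE, pkt(44, 7))]

if __name__ == "__main__":
    print(coa_verdict(auth_only, ISE, AP))
    print(coa_verdict(with_coa, ISE, AP))
```

The first verdict separates "ISE never sent a CoA-Request" from "the NAD did not answer or rejected it", which point to different sides of the setup.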
02-03-2016 06:05 AM
Unfortunately ISE does not support Autonomous APs for most functions. With Autonomous APs you are able to do basic 802.1x authentication and dynamic VLAN during the initial authentication. Anything that requires a CoA will not work.
I recently worked through this in a lab and those are the only features that will work.
02-03-2016 06:13 AM
That's correct. Those APs don't have the CoA function nor the URL redirection function.
In ISE 2.1 - we plan to release the 2nd phase of "3rd party support" - which should allow this to work, depending on the architecture.
-Aaron
02-03-2016 01:38 PM
I am working on supporting ISE with Autonomous APs. It is in development phase.
And I remember APs used to receive CoAs, and I handled it by responding to CoA in the code.
I even handled url-redirect, and the AP now does url-redirect for its clients.
Now, can someone please help me figure out why my ISE is not sending CoA? CoA is enabled in settings too.
I can share my setup if needed.
Regards,
Rohit Kumar
02-03-2016 04:11 PM
I will contact you offline, unless someone else has already done so.