topic first time CoA in Network Access Control

first time CoA

edondurguti — Mon, 11 Mar 2019 02:25:58 GMT

I have this problem where first time users hit default reject profile because they are not being profiled. They remain unknown until i reconnect. Can this be because of the access point is 1231 converted to lightweight. (it does support change of vlan though). I have CoA set to ReAuth. Still not sure if this is a packet of disconnect issue with that AP. if someone faced this id appreciate the help

Sent from Cisco Technical Support iPhone App

first time CoA

Tarik Admani — Thu, 16 Aug 2012 03:12:35 GMT

If the AP is lightweight then the COA should be processed to the controller. If this is a standalone AP then yes that is the reason why you are facing this issue. For devices that do not support COA (i.e. ASAs and standalone APs) then you consider positioning and inline posture node (ipep) in order to hand the coa services...here is the documentation that covers the basics of the ipep node and how it bridges this limitation:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1198610

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 03:17:02 GMT

Ur a hard working man. I appreciate. No its a lightweight AP. And as I said when they connect first time. They get to be unknown(even with mac only profiling) and they are rejected cuz last default is set to deny. They only need to reconnect and everything is fine. Have u seen this. Ive read about FirstTimeProfile but it doesnt seem to bounce them as it should for some reason. Is there anything that needs to be done?

Sent from Cisco Technical Support iPhone App

Re: first time CoA

Tarik Admani — Thu, 16 Aug 2012 03:25:47 GMT

I understand now. If you have coa set to reauth there is already a built in condition so that when a endpoint is profiled for the first time (goes from unknown to known) then COA is triggered:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555378

What version of ISE are you currently running also what version is your controller? If you are using mac filtering you need to be on WLC version 7.2.110 in order to support coa (radius nac) with mac filtering.

If you dont mind can you post a screenshot of when this occurs, before you reauthenticate and check the endpoint database does it still show as uknown or does it show mapped. In the authentication reports do you see an red entries with dynamic authorization is failing? Does this happen on all SSIDs on this AP?

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 03:43:19 GMT

cisco ise 1.1.1, WLC 7.0.220.0

Yes it adds up as a workstation in the identities after failing, cuz when I reconnect I'm all good, but if i dont reconnect I'm just stuck and eventually after 20 minutes it tries again and it succeeds.

here is a screenshot

P.s Radius State on WLC is None but I've tried both same scenario.

P.s.s I did read that link before I posted :}

Re: first time CoA

Tarik Admani — Thu, 16 Aug 2012 04:16:43 GMT

Hmm,

Do you have the AAA override set on the controller? It seems as if everything is working fine on the controller side but when the coa hits it seems as if the endpoint is matching the Profiled:Workstation endpoint group that is why you hit the deny access policy. Are you profiling these endpoints using the dhcp attribute?

Can you post a screenshot of your authorization policies.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 04:25:03 GMT

Tarik,

yes I do have AAA override on the WLC,

here is the screenshot:

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 04:30:58 GMT

if you noticed on my first screenshot the profiled workstation is matched with permit access after I reconnect.

I do use DHCP option for profiling but I've tried even with mac address where I added mac attributes to WORKSTATION profile for example if mac CONTAINS OUI = Intel = Workstation still the same.

Re: first time CoA

Tarik Admani — Thu, 16 Aug 2012 04:36:10 GMT

Hi,

Do you have the radius probe enabled? Please enable it if you dont,it should speeds things up if ISE can profile the endpoint using the calling station id, instead of waiting for the dhcp traffic to arrive after authentication succeds.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 04:41:30 GMT

I do have it enabled, I am currently at home will go to work tomorrow and try.

how do I differentiate between calling station ID? cuz that's not as a profiling attribute as of right now in the workstation profile. (I'd love to be able to differentiate windows machines through radius)

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 04:47:21 GMT

I see,

It has to be a mac address for calling station ID.

Unforutnately for me i have like 5k and they all start differently, can't match the OUI to it.

I'll see how to figure this out tomorrow at work, thanks for your help.

Re: first time CoA

Tarik Admani — Thu, 16 Aug 2012 04:50:04 GMT

You shouldnt have to configure any profiling policies, internally the ISE node should know the calling station id is the mac address and should roll up in the MACOUI check.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 04:52:35 GMT

I see what you mean, I do understand how it works.

I will try something tomorrow, I think this is only doing it to the laptops not to iDevices as far as I can recall.

I will post updates tomorrow, I have some ideas that I need to try out.

I highly appreciate your help

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 13:18:50 GMT

Nope it does same thing even for iDevices, maybe a TAC case?

first time CoA

Tarik Admani — Thu, 16 Aug 2012 15:16:03 GMT

Hi,

Do you have the profiling services still enabled on the deployment page? Before opening a TAC case could you delete the endpoint, enable the profiler component to trace (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1054671), reproduce the issue and then download the profiler.log file (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wpxref46056)

attach it here and take another screenshot of the first authentication, the COA request and then when you reattempt the connection and match the profile. (also download the log after you follow all these steps).

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 15:46:21 GMT

I do have profiling enabled

here are the files

btw, do i need to do debugging from secondary ( cuz the secondary node is set as the primary monitoring role)

https://dl.dropbox.com/u/75261564/ise.logs.zip

first time CoA

Tarik Admani — Thu, 16 Aug 2012 15:49:21 GMT

Hi,

We are taking the logs from the node itself, the monitoring node is for the authentications.

Thanks,

Tarik Admani
*Please rate helpful posts*

first time CoA

edondurguti — Thu, 16 Aug 2012 15:50:21 GMT

done,

got it from the primary are you able to download the files?

Re: first time CoA

Tarik Admani — Thu, 16 Aug 2012 15:56:07 GMT

I downloaded them, do you have a screenshot of the timeframe on when you reproduced the issue?

I would like get the timestamps and mac on when you attempted it.

disregard, i just opened the zip file.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: first time CoA

edondurguti — Thu, 16 Aug 2012 15:57:39 GMT

they are on the sides for authorization, it's all withing 3 minutes