ASA - ISE COA communications

Robertus Bleeker — Fri, 01 Feb 2019 21:30:26 GMT

Greetings,

The following question is related to the RADIUS communication between an ASA and ISE for CoA:

I am working with a customer who has a requirement to combine authorization attributes from both ISE (posture requirements) and Radiator (VLAN assignment) into a single RADIUS AAA response. Ideally we would like ISE to be the primary RADIUS server with Radiator as an external RADIUS server. However, it is our understanding that ISE cannot combine internal/external authorization attributes (either pass (proxy) on authorization attributes from external RADIUS or ignores attributes from the external RADIUS server and invoke ISE authorization attributes).

We would like to setup a test environment with Radiator as the primary RADIUS Server and ISE as the external RADIUS server. Any (posture-related) attributes from ISE will be passed on to the Radiator which will augment this with additional attributes (VLAN) and forward this to the ASA.

Question: What information does ISE use to identify the correct NAD (ASA) when sending a CoA? Does it use a RADIUS attribute ('Called-Station-ID" or "NAS-IP-Address) or the original IP address from the UDP packet?

Regards,

Rob

Re: ASA - ISE COA communications

Mohammed al Baqari — Fri, 01 Feb 2019 21:45:18 GMT

NAS-IP-Address is used. The source IP can be different if you nat the
packet, for example (which I haven't seen before to have radius behind nat).

Re: ASA - ISE COA communications

Mike.Cifelli — Sat, 02 Feb 2019 13:33:05 GMT

As Mohammed stated, it will use the NAS-IP-Address since the network device (ASA) is responsible for being the authenticator during the process that will ultimately grant access & authorize the supplicant based on your posture status conditions configured in ISE.

topic Re: ASA - ISE COA communications in Network Access Control

ASA - ISE COA communications

Re: ASA - ISE COA communications

Re: ASA - ISE COA communications