topic Re: CSCvg88945 CoA on Reprofile Still Not Fixed in Network Access Control

CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Thu, 09 Aug 2018 18:20:14 GMT

This bug has gone on for so long and it is key concept that has to work in ISE. If there is a profile change and I have CoA set globally to Reauth or specifically set on the profile to Reauth ISE has to send out a CoA.

I am testing this with 2.4 and it still doesn't work. If things go from unknown to anything that works, but when there is a profile change say from Cisco-Device to Cisco-IP-Phone it doesn't work.

In particular, I have IND integrated with ISE setting custom endpoint attribute tags that allow be to switch SGT tags based on these attributes. Profiling with these attributes is working perfectly. As soon as I change the security tag in IND the profile changes in ISE, but no CoA is sent. If I manually CoA life it good.

You might say well what about the silly exception action work around. That does work for the first flip, but then the profile is statically set and no more profiling can occur for that MAC. So when I switch it back in IND it doesn't reprofile.

Can I get an accurate status of this bug or get it reclassified as not fixed? If the devs need someone to truly test out a fix for them I am willing to do that.

</vent mode>

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

thomas — Thu, 09 Aug 2018 22:46:30 GMT

2.3.0.903 means 2.3 Patch 3.

2.4.0.357 is the FCS of ISE 2.4.

Please call TAC if you want to troubleshoot with ISE 2.4 and re-open the bug.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Thu, 09 Aug 2018 22:53:23 GMT

It wasn’t working in 2.3 patch 3 either. I will open a TAC case. I would love to know how the devs tested this.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

umahar — Fri, 10 Aug 2018 20:19:53 GMT

Will this bug also affect if we change static identity group ?

I tried to showcase quarantine behaviour of ISE by moving and endpoint to blacklist but I did not see any CoA issued.

However it was working on 2.2 just fine.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

Damien Miller — Fri, 10 Aug 2018 20:30:33 GMT

I've noticed something similar in 2.4. If I change the static identity group for an endpoint, I have to go clear the auth manually or do a reauth from the endpoint db page. COA is definitely working. Haven't had time to look deeper.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

hslai — Fri, 10 Aug 2018 21:19:41 GMT

This issue has been escalated and Krishnan is engaging our engineering team.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Fri, 10 Aug 2018 22:33:19 GMT

I will test on 2.4 patch 2 this weekend. My IND customer has a TAC case open on it, 685006752. If I see the issue still on patch 2 with my large customer I can open a TAC case as well. Or because you have been able to recreate the issue Hsing is there a need to open a TAC case?

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Fri, 10 Aug 2018 22:40:19 GMT

It might affect that as well. I usually show case ANC Policy assignment for doing things like blacklisting. ANC policy was working last time I tested and doing the CoA, but haven't tested in 2.4. I can do that this weekend as well.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Mon, 13 Aug 2018 00:40:35 GMT

Hsing,

I have upgraded to patch 2, but need to do some testing after I resolve my live session issue. I have a TAC case open on why I don't see live sessions. That could be affecting my CoAs as well. I am still seeing inconsistent results.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

Justin Walker — Tue, 14 Aug 2018 17:32:59 GMT

I'm seeing the same thing on a 2.4 patch 1 deployment today. I thought I was going crazy for a bit until I saw this thread.

I was trying to use IP address in one of my profiling policies, which was correctly changing the profile for the device after it got an IP address from DHCP but the device was stuck on my Monitor-Mode-MAB authz rule.

What I've seen today:

1. Workstation connects > Profiled as Microsoft-Workstation > Static Set Corp-Printer Policy > No CoA

2. Printer connects > Profiled as Cannon-Device > Re-Profiled as Corp-Cannon-Device > No CoA

3. Security Device Connects > Unknown Device > Profiled as Corp-Security-Device > CoA reauthorizes session

Anytime it matches an existing Cisco profile first, the re-profiling works but it doesn't respect the global profiling CoA Reauth settings. I even tried to set the CoA Reauth in the profile itself without any success.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Tue, 14 Aug 2018 17:37:19 GMT

Actually I think the only time CoA works is if it goes from Unknown to something else. If it goes from another to another profile I am not CoAs not matter if I do global or profile based CoAs.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

Justin Walker — Tue, 14 Aug 2018 17:44:28 GMT

Oh your right, I agree with your statement above.

It's pretty frustrating when you're expecting it to just work when doing a bunch of profiling rule build out. 🙂

I opened a case with TAC as the accepted answer recommends. Thankfully for troubleshooting purposes its pretty easy to replicate the issue.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Mon, 27 Aug 2018 12:40:05 GMT

I am going to get a TAC case open today. It is definitely broken and has cause a major customer of mine an issue. So there will be some pressure to get this fixed.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

hslai — Mon, 27 Aug 2018 14:00:11 GMT

Yes, please do open a TAC case. And, focus on the new issue that ISE profiling CoA requests with this Cisco AVP subscriber:reauthenticate-type=last

If ISE 2.3 not including such option in the same requests, then ask TAC to file a new bug.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Mon, 27 Aug 2018 14:04:05 GMT

The subscriber:reauthenticate-type=last was not an issue like I thought it. I will send you the TAC case after I get it open. I am collecting the support bundle now and putting together a PDF that shows the whole issue.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

yvesmorneau — Fri, 31 Aug 2018 19:16:38 GMT

We run ise 2.3 patch 3 (2.3(0.903)) and we still get the issues.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Sat, 01 Sep 2018 02:39:05 GMT

CSCvm22838 is the new bug to track this fix. It is not visible yet. Putting as much pressure from lots of angles to finally get this fixed. It is a critical feature in ISE that has been broken far too long.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

Justin Walker — Mon, 17 Sep 2018 13:17:21 GMT

My open TAC case was also linked to CSCvm22838. TAC said 2.4 patch 4 for targeted release for a fix and tentative early October time frame for release.

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

Justin Walker — Thu, 11 Oct 2018 14:09:45 GMT

Well, 2.4 patch 4 has been released and no fix was included. Not only that, a couple of the TAC cases i have involving the issue have been asked to provide additional evidence of issues with the CoA after reprofile.

The easiest way I've been able to reproduce it (maybe its the only method doing it), is to set an IP Address condition in a new profile. The delay in the IP Address information being sent to ISE is just enough that a CoA action has to take place for the device to be authorized. The profile will match correctly, but the CoA is never sent.

Between the cases i have opened, the following bugs have been referenced... all terminated:

CSCvg88945
CSCvm22838
CSCvk25516

Anyone else having these issues, or made any progress with TAC?

Re: CSCvg88945 CoA on Reprofile Still Not Fixed

paul — Thu, 11 Oct 2018 14:20:58 GMT

Yes, the using IP address in a profile is a classic problem with the CoA on reprofile not working. The issue is worse when you use a profile because when ISE receives a RADIUS stop message it will remove the IP address from the endpoint causing it to reprofile. So the next time it connects it will hit the wrong rule and be stranded again.

I have a very high profile case on this. We are pushing the Devs from the Cisco sales side as well.