topic CoA Terminate in Hotspot portal is not initiating DHCP refresh in Network Access Control

CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Thu, 16 Mar 2017 22:17:58 GMT

Hi,

I have configured my hotspot portal to send CoA terminate so that I could push guest on Wired to different VLAN but I dont see a session terminated of wired endpoint and the endpoint do not refresh their IPs in the new VLAN.

Is CoA Terminate same as CoA PortBounce ?

It does not look like from the packet capture as it does not have port-bounce cisco AVP attribute.

When I issue a CoA Port Bounce from ISE the endpoints come in the correct IP range.

I know that in the past Jason has mentioned that Vlan change is not recommended in guest portals due to inconsistency but I thought CoA Terminate should still be able to bounce the port.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Jason Kunst — Fri, 17 Mar 2017 15:29:43 GMT

Investigating

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Fri, 17 Mar 2017 15:37:31 GMT

Attached are also the packet captures for CoA PortBounce and CoA Terminate.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Craig Hyps — Fri, 17 Mar 2017 16:33:25 GMT

Correct. Terminate will not trigger IP refresh as host without agent/supplicant will not detect without link state change. If willing to send port bounce in all cases where session terminate is normally sent, then it would be possible to manipulate the NAD profile used for these wired switches so that terminate always results in port bounce.

Craig

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Jason Kunst — Fri, 17 Mar 2017 16:35:13 GMT

The key use case was wireless hotspot issues present before ISE 2.1 patch 1. The problem was that we would send a terminate after accepting an AUP. This caused the device to go through and scan SSID list and DHCP over and took upwards of 30 seconds. If there was a more preferred network higher in the scan list then it would try to connect to that instead. We added the ability in hotspot portal to send a re-auth which alleviated this problem.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Fri, 17 Mar 2017 18:25:47 GMT

Thanks Craig. Which of the below options should I change for Terminate to send Port Bounce ?

Also do you think there are any disadvantages of making this change which could affect some other areas ?

It is for a big ISE/TrustSec customer so want to make sure that we dont break any working scenario.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Fri, 17 Mar 2017 18:29:38 GMT

Jason I am testing this in wired and hence I do not see any difference in the behaviour between CoA Reauth and CoA Terminate. Even the packet captures of CoA Disconnect seem similar.

How are you telling the WLC to behave differently between these two options ?

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Jason Kunst — Fri, 17 Mar 2017 18:32:55 GMT

I am not telling the WLC to behave differently, its up to the hotspot portal to send a re-auth or disconnect, sorry it doesn’t work the same for wired side. It would be a nice enhancement to set this per portal. I know craig has some enhancement ideas around that

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Craig Hyps — Fri, 17 Mar 2017 18:50:12 GMT

You would need to duplicate the Cisco profile and assign it to the NAD in question. The tricky part is that you need to make sure you set this NAD Profile in the AuthZ Profile. AuthZ Policy Rule must then reference this profile. By disabling RFC5176 option under Disconnect you will cause all request for terminate to be sent using port bounce.

You would need to test your various use cases that entail CoA session terminate to assess impact. For wireless, session terminate should be sufficient to terminate connection and force DHCP. For wired you need bounce without supplicant to detect VLAN change. However, if port bounce all terminate, then need to expect client to start from square one on each terminate. That may be desired behavior, but need to test your wired use cases.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Fri, 17 Mar 2017 19:15:09 GMT

I disabled the Disconnect option but the CoA request was sent using disable-host-port and the port was disabled.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Craig Hyps — Fri, 17 Mar 2017 19:24:50 GMT

There are three Disconnect options in sequence of priority:

1) RFC5176

2) Port Bounce

3) Port Shutdown

If #2 is properly configured and #1 unchecked, then Port Bounce should be sent on Session Terminate. If you properly see #1 when enabled but #3 occurs when #1 disabled, then sounds like a defect. You could just change the definition for #1 to include port-bounce.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Fri, 17 Mar 2017 20:56:39 GMT

Thanks for the logic Craig.

After playing around with it a couple of times I am able to send port bounce attributes (verified by packet captures) by disabling RFC5176 and also by having it identical to Port Bounce.

However the session is behaving as a normal disconnect/reauth and there is no port bounce

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Craig Hyps — Fri, 17 Mar 2017 21:46:52 GMT

Then sounds like an issue with switch not properly processing port-bounce request. If able to see port bounce with REST API or sending from Admin UI with exact same directive, then expect there may be some issue with your syntax under CoA config of NAD profile.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Vladislav Atanasov — Wed, 29 Mar 2017 11:16:38 GMT

I am testing the similar scenario.

The switch I use is 3750V2-24PS.

What I see in ISE live log is:

Steps

	11202	Received disconnect and port shutdown dynamic authorization request
	11217	Prepared the disconnect dynamic authorization request
	11100	RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )
	11101	RADIUS-Client received response

This makes me thin that the issue is in the ISE itself and not in the switch.

Could you comment?

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Wed, 29 Mar 2017 13:30:33 GMT

Try and run debug CoA on the switch.

When I use the customization recommended by Craig I get the below output on the switch.

When I try to issue CoA Portbounce from Live sessions I get the below output

It looks like the switch is not able to parse the customized CoA port-bounce.

What's strange is both the packet captures show the same AVP.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

Craig Hyps — Wed, 29 Mar 2017 14:21:42 GMT

May be time to open TAC case.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Wed, 29 Mar 2017 15:55:47 GMT

Craig,

I take back that both packets are same when I manually edit the RFC5176 to include 'disable-host-port' AVP.

What I missed is the difference in CoA Code.

The CoA port bounce form Live Sessions look like

The CoA port bounce with customized AVP looks like

I think once the switch receives a CoA with code 40 it thinks it is a RFC disconnect-request and does not look into the Cisco AVP pairs to find the 'port-bounce' AV pairs.

I opened a TAC case who will recreate this in lab and probably file a bug.

I'll still try to make this work by disabling RFC5176 option.

However I am seeing inconsistency in this approach as the ISE is sending 'disable-port-host' sometimes instead of 'host-port-bounce' which could be very dangerous to implement in production.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

ajc — Mon, 23 Oct 2017 19:20:00 GMT

hi utkarsh,

I am just exploring the situation you posted but I could not find the ISE configuration part with the "disconnect" options. Could you please provide the path to this option?

thanks

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

hslai — Mon, 23 Oct 2017 19:54:52 GMT

In case you are asking about the AVP, that would be in the NAD profile as Craig responded on Mar 17, 2017 11:50 AM.

For the CoA option in ISE hotspot portals, you would need ISE 2.1 Patch 1 or above. Below shows a screenshot from ISE 2.2. CoA Terminate is the disconnect option.

Re: CoA Terminate in Hotspot portal is not initiating DHCP refresh

umahar — Mon, 23 Oct 2017 21:30:43 GMT

Change of vlan is not generally recommended because port is not bounced and no new dhcp is issued.

We are using macros to achieve port bounce instead of CoA

Thanks,

Utkarsh