https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3204000#M551703 <P>I've been triggering the CoA by going to the Adaptive Network Control settings on the Primary Admin node and then (trying to!) quarantine the Client that way by entering the Client's MAC Address.&nbsp; In the real world it will come from FirePower via pxGrid, but that way doesn't work either at the moment (same error messages coming back from the switch).</P> Tue, 24 Oct 2017 06:10:53 GMT RichardAtkin 2017-10-24T06:10:53Z https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3203714#M551695 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RADIUS Attributes in Config VS Packet Trace" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/2370i836E934955EF59E4/image-size/large?v=v2&amp;px=999" role="button" title="Trace1.png" alt="RADIUS Attributes in Config VS Packet Trace" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">RADIUS Attributes in Config VS Packet Trace</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Switch is added to TEST Device Profile" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/2369iE986833540FC4C70/image-size/large?v=v2&amp;px=999" role="button" title="Config1.png" alt="Switch is added to TEST Device Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Switch is added to TEST Device Profile</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Error logs from ISE" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/2368i28E722FA3A4058DB/image-size/large?v=v2&amp;px=999" role="button" title="Log1.png" alt="Error logs from ISE" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Error logs from ISE</span></span></P> <P>Evening..</P> <P>&nbsp;</P> <P>I have a problem with ISE.&nbsp; I'm using ISE 2.3 (not patch 1 yet) and we're running Adaptive Network Control against some HP switches.&nbsp; I've been around the mill with the attributes it needs and I'm sure I've got that cracked now, but it still doesn't work.&nbsp; I ended up doing a packet trace and it looks like ISE isn't sending the attributes that are configured for it.</P> <P>&nbsp;</P> <P>Above screenshots show what I've configured VS what ISE is actually transmitting...</P> <P>&nbsp;</P> <P>I assume its either a bug or I've done something daft somewhere... any tips please!?</P> <P>&nbsp;</P> <P>Cheers.</P> Fri, 21 Feb 2020 18:36:44 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3203714#M551695 RichardAtkin 2020-02-21T18:36:44Z https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3203889#M551700 <P>When dealing with custom device profiles (like your 'test' derivative of an HP Profile) I have come across some funnies too.&nbsp; But not CoA related.&nbsp; In my case I had forgotten to attribute the custom profile to my Authorization Profile (default=Cisco).&nbsp; Once I did that, the thing worked.</P> <P>&nbsp;</P> <P>In your case it looks a bit suspect (like a bug) - but how do you trigger the CoA?&nbsp; Via the PAN Context GUI?&nbsp; I can see Cisco AVPairs in that CoA and that should not be the case.&nbsp;</P> Mon, 23 Oct 2017 22:40:26 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3203889#M551700 Arne Bier 2017-10-23T22:40:26Z https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3204000#M551703 <P>I've been triggering the CoA by going to the Adaptive Network Control settings on the Primary Admin node and then (trying to!) quarantine the Client that way by entering the Client's MAC Address.&nbsp; In the real world it will come from FirePower via pxGrid, but that way doesn't work either at the moment (same error messages coming back from the switch).</P> Tue, 24 Oct 2017 06:10:53 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3204000#M551703 RichardAtkin 2017-10-24T06:10:53Z https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3204062#M551705 <P>I've been looking closer at the Cisco AV Pairs that ISE is sending and they match with the default 'Cisco' device profile.&nbsp; So, I think ANC instructions sent from ISE are just using their default Cisco Device Profile settings instead of using the custom device profile attributes that I've associated with the switch.</P> <P>&nbsp;</P> <P>I've rebooted ISE - no change.&nbsp; Deleted and re-created the switch as a NAD - no change.</P> <P>&nbsp;</P> <P>Next step is to try 2.3 patch 1, but the release notes don't say anything about it.</P> <P>&nbsp;</P> <P>After that? TAC...</P> Tue, 24 Oct 2017 08:37:37 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3204062#M551705 RichardAtkin 2017-10-24T08:37:37Z https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3205358#M551707 <P>I think you've done more than your homework already!&nbsp; Yes, TAC case is next step.&nbsp; Maybe you have found a new bug.</P> <P>I have created over 20 TAC cases since July of this year and half of them resulted in new bug ID's.&nbsp; The product is riddled with bugs.&nbsp; It's not really fit for "off the shelf" usage without a lot of hand holding from the TAC.&nbsp;</P> <P>&nbsp;</P> Thu, 26 Oct 2017 00:03:26 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-apative-network-control-problem/m-p/3205358#M551707 Arne Bier 2017-10-26T00:03:26Z