topic Re: ISE 2.0, COA and profiling access points on switch in Network Access Control

ISE 2.0, COA and profiling access points on switch

trondaker — Fri, 21 Feb 2020 18:33:26 GMT

Hi,

We want to dynamically profile access-points on 2960-switches when they are plugged in to a standard port. Were using 1832i and 2702i. The profiling seems to work fine, they access-point is profiled with the correct endpoint profile, and gets put into the right identity group. The problem is however that MAB happens first, so the access-point goes into a quaratine VLAN. I have attached a COA Port bounce to this profile, but it doesnt seem to happen. If i cant bounce the port, i cant get the access point into the vlan tied to the identity group.

Anyone have a clue as to why i cant bounce the port? The device sensor and ISE seems to be doing everything right as to classification - the question is, is it possible to get ISE to assign vlan as it profiles the device? Because here it seems MAB happens before ISE is done profiling, and then its too late, at least if the port wont bounce.

Port config:

switchport mode access
authentication event fail action authorize vlan 666
authentication event no-response action authorize vlan 666
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
spanning-tree portfast

Global:

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

device-sensor accounting
device-sensor notify all-changes

dot1x system-auth-control

radius-server vsa send accounting

Re: ISE 2.0, COA and profiling access points on switch

Mohammed al Baqari — Mon, 04 Sep 2017 13:10:53 GMT

You don't see to have CoA on your 2960 switch. Depending on your switch IOS, it might not support CoA.

Sample config:

aaa server radius dynamic-author
client 10.10.10.10 server-key *******
server-key *******

Check cisco feature navigator to see if your IOS version on 2960 supports CoA

Re: ISE 2.0, COA and profiling access points on switch

trondaker — Mon, 04 Sep 2017 17:52:12 GMT

Thanks for your reply! That is indeed missing, adding it now and testing tomorrow. This is a 2960X, but also need it on a 2960+, seems to have the command in our current IOS at least.

But is this way of doing it correct? Or is it possible to do this without bouncing the port?

Re: ISE 2.0, COA and profiling access points on switch

Mohammed al Baqari — Mon, 04 Sep 2017 18:30:15 GMT

Ideally once you connect the AP it will profiled as cisco device since its 1st time seen. ISE will then trigger nmap scan along with other checks. once all the checks completed and ap is detected (e.g. aironet 2600) ise will trigger coa for the switch to reauthenticate the device and assign the corresponding policy.

So port bouce not required generally. now i have seen cases where this automation doesn't take place and port bouce needed. So use it as fallback.

Please remember to rate useful posts