topic Re: CTS-enabled C9500 ignores ISE' CoAs in Network Access Control

CTS-enabled C9500 ignores ISE' CoAs

Andrii Oliinyk — Wed, 07 Jul 2021 07:08:25 GMT

Gents

C9500 runs 16.12.4. switch CTS&CoA enabled:

CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-00:SGT_CTS_DEVICE
Server List Info:
Installed list: CTSServerList1-0006, 3 server(s):
*Server: 10.100.5.62, port 1812, A-ID ID1
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.101.5.60, port 1812, A-ID ID2
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.101.5.62, port 1812, A-ID ID3
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
0-00:Unknown
2-00:SGT_CTS_DEVICE
Environment Data Lifetime = 86400 secs
Last update time = 06:53:16 UTC Wed Jul 7 2021
Env-data expires in 0:23:59:19 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:19 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running

aaa server radius dynamic-author
client 10.100.5.62 server-key <PSK>
client 10.101.5.62 server-key <PSK>
client 10.101.5.60 server-key <PSK>

Advanced TrustSec Settings have "Send configuration changes to device" checked with CoA

everytime CTS on the switch gets refreshed one of the ISEs sends CoA to switch. & switch fully ignores it (No NACK/No ACK). CoAs r confirmed as delivered to switch with packet capture.
Any ideas?

Re: CTS-enabled C9500 ignores ISE' CoAs

andrewswanson — Fri, 09 Jul 2021 15:22:08 GMT

You mentioned that your "Advanced TrustSec Settings have "Send configuration changes to device" checked with CoA". Underneath this setting you specify which ISE node to send the CoA from (on ISE 2.4 anyway). Is this set to one of the ISE nodes you have configured as dynamic author on the switch? I had a similar issue as you - I found that I had configured the PSNs as dynamic-author but was sending CoA from a PAN.

hth
Andy

Re: CTS-enabled C9500 ignores ISE' CoAs

Andrii Oliinyk — Fri, 09 Jul 2021 15:42:23 GMT

Hi Andy

i appreciate your input. In fact in cube of interest (SW 2.1) there is no option to select node. What i've passed throu was noticing that one of my PSNs (one both configured rad-server group & as dynamic authZ client also configured as AAA server in TrastSec components) have been sending CoA ignored by switch. Then i've removed it from all the mentioned sections & found PAN has started to send CoA (obviously it was not in either rad-server group or dynamic authZ list). But when i added it to just dynamic authZ list issue disappeared. So far case with PSN looks quite wierd.