https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4786941#M580234 <P>Using Cisco AAA (Cisco prime Access registrar 9.2) and Juniper BNG, PoD is working find. With CoA 99% of times getting the error code 503: Session context not found. I have similar NAC configurations as yours. What could be wrong? Appreciate your response.</P> Fri, 03 Mar 2023 23:46:42 GMT szafar 2023-03-03T23:46:42Z https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4130553#M562111 <P>I recently worked with a customer that is deploying Juniper EX switches with their existing ISE 2.6 cluster for NAC. We found that the currently available Network Device Profile for Juniper EX switches did not provide the ability to perform CoA actions against an active session.<BR />After working with the customer and their Juniper resources, we confirmed that the Juniper switches being deployed do support the Cisco AV-Pair for 'subscriber:command=reauthenticate' to provide for basic CoA Reauth. Based on the customer testing, I have updated the XML file and attached it here for others to use. Please note that the Juniper switches do not support the additional Cisco AVP attributes for 'rerun' and 'last' so all three Re-authenticate attributes (Base, Rerun, Last) use only the single AV-Pair. As such, all three CoA actions have the same result.</P> <P>The Juniper resource also confirmed that the Juniper switches being deployed support CoA Port-Bounce based on <A href="https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html#id-understanding-radius-initiated-changes-to-an-authorized-user-session" target="_self">this document</A>. ISE does not have a default Dictionary for this AVP, so it requires manually adding the attribute and updating the Network Device Profile to use it (I could not include this in the attached XML as the import fails with a 'validation error' without the Dictionary being added first).</P> <P><EM><STRONG>Add the Dictionary:</STRONG></EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-08-05 at 12.35.59 pm.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/80820i2E9F04A18314231C/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-08-05 at 12.35.59 pm.png" alt="Screen Shot 2020-08-05 at 12.35.59 pm.png" /></span></P> <P><STRONG><EM>Update the Juniper Network Device Profile:</EM></STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-08-05 at 12.53.05 pm.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/80821i54E7F71156FDEEEB/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-08-05 at 12.53.05 pm.png" alt="Screen Shot 2020-08-05 at 12.53.05 pm.png" /></span></P> <P>&nbsp;</P> <P>This was validated by the customer using the following components:</P> <P>ISE 2.6 patch 6</P> <P><SPAN>Hardware EX4300-48P</SPAN></P> <P><SPAN>Junos:18.4R2-S2</SPAN></P> <P>&nbsp;</P> <P><SPAN>The NAC-related configuration provided by the Juniper resources was:</SPAN></P> <PRE>set access radius-server &lt;ip&gt; dynamic-request-port 3799 set access radius-server &lt;ip&gt; secret &lt;secret&gt; set access profile 8021x-auth accounting-order radius set access profile 8021x-auth authentication-order radius set access profile 8021x-auth radius authentication-server &lt;ip&gt; set access profile 8021x-auth radius accounting-server &lt;ip&gt; set access profile 8021x-auth radius options nas-port-type ethernet ethernet set access profile 8021x-auth radius-server &lt;ip&gt; port 1812 set access profile 8021x-auth radius-server &lt;ip&gt; dynamic-request-port 3799 set access profile 8021x-auth radius-server &lt;ip&gt; secret &lt;secret&gt; set access profile 8021x-auth radius-server &lt;ip&gt; source-address &lt;src-ip&gt; set access profile 8021x-auth accounting order radius set access profile 8021x-auth accounting accounting-stop-on-failure set access profile 8021x-auth accounting accounting-stop-on-access-deny set access profile 8021x-auth accounting coa-immediate-update set access profile 8021x-auth accounting update-interval 30 ! set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from source-prefix-list MGMT_PREFIX set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from source-prefix-list NSM_PREFIX set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from protocol udp set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from destination-port 3799 set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then policer radius-policer set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then count radius_coa set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then accept</PRE> <P><SPAN>I hope this helps others looking at a similar deployment.</SPAN></P> Wed, 05 Aug 2020 05:02:16 GMT https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4130553#M562111 Greg Gibbs 2020-08-05T05:02:16Z https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4133230#M562242 Thank you Greg! This is a great contribution! Mon, 10 Aug 2020 17:55:25 GMT https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4133230#M562242 thomas 2020-08-10T17:55:25Z https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4629447#M575387 <P>Thank you Greg</P> Fri, 10 Jun 2022 09:27:45 GMT https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4629447#M575387 JPavonM 2022-06-10T09:27:45Z https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4786941#M580234 <P>Using Cisco AAA (Cisco prime Access registrar 9.2) and Juniper BNG, PoD is working find. With CoA 99% of times getting the error code 503: Session context not found. I have similar NAC configurations as yours. What could be wrong? Appreciate your response.</P> Fri, 03 Mar 2023 23:46:42 GMT https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4786941#M580234 szafar 2023-03-03T23:46:42Z https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4945864#M584773 <P>Hi,</P><P>I believe, that attribute name of item 52 is "Juniper-AV-Pair". Value Port-Bounce seems to be OK. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;<A href="https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/802-1x-authentication-switching-devices.html" target="_blank">https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/802-1x-authentication-switching-devices.html</A></P><P>Jozef</P> Mon, 23 Oct 2023 08:49:25 GMT https://community.cisco.com/t5/network-access-control/juniper-ex-network-device-profile-with-coa/m-p/4945864#M584773 jozefklacko 2023-10-23T08:49:25Z