topic Re: ISE sending CoA-requests for reauthentication in Network Access Control

ISE sending CoA-requests for reauthentication

pontusd — Thu, 14 Sep 2023 06:54:14 GMT

Hi,
I have a problem with Cisco ISE 2.7 guest access. I can see in live logs that clients have been authenticated correctly but after every successful authentication ISE sending a CoA-request for reauthentication. This is happening every 5 seconds and keeps going forever. In this case we have Cisco ISE acting radius for an Aruba Wireless network.

Re: ISE sending CoA-requests for reauthentication

ahollifield — Thu, 14 Sep 2023 12:23:16 GMT

This is expected behavior to make sure the client has access to the network after a successful portal login.
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-ise-captive-portals-with-aruba-wireless/ta-p/4633904

Re: ISE sending CoA-requests for reauthentication

pontusd — Thu, 14 Sep 2023 13:15:23 GMT

Ok I see,
But we still have problem with clients that constantly being connect and disconnected from the guest wifi every 5-10 second (same time as the CoA-requests). Do you think this is an ISE problem or Aruba problem?

Re: ISE sending CoA-requests for reauthentication

ahollifield — Thu, 14 Sep 2023 14:26:16 GMT

Right after they join? Or constantly? I'm possible to say. Are you using the Aruba network device provfile in the article I linked? That NDP is much more modern than the one provided natively in ISE. Is this IAP? Mobility Controller on AOS8.x? Gateway on AOS10? Aruba Central?

Re: ISE sending CoA-requests for reauthentication

Arne Bier — Thu, 14 Sep 2023 21:33:58 GMT

@pontusd - if you perform a tcpdump on the PSN that the Aruba WLC is using, you might get some extra clues. Does the Aruba send any RADIUS Accounting to ISE?

Re: ISE sending CoA-requests for reauthentication

pontusd — Fri, 15 Sep 2023 07:07:58 GMT

yes I am using the custom Aruba network profile in ISE, we are using IAP without controller or Aruba Central, just virtual controller on the APs with AOS8.
The clients flapping between connected/disconnected constantly after the first successful portal authentication.

Re: ISE sending CoA-requests for reauthentication

pontusd — Fri, 15 Sep 2023 07:12:39 GMT

Doesn't see any interesting in the TCP dumps. Yes I had accounting ON at the Aruba SSID configuration. I turned it off now and I it seems to be better. But the problem with connect/disconnect still exists of course.

Re: ISE sending CoA-requests for reauthentication

ahollifield — Fri, 15 Sep 2023 10:52:33 GMT

Accounting should be enabled for proper ISE session/license management.

Re: ISE sending CoA-requests for reauthentication

ahollifield — Fri, 15 Sep 2023 10:53:07 GMT

So is this driven by CoA packets from ISE or not? ISE should only be sending one CoA. Do you have ISE defined as a Dynamic Authorization server on the IAP?

Re: ISE sending CoA-requests for reauthentication

pontusd — Tue, 19 Sep 2023 12:21:01 GMT

Yes ISE is defined as Dynamic Authorization server on IAP. We have seen that the problem only exists when clients using an BYOD MAC-group in ISE (still using guest wifi), but when clients using Guest Portal on ISE it works fine. Check my Authorization profiles below.

Aruba client logs:

deauth Sapcp Ageout (internal ageout) (seq num 0)

deauth Denied; Ageout (seq num 0)