topic Re: Cisco ISE and Switch in Network Access Control

Cisco ISE and Switch

wayne loh — Sat, 05 Oct 2024 10:46:33 GMT

Hi All,

I have weird issue recently on Cisco ISE and need to seek for some advise. I have deployed the Cisco ISE and switches to adapt the dot1x and mab authentication. however I notice each authorization policy changes will not immediately take effect, even after some period of time and i need to shut the port/interface and no shut again in order for it to work.

Anyone facing such issue or did I miss any configuration?

Thanks

Re: Cisco ISE and Switch

Flavio Miranda — Sat, 05 Oct 2024 12:51:05 GMT

@wayne loh

This is configuration related. Look for COA port bounce. I am sharing this link for reference but pretty for there will be plenty.

https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html#GUID-02AC45FF-2D37-4315-BD85-A88035DDC288

Re: Cisco ISE and Switch

MHM Cisco World — Sat, 05 Oct 2024 13:09:13 GMT

Show authentication session interface x/x

Show authentication session interface x/x detail

Share this please

Show aaa server

Share these please

MHM

Re: Cisco ISE and Switch

thomas — Sat, 05 Oct 2024 13:14:12 GMT

ISE is a RADIUS protocol server. RADIUS is a request/response protocol upon session initiation or timeout. Policy is not updated in realtime across network devices everytime you make a little change. That would cause a massive spike in your RADIUS traffic everytime you made a change.

Reauthentication should occur when each existing session times out. Are you setting a reauthentication timer or session-timeout in your authorization profile?

Re: Cisco ISE and Switch

wayne loh — Sat, 05 Oct 2024 14:39:22 GMT

Hi Thomas,

Understand that, i dont expect it to be in realtime but the fact is it should update in certain intervals like what you said reauthentication (switch setting or Authz profile), but isnt it the CoA also will be doing this as well to initial the changes to NAD (push) if there is authorization profile changes?

Thanks.

Re: Cisco ISE and Switch

Arne Bier — Sat, 05 Oct 2024 20:27:29 GMT

As Flavio hinted, the issue is most likely the CoA is not configured correctly. Check that the dynamic-authorization on the switch is configured with the IP address of the ISE PSN, and using the same shared secret. Plus, also specify the source interface and a VRF (if used) for RADIUS traffic. Test the CoA via ISE Context Visibility.