https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224131#M348945 <P>At this point all of the end-of sales models will not be getting any significant functionality upgrade. That would include the RADIUS CoA that works with ISE.</P><P>Once a product goes end of sales (as they did back last September), generally any new software releases that come out are for bug fixes.</P> Mon, 14 Jul 2014 22:48:04 GMT Marvin Rhoads 2014-07-14T22:48:04Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224122#M348936 <P>Does anyone know if ASA 9.x code supports <SPAN style="font-size: 10pt;">Change of Authorization (CoA). I have looked through the release notes and can't find anything. </SPAN></P> Tue, 12 Mar 2019 01:51:24 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224122#M348936 jrobey284 2019-03-12T01:51:24Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224123#M348937 <HTML><HEAD></HEAD><BODY><P>It does not yet support it. Last I heard it would be later this year - possibly in 9.2.</P><P></P><P>For now you need to put an ISE IPEP inline to get CoA for VPN users using an ASA headend.</P></BODY></HTML> Thu, 30 May 2013 20:34:08 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224123#M348937 Marvin Rhoads 2013-05-30T20:34:08Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224124#M348938 <HTML><HEAD></HEAD><BODY><P>Is there any update on CoA support on ASA ?</P><P></P><P>Any plans to make CoA feature as open standard ? so that customers having non-Cisco products can benefit from advanced ISE features such as Posture assessment.</P><P></P><P>Regards,</P><P>Akhtar</P></BODY></HTML> Mon, 25 Nov 2013 07:16:19 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224124#M348938 Akhtar Samo 2013-11-25T07:16:19Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224125#M348939 <HTML><HEAD></HEAD><BODY><P>Last I heard, it's still projected for 9.2. Haven't heard the exact date yet.</P><P></P><P>I doubt it would be made an open standard as it is a competitive differentiator.</P></BODY></HTML> Mon, 25 Nov 2013 14:06:27 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224125#M348939 Marvin Rhoads 2013-11-25T14:06:27Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224126#M348940 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P></P><P>The problem in implementing CoA and MAB is when it comes to customers buying ISE and having a multivendor environment (Juniper/Nortel switches) are left with only ISE's authentication functionality on end points. I know they have an option for IPEP but that doesn't make sense for a client having high number of non-cisco switches connected to end points.</P><P></P><P>Regards,</P><P></P><P>Akhtar</P></BODY></HTML> Wed, 27 Nov 2013 10:31:56 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224126#M348940 Akhtar Samo 2013-11-27T10:31:56Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224127#M348941 <HTML><HEAD></HEAD><BODY><P>Ok, so as of 2 days ago, the latest I have heard about the ASA update is 1st Quarter of this year. Now, I will of course take this with a grain of salt, as we have been told this CoA update would be coming for 2 years. Last I had heard before this was by the end of this year.</P><P></P><P>Either way, I just read there is a vulnerability in RADIUS CoA on the ASA? How can there be a vulnerability in something that isn't supported? </P><P><A class="jive-link-external-small" href="http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0655">http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0655</A></P><P></P><P>Maybe I am not thinking of the same thing? </P><P></P><P>But whatever it is, I am still very anxious to get this update working, because having to have the IPN between the ASA traffic and the network has caused a few kinks in my moving our ASA into a firewall role on top of the current VPN role.</P><P></P><P>Thanks,</P><P>Dirk</P></BODY></HTML> Sun, 26 Jan 2014 16:29:06 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224127#M348941 dirkmelvin 2014-01-26T16:29:06Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224128#M348942 <HTML><HEAD></HEAD><BODY><P>I found the same vulnerability when searching for CoA support. Not sure what to make of that. Hoping we get CoA support soon. Is there any reference as to how to this interoperates with ISE and AuthZ rules etc..? What is the use case scenario?</P></BODY></HTML> Tue, 18 Feb 2014 21:53:11 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224128#M348942 Jacob Gibb 2014-02-18T21:53:11Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224129#M348943 <P>Of course it has now been revised to 1st half of this year, sure to slip again to 2nd half.</P><P>Use scenario is, as we are using it today, we have to have a physical ISE (IPN) Inline Posture Node to handle the CoA because that function is not native in the ASA.</P><P>So a user connects with Anyconnect, (and they have Cisco NAC installed), the NAC agent then contacts the ISE policy server to see what rules it needs to check and comply with, then ISE policy server says if you meet these rules then we check what 'group' you belong to, in order to determine what ACL is assigned.</P><P>The planned change will eliminate the need for the IPN and ISE server to be separate devices. Right now the IPN HAS to be physical, and our ISE Policy server is a VM. So when all this is updated we can remove the VM and only have the physical device, but it no longer has to be INLINE for the ASA VPN Posture functions.</P><P>Also, was told that ISE v1.3 will be required in addition to the ASA update.</P><P>So for this to work BOTH need to be released.</P><P>&nbsp;</P> Wed, 12 Mar 2014 14:42:30 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224129#M348943 dirkmelvin 2014-03-12T14:42:30Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224130#M348944 <P>It appears that the CoA is in version 9.2.1. As far as I can tell, the 5500 non-x models stop at 9.1. Is there not going to be a maintenance 9.1 release to include CoA for non-x ASAs?</P> Mon, 14 Jul 2014 22:33:34 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224130#M348944 MARK BAKER 2014-07-14T22:33:34Z https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224131#M348945 <P>At this point all of the end-of sales models will not be getting any significant functionality upgrade. That would include the RADIUS CoA that works with ISE.</P><P>Once a product goes end of sales (as they did back last September), generally any new software releases that come out are for bug fixes.</P> Mon, 14 Jul 2014 22:48:04 GMT https://community.cisco.com/t5/network-security/asa-9-0-support-for-coa/m-p/2224131#M348945 Marvin Rhoads 2014-07-14T22:48:04Z