Rising star

Can ISE send a CoA in an Authorization Profile?

Hello

Customer asked if/how ISE can trigger a CoA in an Authorization Profile.  I can't see how this is done in ISE.

Use case.  Windows user authentication to trigger a VLAN change, using standard Windows supplicant.

They want to be able to bounce a wired port and force the user onto a different VLAN.   The NAS is a Meraki Security appliance and it only listens for 802.1X frames for 8 seconds, and then defaults into a guest VLAN.  By the time the user types in the AD username and password, the device is already in the Guest VLAN.

One option is to disable the Guest VLAN and have the PC hang around in Layer 2 limbo, waiting for the user auth.

But the Meraki docs do mention ISE and CoA ...

https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches

7 REPLIES
Cisco Employee

Re: Can ISE send a CoA in an Authorization Profile?

Not that I know of

You could build a guest portal with a link to

A portal that has a kick off disconnect perhaps? Call the API?

Rising star

Re: Can ISE send a CoA in an Authorization Profile?

I would have to ask Meraki the same question. Perhaps they alluded to the case where profiling is used to switch VLANs.  I believe in that case ISE would send the CoA?  I don't know much about profiling - but this is not what the customer wants.

Contributor

Re: Can ISE send a CoA in an Authorization Profile?

So what you are asking is if it’s possible to switch vlans after authentication? Sounds like the customer wants the default VLAN to be the guest VLAN. Is that the goal here? The desired functionality isn’t clear to me yet.

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Cisco Employee

Re: Can ISE send a CoA in an Authorization Profile?

I don’t see how profiling has anything to do with dot1x failure to mab?

Rising star

Re: Can ISE send a CoA in an Authorization Profile?

I am quoting the Meraki documentation from the URL I mentioned in my opening post.

Now Meraki have sold me the dream ... and they mention ISE is a Radius server (see below).

But they fail to explain how ISE is supposed to achieve this.  That is what I want to know.

How does one marry up the statement above (changing VLAN when auth is 802.1X, and CoA using ISE)?

More Meraki goodness ...

Cisco Employee

Re: Can ISE send a CoA in an Authorization Profile?

If George is correct on the intent, then it does not require CoA at all. VLAN will be a set of tagged attributes included in the matched authorization profile.

ISE profiling has a global CoA Type at [Administration > System > Settings > Profiling] and defaults to No CoA. And, individual profile policies may override for CoA. If it is set to perform CoA and if ISE detects a profiling event that would result in a different authorization policy rule, then ISE will trigger a CoA.

Cisco Employee

Re: Can ISE send a CoA in an Authorization Profile?

Arne,

Yes, of course ISE supports RADIUS CoA. However, CoA does not happen in a RADIUS Authorization. CoA is initiated by the RADIUS server (ISE) asynchronously outside of the authentication request/response based on some other event (administrator, threat, API, etc.).

You may be asking if Meraki supports RADIUS CoA. According to How To: Integrate Meraki Networks with ISE, they do.

A single 8-second timeout is incredibly short for 802.1X as you have found. We suggest 10 seconds x 3 retries as best practice as recommended in How To: Universal IOS Switch Config for ISE, Step 17.

Even if the authentication fell through to a MAB with Guest default, a good desktop supplicant would initiate an EAPoL-Start when the user enters their 802.1X credentials when not in response to an 802.1X EAP challenge which would then trigger the switch to do a RADIUS re-authentication.

If for some reason that is not working, you could potentially try doing a short RADIUS Attribute 27 (Session-Timeout) and 29 (Terminate-Action) to cause a re-authentication for Guest. Keep in mind that this could greatly increase the load on ISE for endpoints stuck in this state.
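The reply above separates two mechanisms: attributes the RADIUS server returns inside the Access-Accept (the tagged VLAN triple, and Session-Timeout plus Terminate-Action to force re-authentication) and a CoA-Request that the server sends on its own later, which the NAS authenticates with the shared secret. The Python below is an added example, not code from this thread or from Cisco or Meraki, and not ISE's implementation; it encodes both forms following RFC 2868 (tagged tunnel attributes) and RFC 5176 (CoA-Request authenticator). The shared secret, VLAN 200 and the 30-second timeout are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS code / attribute numbers used below (RFC 2865, RFC 2868, RFC 5176).
COA_REQUEST = 43
SESSION_TIMEOUT, TERMINATE_ACTION = 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TERMINATE_RADIUS_REQUEST = 1      # Terminate-Action value: re-authenticate
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def avp(attr_type: int, value: bytes, tag=None) -> bytes:
    """Encode one attribute; tagged (RFC 2868) attributes get a leading tag octet."""
    body = (bytes([tag]) if tag is not None else b"") + value
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(body) + 2) + body

def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Tagged Tunnel-* triple that an Access-Accept carries to assign a VLAN.
    Tagged integers are 3 octets after the tag, hence the [1:] slice."""
    return (avp(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:], tag)
            + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)[1:], tag)
            + avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode(), tag))

def reauth_attributes(seconds: int) -> bytes:
    """Session-Timeout (27) + Terminate-Action=RADIUS-Request (29): the NAS
    re-authenticates the session when the timer expires, no CoA involved."""
    return (avp(SESSION_TIMEOUT, struct.pack("!I", seconds))
            + avp(TERMINATE_ACTION, struct.pack("!I", TERMINATE_RADIUS_REQUEST)))

def coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Server-initiated CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the authenticator with the shared secret and
    compare in constant time; reject anything malformed or from a bad secret."""
    if len(packet) < 20:
        return False
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    code, _, length = struct.unpack("!BBH", header)
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)
```

`verify_coa_request(coa_request(7, vlan_attributes(200) + reauth_attributes(30), secret), secret)` accepts the packet only with the same secret; a different secret, a flipped attribute byte or a truncated packet is rejected.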
