Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5114
Views
65
Helpful
38
Replies

CSCvg88945 CoA on Reprofile Still Not Fixed

Go to solution
paul
Level 10
Level 10

‎08-09-2018 11:18 AM - edited ‎08-09-2018 11:20 AM

<vent mode>

 

This bug has gone on for so long and it is key concept that has to work in ISE.  If there is a profile change and I have CoA set globally to Reauth or specifically set on the profile to Reauth ISE has to send out a CoA.  

 

I am testing this with 2.4 and it still doesn't work.  If things go from unknown to anything that works, but when there is a profile change say from Cisco-Device to Cisco-IP-Phone it doesn't work.

 

In particular, I have IND integrated with ISE setting custom endpoint attribute tags that allow be to switch SGT tags based on these  attributes.  Profiling with these attributes is working perfectly.  As soon as I change the security tag in IND the profile changes in ISE, but no CoA is sent.  If I manually CoA life it good.

 

You might say well what about the silly exception action work around.  That does work for the first flip, but then the profile is statically set and no more profiling can occur for that MAC.  So when I switch it back in IND it doesn't reprofile.

 

Can I get an accurate status of this bug or get it reclassified as not fixed?  If the devs need someone to truly test out a fix for them I am willing to do that.

 

</vent mode>

 

 

3 people had this problem
3 Accepted Solutions

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to yvesmorneau

‎08-31-2018 07:39 PM

CSCvm22838 is the new bug to track this fix. It is not visible yet. Putting as much pressure from lots of angles to finally get this fixed. It is a critical feature in ISE that has been broken far too long.


View solution in original post

Go to solution
Justin Walker
Level 4
Level 4
In response to paul

‎09-17-2018 06:17 AM

My open TAC case was also linked to CSCvm22838.  TAC said 2.4 patch 4 for targeted release for a fix and tentative early October time frame for release. 

View solution in original post

Go to solution
paul
Level 10
Level 10
In response to shamax_1983

‎11-13-2018 06:41 AM

Update on this. I am testing a Hotfix provided by the Devs and my testing so far looks good. I have been able to move a device around via reprofiling and CoA are sent every time. Hopefully we will get this fixed once and for all. No word yet on when the official fix will be put into a patch.


View solution in original post

0 Helpful
38 Replies 38

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-09-2018 03:46 PM

 

image.png

 

2.3.0.903 means 2.3 Patch 3.

2.4.0.357 is the FCS of ISE 2.4.

 

Please call TAC if you want to troubleshoot with ISE 2.4 and re-open the bug.

 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to thomas

‎08-09-2018 03:53 PM

It wasn’t working in 2.3 patch 3 either. I will open a TAC case. I would love to know how the devs tested this.
0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to paul

‎08-10-2018 01:19 PM

Will this bug also affect if we change static identity group ?

I tried to showcase quarantine behaviour of ISE by moving and endpoint to blacklist but I did not see any CoA issued.

However it was working on 2.2 just fine.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to umahar

‎08-10-2018 01:30 PM

I've noticed something similar in 2.4. If I change the static identity group for an endpoint, I have to go clear the auth manually or do a reauth from the endpoint db page. COA is definitely working. Haven't had time to look deeper.
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to umahar

‎08-10-2018 03:40 PM

It might affect that as well. I usually show case ANC Policy assignment for doing things like blacklisting. ANC policy was working last time I tested and doing the CoA, but haven't tested in 2.4. I can do that this weekend as well.




0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to paul

‎08-10-2018 02:19 PM

This issue has been escalated and Krishnan is engaging our engineering team.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to hslai

‎08-10-2018 03:33 PM

I will test on 2.4 patch 2 this weekend. My IND customer has a TAC case open on it, 685006752. If I see the issue still on patch 2 with my large customer I can open a TAC case as well. Or because you have been able to recreate the issue Hsing is there a need to open a TAC case?


0 Helpful

Go to solution
paul
Level 10
Level 10
In response to paul

‎08-12-2018 05:40 PM

Hsing,

 

I have upgraded to patch 2, but need to do some testing after I resolve my live session issue.  I have a TAC case open on why I don't see live sessions.  That could be affecting my CoAs as well.  I am still seeing inconsistent results.

 

0 Helpful

Go to solution
Justin Walker
Level 4
Level 4
In response to paul

‎08-14-2018 10:32 AM

I'm seeing the same thing on a 2.4 patch 1 deployment today.   I thought I was going crazy for a bit until I saw this thread. 

 

I was trying to use IP address in one of my profiling policies, which was correctly changing the profile for the device after it got an IP address from DHCP but the device was stuck on my Monitor-Mode-MAB authz rule. 

 

 

What I've seen today:

1. Workstation connects > Profiled as Microsoft-Workstation > Static Set Corp-Printer Policy > No CoA

2. Printer connects > Profiled as Cannon-Device > Re-Profiled as Corp-Cannon-Device > No CoA

3. Security Device Connects > Unknown Device > Profiled as Corp-Security-Device > CoA reauthorizes session

 

Anytime it matches an existing Cisco profile first, the re-profiling works but it doesn't respect the global profiling CoA Reauth settings.   I even tried to set the CoA Reauth in the profile itself without any success. 

 

 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Justin Walker

‎08-14-2018 10:37 AM

Actually I think the only time CoA works is if it goes from Unknown to something else. If it goes from another to another profile I am not CoAs not matter if I do global or profile based CoAs.


Go to solution
Justin Walker
Level 4
Level 4
In response to paul

‎08-14-2018 10:44 AM

Oh your right,  I agree with your statement above.

 

It's pretty frustrating when you're expecting it to just work when doing a bunch of profiling rule build out. :) 

 

I opened a case with TAC as the accepted answer recommends.  Thankfully for troubleshooting purposes its pretty easy to replicate the issue. 

0 Helpful

Go to solution
bart.raat
Level 1
Level 1
In response to Justin Walker

‎08-27-2018 01:10 AM

We see the exact same behavior. Running 2.4 patch 2 at the moment.

 

It's working when going from unknown to another profile policy, however when we manually import the MAC address to an endpoint group it doesn't work.

When I configure an Exception Action to force a CoA for a specific profile policy it's also working but that's not a solution you want :)

 

I see the bug still has the status fixed, have you heard anything from TAC about this?

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to bart.raat

‎08-27-2018 05:40 AM

I am going to get a TAC case open today. It is definitely broken and has cause a major customer of mine an issue. So there will be some pressure to get this fixed.


0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to paul

‎08-27-2018 07:00 AM

Yes, please do open a TAC case. And, focus on the new issue that ISE profiling CoA requests with this Cisco AVP subscriber:reauthenticate-type=last

If ISE 2.3 not including such option in the same requests, then ask TAC to file a new bug.

0 Helpful
Customers Also Viewed These Support Documents