ISE CoA Question - adding switch ip

ade5
Level 1

Good morning,

so if I have a switch configured with the following IPs on different VLANs:

example:

vlan 1 - 10.10.1.5

vlan 10 - 10.10.2.5

Switch was added in ISE using IP 10.10.2.5. And so far all devices on the switch are using 10.10.2.5 as the NAS.

I am planning on removing 10.10.2.5 from the list of switches in ISE and adding 10.10.1.5 to avoid service interruption.

Does adding the switch IP 10.10.1.5 cause reauthentication on the current devices?

thanks

 

Accepted Solution

Arne Bier
VIP

There will be no re-auth of existing ISE sessions, because after you remove 10.10.2.5, ISE won't be able to communicate to the NAS for sessions that came from 10.10.2.5 - it's a good question though. I think protocols like CoA will no longer work for EXISTING sessions because ISE will try to send CoA to 10.10.2.5 (but this is not in its client list). No idea. You'd have to test.

Best practice is to use the router/switch loopback address to send all your management traffic (incl. TACACS+ and RADIUS) so that you don't tie these concepts to an ephemeral interface.

I would recommend configuring the NAS to send to 10.10.1.5 - and leave 10.10.2.5 in ISE for a week or so. Check if there are any sessions still hanging around that have that NAS IP address. If not, then nuke 10.10.2.5 from the ISE Device List.

Good luck! Let us know the outcome ;-)
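As an added illustration of the loopback advice above (example configuration, not taken from the thread or from any ISE documentation): a Cisco IOS-XE switch snippet that sources RADIUS and TACACS+ from a loopback carrying 10.10.1.5 and registers ISE as the CoA (dynamic-author) client. The ISE PSN address 192.0.2.10 and the shared secret are placeholders; ISE must also have 10.10.1.5 in its Network Device list or CoA for sessions authenticated from that address will be dropped.

```text
! Loopback carries the address ISE should see as NAS-IP-Address.
! Assumption: 10.10.1.5 is moved from the VLAN 1 SVI to Loopback0.
interface Loopback0
 ip address 10.10.1.5 255.255.255.255
!
! ISE Policy Service Node (placeholder address and key).
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <PLACEHOLDER-SHARED-SECRET>
!
! Source RADIUS (authentication + accounting) and TACACS+ from the
! loopback so the NAS identity no longer depends on an SVI staying up.
ip radius source-interface Loopback0
ip tacacs source-interface Loopback0
!
! CoA listener: only the listed client may push reauth/disconnect to the
! switch, and the key must match the ISE Network Device entry for 10.10.1.5.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <PLACEHOLDER-SHARED-SECRET>
 port 1700
 auth-type any
```

After the change, `show access-session` (or `show authentication sessions` on older IOS) lists the active sessions on the switch, and the ISE Live Sessions view can be filtered by NAS IP to confirm nothing still reports 10.10.2.5 before that entry is removed from the Network Device list.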
