cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1235
Views
3
Helpful
7
Replies

Looking for IOD of SF500 to use "reautheticate" method of SNMP CoA at ISE 2.4

tminh
Cisco Employee
Cisco Employee

Hi,

We are doing the Posture assessment with PC <-> SF500 <-> ISE 2.4.

We wants to use the SNMP COA Reauthenticate for posture assessment.

on PC, we have AnyConnect running to check the posture.

I would like to ask for the OID of SF500 for SNMP CoA reauthenticate provided by ISE 2.4?

Many thanks for advice,

Minh

tminh@cisco.com

1 Accepted Solution

Accepted Solutions

After 802.1x authentication and posture assessment, ISE caches the posture status  (e.g Compliant) and sends CoA  to device (SF). The SF sends MAB authentication and 802.1x due to CoA  and the posture status changes to  "NotApplicable "  and that causes for loop.

View solution in original post

7 Replies 7

smashash
Cisco Employee
Cisco Employee

Hi Minh,

Currently there is not SNMP OID for re-authenticate option as far as  i know.

Please use 'Port Bounce' option for posture assessment flow  to get re-authenticate behavior with below values:

Hi Salomon,

Thank you for your advice.

could you please advise in more details about "use 'Port Bounce' option for posture assessment flow  to get re-authenticate"?

When I use this port bounce with shut/noshut , I am facing to the loop. It means PC conects again, redo the posture assessment then port shut -> port noshut -> reauthen -> re posture assessment...

I do not know how to break this loop?

rgds,

Minh

Answered offline (via WebEx).

Could only say you are great and thank you very much!

Please share

tminh
Cisco Employee
Cisco Employee

Hi Jason and Salomon,

Salomon has changed the Configuration SF500 as following:

- in the interface where PC is connected in, change "dot1x authentication 802.1x MAC" to "dot1x authentication 802.1x" , i.e remove the option MAB authentication, keep just 802.1x.

After this change when posture assessment by Anyconnect is "Compliant" => ISE does the SNMP CoA with "port bounce" action and PC stays in "compliant" status without looping as in previous situation.

when we change the condition of posture assessment and the assessment gives "nonCompliant" status, ISE orders switch to change the interface to an another VLAN correctly.

So in summary, the loop is not occured anymore and SNMP CoA to SF500 solved.

@Salomon,

could you please explian why when we have just "802.1x" instead of "802.1 x MAC", the loop is not happen?

I am not yet understand this phenomena.

Thanks and rgds,

Minh

After 802.1x authentication and posture assessment, ISE caches the posture status  (e.g Compliant) and sends CoA  to device (SF). The SF sends MAB authentication and 802.1x due to CoA  and the posture status changes to  "NotApplicable "  and that causes for loop.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: