ASA VPN ISE Posture CoA Rejected when same ISE IP is used for ASA TACACS Device Administration

Jason Granat
Level 5

Basic issue: when multiple aaa-server groups exist in the ASA config with the same IP address, i.e. one group for TACACS and another for RADIUS that both point to the same ISE node, the ASA rejects the CoA issued by ISE when the posture check completes.

How can we perform both TACACS device administration concurrently with RADIUS for posture check?

ASA version 9.5(2)

ISE version 2.0.0.306 Patch 1

Failure example:

vpn(config)# sh run aaa-server
aaa-server TACACS_ISE protocol tacacs+
aaa-server TACACS_ISE (inside) host 192.168.35.22
 key *****
aaa-server RADIUS_ISE (inside) host 192.168.35.22
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 acl-netmask-convert auto-detect
vpn(config)# show debug
debug aaa url-redirect enabled at level 1
debug radius dynamic-authorization
vpn(config)# Got AV-Pair with value profile-name=Windows7-Workstation
Got AV-Pair with value profile-name=Windows7-Workstation
aaa_url_redirect: Added url redirect:https://ise.securitydemo.net:8443/portal/gateway?sessionId=c0a822fd0001d000568dd25e&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=f4b3e7a2ff67fc2ad05ad55525ffab38 acl:ACL-POSTURE-REDIRECT for 10.168.35.102
Received RAD_COA_REQUEST
Request Authenticator verification failed.
CoA message from 192.168.35.22 is malformed or cannot be validated.
Received RAD_COA_REQUEST
Request Authenticator verification failed.
CoA message from 192.168.35.22 is malformed or cannot be validated.
vpn(config)#

If I remove the ISE IP from the TACACS group then the CoA is accepted by the ASA:

vpn(config)# no aaa-server TACACS_ISE (inside) host 192.168.35.22
vpn(config)#
vpn(config)# sh run aaa-server
aaa-server TACACS_ISE protocol tacacs+
aaa-server RADIUS_ISE (inside) host 192.168.35.22
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 acl-netmask-convert auto-detect
vpn(config)#
vpn(config)# Got AV-Pair with value profile-name=Windows7-Workstation
Got AV-Pair with value profile-name=Windows7-Workstation
aaa_url_redirect: Added url redirect:https://ise.securitydemo.net:8443/portal/gateway?sessionId=c0a822fd0001e000568dd31d&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=dde760c1b17a16e758da60788275b1a0 acl:ACL-POSTURE-REDIRECT for 10.168.35.102
Received RAD_COA_REQUEST
Got AV-Pair with value audit-session-id=c0a822fd0001e000568dd31d
Request sent to AAA.
Received message COA_MSG_AAA_RESPONSE
aaa_url_redirect: Deleted url redirect for 10.168.35.102

vpn(config)#

3 Replies

Jason Granat
Level 5

Heh, so as long as the aaa-server group with dynamic authorization comes first in the CLI the problem does not occur... go figure... :)  So... good to know if you are deploying ASA/ISE/VPN Posture/TACACS!


vpn(config)# sh run aaa-server
aaa-server RADIUS_ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS_ISE (inside) host 192.168.35.22
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 acl-netmask-convert auto-detect
aaa-server ZTACACS protocol tacacs+
aaa-server ZTACACS (inside) host 192.168.35.22
 key *****
vpn(config)# Got AV-Pair with value profile-name=Windows7-Workstation
Got AV-Pair with value profile-name=Windows7-Workstation
aaa_url_redirect: Added url redirect:https://ise.securitydemo.net:8443/portal/gateway?sessionId=c0a822fd00028000568ecd1b&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=f67befb38cffe289f0591bc4543eb5c6 acl:ACL-POSTURE-REDIRECT for 10.168.35.103
Received RAD_COA_REQUEST
Got AV-Pair with value audit-session-id=c0a822fd00028000568ecd1b
Request sent to AAA.
Received message COA_MSG_AAA_RESPONSE
aaa_url_redirect: Deleted url redirect for 10.168.35.103

vpn(config)#
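The "Request Authenticator verification failed" line in the debugs is the ASA re-computing the RFC 5176 Request Authenticator of the CoA-Request with the shared secret it has on file for the sending IP. The following Python is an added example, not from the thread or from Cisco, that reproduces that check with constructed placeholder keys: the same CoA signed by ISE with the RADIUS key verifies against that key and fails against the TACACS key. That the ASA picks the key of whichever aaa-server host entry for 192.168.35.22 it finds first is an assumption consistent with the ordering workaround above, not something the thread confirms.

```python
import hashlib
import hmac
import struct

# Constructed placeholder secrets for the two aaa-server groups in the thread;
# the real keys appear only as ***** in the ASA output.
RADIUS_KEY = b"radius-secret-placeholder"
TACACS_KEY = b"tacacs-secret-placeholder"
COA_REQUEST = 43  # RFC 5176 CoA-Request packet code

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Cisco-AV-Pair: Vendor-Specific (26), vendor id 9, vendor type 1."""
    inner = struct.pack("!BB", 1, 2 + len(text)) + text
    return avp(26, struct.pack("!I", 9) + inner)

def build_coa_request(identifier, attributes, secret):
    """CoA-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes

def verify_coa_request(packet, secret):
    """Re-derive the authenticator with the secret on file; True only if the
    packet was built with the same secret and arrived unmodified."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# ISE signs the CoA with the RADIUS shared secret; the audit-session-id is the
# one from the thread's debug output.
COA_FROM_ISE = build_coa_request(
    7, cisco_avpair(b"audit-session-id=c0a822fd0001e000568dd31d"), RADIUS_KEY)

def check_with_each_key():
    """Outcome of validating the same CoA with each aaa-server group's key."""
    return {"RADIUS_ISE": verify_coa_request(COA_FROM_ISE, RADIUS_KEY),
            "TACACS_ISE": verify_coa_request(COA_FROM_ISE, TACACS_KEY)}
```

A device that validates the CoA with the TACACS group's key therefore logs the same failure the ASA printed, even though the packet from ISE is well formed.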

I am running into the same issue, but I cannot seem to get my TACACS config to move down under RADIUS no matter my naming convention.  Did you do any other trickery besides adding the Z in front?

At the time I couldn't figure out any other tricks, but that worked so I didn't really bother with it after that...