cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1214
Views
5
Helpful
3
Replies
Highlighted
Contributor

ASA VPN ISE Posture CoA Rejected when same ISE IP is used for ASA TACACS Device Administration

Basic issue: when multiple aaa-server groups exist in the ASA config with the same IP address, ie: one group for TACACS and another for RADIUS that both point to the same ISE node, the ASA rejects the CoA issued by ISE when posture check completes.

How can we perform both TACACS device administration concurrently with RADIUS for posture check?

ASA version 9.5(2)

ISE version 2.0.0.306 Patch 1

Failure example:

vpn(config)# sh run aaa-server
aaa-server TACACS_ISE protocol tacacs+
aaa-server TACACS_ISE (inside) host 192.168.35.22
 key *****
aaa-server RADIUS_ISE (inside) host 192.168.35.22
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 acl-netmask-convert auto-detect
vpn(config)# show debug
debug aaa url-redirect enabled at level 1
debug radius dynamic-authorization
vpn(config)# Got AV-Pair with value profile-name=Windows7-Workstation
Got AV-Pair with value profile-name=Windows7-Workstation
aaa_url_redirect: Added url redirect:https://ise.securitydemo.net:8443/portal/gateway?sessionId=c0a822fd0001d000568dd25e&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=f4b3e7a2ff67fc2ad05ad55525ffab38 acl:ACL-POSTURE-REDIRECT for 10.168.35.102
Received RAD_COA_REQUEST
Request Authenticator verification failed.
CoA message from 192.168.35.22 is malformed or cannot be validated.
Received RAD_COA_REQUEST
Request Authenticator verification failed.
CoA message from 192.168.35.22 is malformed or cannot be validated.
vpn(config)#

If I remove the ISE IP from the TACACS group then the CoA is accepted by the ASA:

vpn(config)# no aaa-server TACACS_ISE (inside) host 192.168.35.22
vpn(config)#
vpn(config)# sh run aaa-server
aaa-server TACACS_ISE protocol tacacs+
aaa-server RADIUS_ISE (inside) host 192.168.35.22
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 acl-netmask-convert auto-detect
vpn(config)#
vpn(config)# Got AV-Pair with value profile-name=Windows7-Workstation
Got AV-Pair with value profile-name=Windows7-Workstation
aaa_url_redirect: Added url redirect:https://ise.securitydemo.net:8443/portal/gateway?sessionId=c0a822fd0001e000568dd31d&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=dde760c1b17a16e758da60788275b1a0 acl:ACL-POSTURE-REDIRECT for 10.168.35.102
Received RAD_COA_REQUEST
Got AV-Pair with value audit-session-id=c0a822fd0001e000568dd31d
Request sent to AAA.
Received message COA_MSG_AAA_RESPONSE
aaa_url_redirect: Deleted url redirect for 10.168.35.102

vpn(config)#

3 REPLIES 3
Highlighted
Contributor

Heh, so as long as the aaa

Heh, so as long as the aaa-server group with dynamic authorization comes first in the CLI the problem does not occur... go figure... :)  So... good to know if you are deploying ASA/ISE/VPN Posture/TACACS!

 

vpn(config)# sh run aaa-server
aaa-server RADIUS_ISE protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server RADIUS_ISE (inside) host 192.168.35.22
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
acl-netmask-convert auto-detect
aaa-server ZTACACS protocol tacacs+
aaa-server ZTACACS (inside) host 192.168.35.22
key *****
vpn(config)# Got AV-Pair with value profile-name=Windows7-Workstation
Got AV-Pair with value profile-name=Windows7-Workstation
aaa_url_redirect: Added url redirect:https://ise.securitydemo.net:8443/portal/gateway?sessionId=c0a822fd00028000568ecd1b&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=f67befb38cffe289f0591bc4543eb5c6 acl:ACL-POSTURE-REDIRECT for 10.168.35.103
Received RAD_COA_REQUEST
Got AV-Pair with value audit-session-id=c0a822fd00028000568ecd1b
Request sent to AAA.
Received message COA_MSG_AAA_RESPONSE
aaa_url_redirect: Deleted url redirect for 10.168.35.103

vpn(config)#

Highlighted
Beginner

I am running into the same

I am running into the same issue, but I cannot seem to get my TACACS config to move down under RADIUS no matter my naming convention.  Did you do any other trickery besides adding the Z in front?

Highlighted
Contributor

At the time I couldn't figure

At the time I couldn't figure out any other tricks, but that worked so I didn't really bother with it after that...