03-01-2018 12:41 AM
Can ISE proxy CoA from 3rd Party Radius?
We just had a test using ISE and a 3rd party Radius. ISE proxies the user access request to the 3rd party Radius. The authentication is successful. But if the 3rd party Radius sends a CoA, ISE drops it, while a CoA sent directly from ISE is okay.
The Endpoint ID and the Session ID are the same.
How can ISE proxy a CoA from the 3rd party Radius to the wireless clients?
These were live logs from ISE:
CoA from 3rd party Radius failed:
Policy Server ise23
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Endpoint Id 20:AB:37:38:2D:9D
Audit Session Id 0602010a0000013ce992975a
NAS IPv4 Address 10.1.2.15
CoA from ISE was successful.
Policy Server ise23
Event 5205 Dynamic Authorization succeeded
Endpoint Id 20:AB:37:38:2D:9D
Calling Station Id 20ab37382d9d
Audit Session Id 0602010a0000013ce992975a
Network Device SDAWLC8540
Device Type All Device Types
Location All Locations
NAS IPv4 Address 10.1.2.6
Response Time 14 milliseconds
Other Attributes
ConfigVersionId 913
AcctTerminateCause Admin Reset
EventTimestamp 1519883683
Device CoA type Cisco CoA
Device CoA
03-01-2018 02:11 AM
How can a 3rd party NAD be recognized by ISE? It sends the endpoint ID and session ID. If the CoA is sent to the WLC, it is successful.
The reason for using a 3rd party Radius is that the customer already has a Radius server which holds the user information. But it does not support SGT, so ISE is needed to add the SGT info.
But now the original Radius server cannot use CoA to change the user's status.
03-01-2018 03:28 AM
I suspect the issue is similar to the ISE scenario with Source NAT for load balancers. Currently ISE does not rely on NAS IP address for sending CoA and will send it based on source IP. When sent direct to LB, it is dropped. Similarly, if remote RADIUS Server sees ISE as the originator of RADIUS client request, it may try to send CoA directly to ISE and suspect ISE is dropping like a LB would. It is possible for remote server to trigger CoA if sent to originating NAD, or else have ISE process the authorization locally upon Access Accept from remote AAA so that it can trigger CoA based on auth flow.
You can also trigger CoA via API.
To add intelligence for ISE to proxy CoA this will likely require enhancement request submitted via your Cisco account team.
03-01-2018 04:01 AM
Yes, the remote ISE sends the CoA back to ISE and ISE drops it.
ISE shows the reason as "Could not find the network device or the AAA Client while accessing NAS by IP". But actually the client is in the live sessions of ISE. If the CoA is performed from the live sessions menu, it is okay.
So the question is actually: how can ISE recognize the CoA of its remote Radius server?
03-01-2018 04:55 PM
If 10.1.2.15 is the 3rd party RADIUS server, try adding it as a NAD.
If it is easily reproducible in your lab, I would suggest going ahead and logging a bug.
03-01-2018 07:10 PM
Yes, 10.1.2.15 is the 3rd party Radius server.
We added it as a NAD and the CoA was still dropped, but the reason is different. We are using 2.3 patch 1.
Source Timestamp 2018-03-02 09:18:39.158
Received Timestamp 2018-03-02 09:18:39.158
Policy Server ise-2-3
Event 5405 RADIUS Request dropped
Failure Reason 11029 Unsupported RADIUS packet type
Resolution Contact TAC to check whether a more recent version of ISE supports this RADIUS packet type
Root cause The RADIUS packet type is not supported by ISE
Endpoint Id 20:AB:37:38:2D:9D
Audit Session Id 0602010a0000015125a6985a
Network Device NingtunRadius
Device Type All Device Types
Location All Locations
NAS IPv4 Address 10.1.2.15
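The two dropped-CoA records above (failure 11007 before the RADIUS server was added as a NAD, 11029 after) and the successful ISE-originated CoA from the first post differ only in a few fields. The following added example (not from the thread or from Cisco) parses both live-log layouts seen in this thread, classifies each record by its CoA outcome, and counts outcomes per sending IP; the sample records are constructed from the values quoted in the posts.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the ISE 2.3 live-log entries quoted in this thread:
# one drop per failure reason seen here, plus the successful CoA originated by ISE itself.
SAMPLE_RECORDS = [
    "Policy Server ise23\nEvent 5405 RADIUS Request dropped\n"
    "Failure Reason 11007 Could not locate Network Device or AAA Client\n"
    "Endpoint Id 20:AB:37:38:2D:9D\nAudit Session Id 0602010a0000013ce992975a\n"
    "NAS IPv4 Address 10.1.2.15",
    "Policy Server | ise-2-3 |\nEvent | 5405 RADIUS Request dropped |\n"
    "Failure Reason | 11029 Unsupported RADIUS packet type |\n"
    "Endpoint Id | 20:AB:37:38:2D:9D |\nAudit Session Id | 0602010a0000015125a6985a |\n"
    "NAS IPv4 Address | 10.1.2.15 |",
    "Policy Server ise23\nEvent 5205 Dynamic Authorization succeeded\n"
    "Endpoint Id 20:AB:37:38:2D:9D\nNAS IPv4 Address 10.1.2.6",
]

FIELDS = ("Policy Server", "Event", "Failure Reason", "Endpoint Id",
          "Audit Session Id", "NAS IPv4 Address")
# Accepts both the "Key Value" and the "Key | Value |" layouts; the lookahead stops
# "Event" from swallowing keys such as "EventTimestamp".
LINE_RE = re.compile(r"^(%s)(?![A-Za-z])\s*\|?\s*(.*?)\s*\|?\s*$"
                     % "|".join(re.escape(f) for f in FIELDS))

def parse_record(text):
    """Return the fields of interest from one live-log record as a dict."""
    rec = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec[m.group(1)] = m.group(2)
    return rec

def classify(rec):
    """Map a record to the CoA outcomes discussed in the thread."""
    if rec.get("Event", "").startswith("5205"):
        return "coa-ok"
    reason = rec.get("Failure Reason", "")
    if reason.startswith("11007"):
        return "coa-dropped:source-not-a-nad"      # sender IP is not defined as a network device
    if reason.startswith("11029"):
        return "coa-dropped:unsupported-from-nad"  # sender is a NAD, but ISE will not take CoA from it
    return "other"

def summarize(records):
    """Count outcomes per sending IP, so the operator sees whose CoA is being dropped and why."""
    counts = Counter()
    for text in records:
        rec = parse_record(text)
        counts[(rec.get("NAS IPv4 Address", "?"), classify(rec))] += 1
    return counts
```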
03-01-2018 07:47 PM
Hi Yuxun,
I think you have to play with a custom "Cisco-AVPair" string to achieve that.
The easiest way I configured it is to treat the 3rd party ISE as a Radius Token server and issue the CoA from the actual PSN to the NAD.
03-01-2018 08:08 PM
Yes, we have also considered the Radius Token option. But if the method is MAB, ISE will not proxy the access request out to the 3rd party Radius server.
03-01-2018 08:20 PM
"if the method is MAB, ISE will not proxy the access request out to the 3rd party radius server."
Do you mean you are unable to select a token server as the auth ID source? Or do you mean you are not seeing the requests being sent out?
Please also elaborate more on the particulars of how/when you need CoA sent by the 3rd party RADIUS.
03-01-2018 09:42 PM
Yes, ISE does not send the MAB access request out.
For the CoA sent by the 3rd party Radius, there would be two scenarios:
The first scenario is that the customer already has the Radius server, would not change it in the near future, but would like to deploy DNA.
The second scenario is that the Radius server can integrate a special social login method which ISE cannot support currently.
03-01-2018 10:01 PM
Are you getting errors in ISE live logs when sending MAB to a RADIUS token server?
DNA has options to work with other RADIUS servers than ISE. Are you using SGT so needing ISE anyway?
It is still not very clear why such an integration needs CoA. Is it that it can trigger CoA on the 3rd party RADIUS only, but not ISE?
03-01-2018 10:03 PM
Yes, SGT is needed. CoA is triggered on the 3rd party Radius server.
03-01-2018 10:38 PM
I will check with our teams and get back on this next week.
03-04-2018 04:27 PM
This is not currently supported, as it is a known issue -- CSCty45721
Please discuss your requirements further with our PM team.