Can ISE proxy CoA from 3rd Party Radius

etzhou
Cisco Employee

Can ISE proxy CoA from 3rd Party Radius?

We just had a test using ISE and a 3rd party Radius server. ISE proxies the user access request to the 3rd party Radius server, and the authentication is successful. But if the 3rd party Radius server sends a CoA, ISE drops it, while CoA sent directly from ISE is okay.

The End point ID and the Session ID are the same.

How can ISE proxy CoA from the 3rd party Radius server to the wireless clients?

These were live logs from ISE:

CoA from 3rd party Radius failed:

Policy Server ise23

Event 5405 RADIUS Request dropped

Failure Reason 11007 Could not locate Network Device or AAA Client

Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices

Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.

Endpoint Id 20:AB:37:38:2D:9D

Audit Session Id 0602010a0000013ce992975a

NAS IPv4 Address 10.1.2.15

CoA from ISE was successful.

Policy Server ise23

Event 5205 Dynamic Authorization succeeded

Endpoint Id 20:AB:37:38:2D:9D

Calling Station Id 20ab37382d9d

Audit Session Id 0602010a0000013ce992975a

Network Device SDAWLC8540

Device Type All Device Types

Location All Locations

NAS IPv4 Address 10.1.2.6

Response Time 14 milliseconds

Other Attributes

ConfigVersionId 913

AcctTerminateCause

Admin Reset

EventTimestamp

1519883683

Device CoA type Cisco CoA

Device CoA

13 Replies

etzhou
Cisco Employee

How can a 3rd party NAD be recognized by ISE? It sends the endpoint ID and session ID. If the CoA is sent to the WLC, it is successful.

The reason for using the 3rd party Radius server is that the customer already has a Radius server which holds the user information. But it does not support SGT, so ISE is needed to add the SGT info.

But now the original Radius server cannot use CoA to change the user's status.

I suspect the issue is similar to the ISE scenario with Source NAT for load balancers. Currently ISE does not rely on the NAS IP address for sending CoA and will send it based on the source IP. When sent directly to the LB, it is dropped. Similarly, if the remote RADIUS server sees ISE as the originator of the RADIUS client request, it may try to send CoA directly to ISE, and I suspect ISE is dropping it like an LB would.

It is possible for the remote server to trigger CoA if it is sent to the originating NAD, or else have ISE process the authorization locally upon Access-Accept from the remote AAA so that it can trigger CoA based on the auth flow.

You can also trigger CoA via API.

To add intelligence for ISE to proxy CoA, this will likely require an enhancement request submitted via your Cisco account team.
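To make the drop reasons in this thread concrete, here is an added example (not code from the thread, from Cisco, or from ISE) that encodes and decodes a RADIUS CoA-Request per RFC 5176 using the session ID and MAC quoted above, and models a server-side acceptance check. The `server_decision` function is an assumed, simplified model of the behaviour described in the thread (source-IP lookup against the NAD table, then packet-type check), not ISE's actual implementation; the shared secret is constructed.

```python
import hashlib
import struct

# RADIUS packet codes (RFC 2865, RFC 2866, RFC 5176)
CODES = {1: "Access-Request", 4: "Accounting-Request",
         40: "Disconnect-Request", 43: "CoA-Request"}
CALLING_STATION_ID = 31   # attribute type, RFC 2865
ACCT_SESSION_ID = 44      # attribute type, RFC 2866

def build_coa_request(secret, ident, attrs):
    """Encode a CoA-Request (code 43). Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 5176 s2.3."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 43, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_packet(pkt):
    """Decode the header and TLV attributes; returns the code name and a {type: value} dict."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident, "attrs": attrs}

def authenticator_valid(pkt, secret):
    """Recompute the Request Authenticator; a mismatch means a wrong secret or a modified packet."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return expected == pkt[4:20]

def server_decision(pkt, src_ip, nads):
    """Assumed, simplified model of the two drop reasons seen in the thread:
    unknown source IP -> 11007; a known NAD sending a packet code the server
    does not accept as a request (only Access/Accounting-Request here) -> 11029."""
    if src_ip not in nads:
        return "5405 dropped: 11007 Could not locate Network Device or AAA Client"
    if parse_packet(pkt)["code"] not in (1, 4):
        return "5405 dropped: 11029 Unsupported RADIUS packet type"
    return "accepted"

# Constructed sample: the session id and MAC quoted in the thread, a made-up secret
SECRET = b"example-shared-secret"
COA = build_coa_request(SECRET, 7, [
    (ACCT_SESSION_ID, b"0602010a0000013ce992975a"),
    (CALLING_STATION_ID, b"20ab37382d9d"),
])
```

Running `server_decision(COA, "10.1.2.15", ...)` with and without 10.1.2.15 in the NAD set reproduces the two failure reasons in the order the thread reports them.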

Yes, the remote ISE sends the CoA back to ISE and ISE drops it.

ISE shows the reason as "Could not find the network device or the AAA Client while accessing NAS by IP". But actually the client is in the live sessions of ISE. If CoA is performed from the live sessions menu, it is okay.


So the question is actually how can ISE recognize the CoA of its remote Radius server?

hslai
Cisco Employee

If 10.1.2.15 is the 3rd party RADIUS server, try adding it as a NAD.

If it is easily reproducible in your lab, I would suggest going ahead and logging a bug.

etzhou
Cisco Employee

Yes, 10.1.2.15 is the 3rd party Radius server.

We added it as a NAD and the CoA was still dropped, but the reason is different. We are using 2.3 patch 1.

Authentication Details

Source Timestamp 2018-03-02 09:18:39.158
Received Timestamp 2018-03-02 09:18:39.158
Policy Server ise-2-3
Event 5405 RADIUS Request dropped
Failure Reason 11029 Unsupported RADIUS packet type
Resolution Contact TAC to check whether a more recent version of ISE supports this RADIUS packet type
Root cause The RADIUS packet type is not supported by ISE
Endpoint Id 20:AB:37:38:2D:9D
Audit Session Id 0602010a0000015125a6985a
Network Device NingtunRadius
Device Type All Device Types
Location All Locations
NAS IPv4 Address 10.1.2.15

danielsai
Level 1

Hi Yuxun,

I think you have to play with custom "Cisco-AVPair" string to achieve that.

The easiest way I configured it is to treat the 3rd party ISE as a Radius Token server and issue CoA from the actual PSN to the NAD.

Yes, we have also considered the Radius Token option. But if the method is MAB, ISE will not proxy the access request out to the 3rd party Radius server.

hslai
Cisco Employee

if the method is MAB, ISE will not proxy the access request out to the 3rd party radius server.

Do you mean you are unable to select a token server as the auth ID source? Or, do you mean you are not seeing the requests sending out?

Please also elaborate more on the particulars of how/when you need CoA sent by the 3rd party RADIUS.

etzhou
Cisco Employee

Yes, ISE does not send the MAB access request out.

For the CoA sent by the 3rd party Radius server, there are two scenarios:

The first scenario is that the customer already has the Radius server, would not change it in the near future, but would like to deploy DNA.

The second scenario is that the Radius server can integrate a special social login method which ISE cannot currently support.

hslai
Cisco Employee

Are you getting errors in ISE live logs when sending MAB to a RADIUS token server?

DNA has options to work with other RADIUS servers than ISE. Are you using SGT so needing ISE anyway?

It is still not very clear why such an integration needs CoA. Is it that it can trigger CoA on the 3rd party RADIUS only, but not on ISE?

etzhou
Cisco Employee

Yes, SGT is needed. CoA is triggered on the 3rd party Radius server.

hslai
Cisco Employee

I will check with our teams and get back on this next week.

hslai
Cisco Employee

This is not currently supported, as it is a known issue -- CSCty45721

Please discuss your requirements further with our PM team.