
Can we run VPN Posture and CWA flow together?

musultan
Cisco Employee

Hi,

I am working on a case where my customer is trying to use the CWA flow for non-compliant VPN users.

It works well for normal dot1x wired or wireless users: when posture starts and users get the non-compliant status, ISE sends a CoA and they get the CWA redirect. Users get authenticated as Guest, CoA happens again, and then they get final access.

ISE doesn't send the 2nd CoA in the case of VPN users but does send the 2nd CoA for dot1x users. Is there any limitation on this flow? We recreated this in the lab and confirmed the behavior.

See the below RADIUS Live Logs and packet capture for the dot1x case... see two CoAs (working).

Radius Live Logs:

ISE-RadiusLiveLogs-VPNUsers.png

Packet Capture:

packet-capture-VPN.png

See the below RADIUS Live Logs and packet capture for VPN users... see only one CoA. It looks like ISE is not sending the CoA a 2nd time (non-working).

Screen Shot 2018-04-01 at 3.11.21 PM.png

Packet Capture:

Screen Shot 2018-04-01 at 3.15.28 PM.png

2 Replies

hslai
Cisco Employee

The current support of CWA chaining is specific to DOT1X.

RA-VPN on the ASA has support for multiple authentications via the ASA itself, so there is not much need for CWA chaining. If there is a specific use case needing this support, please route the request via the account team to the PM team.

Thanks for the reply.

I will check with customer and update this thread again.