Thanks,

I don't think that is unique to ISE, its well documented in IEEE 802 related RFC's that the first 24 bits from the 48 bits MAC address is the OUI. 

ricoh <<- this make me think that OUI is wrong are you sure mac address start with this ? 

Also MAB for printer dont use CoA' CoA mainly use when you have guest.

MAB is straight process' send call-back ISE use wired-mab policy and then send access-accept with vlan/dacl authz.

Why you have CoA for what ? 

MHM

@MHM Cisco World you're way off target again in your responses. CoA has many use cases, not only "mainly used when you have guest". Profiling relies heavily on CoA and that's what we're discussing here. When ISE performs a MAB auth it might require multiple iterations of the ISE Policy Set to achieve the desired outcome - and CoA is the mechanism to reauthorize the endpoint until it matches the desired Authorization Rule 

I think I understand what you mean with the OUI part. 

ISE has multiple default profiler conditions like this;

So the profiler condition looks at the 1th 24 bits of the MAC, looks it up in some kind of database to resolve the organization of this OUI number, and then compares the return value with this attribute value that is listed in the Profiler Condition.  So no, the MAC itself doesn't start with ricoh but the result of the OUI lookup does contain this.

Why CoA ? 

I can't clearly verify what I am thinking yet...  But i think the 1th attempt my printer tries to authenticate fails because ISE didn't profile it yet.  After being correctly profiled, the authorization changed and a reauthentication CoA request is being used for that (?).  I'm not completely sure about this, so please correct me if I'm wrong :). 

Thanks for reply' check my comment below for using CoA with profiling 

MHM

@Arne Bier ,

Hi Arne, thanks for replying. 

I expected issues with CoA indeed so I already made sure that all the settings were correct. I checked again, and my NAD configuration seems OK. 

I currently am reproducing the situation in the following manner: 

1. I delete the endpoint from the endpoint store, this should trigger a CoA 

2. supplicant on switchport is deauthenticated 

3. Supplicant is appearing again in endpoint store now, hitting on my default deny authorization policy

4. After waiting quite some time (~15 minutes), the supplicant is granted access to the network and the Meraki switch event logs show "event type; RADIUS dynamic VLAN assignment"

The take a closer look i've made a pcap and I have let it run until the client got authenticated again (hiding first 2 octets for privacy):

It seems that it does send the CoA that's triggered by the default 'Endpoint Delete' profiler exception action.  As you can see it gets acknowledged as well. After that I see a bunch of new CoA requests, all containing VSA: t=Cisco-AVPair(1) l=35 val=subscriber:command=reauthenticate, but the switch never sends an ACK on those.   Even though it doesn't acknowledge the last, the supplicant still gains access after waiting for ~15 minutes. Manually triggering CoA's from the end point store also seems to work (getting ack's on those) . 

Any idea?

The Wireshark decode is quite revealing. I have had many issues with Meraki and its RADIUS implementation (esp the MS390 - what an awful product) - they often lack features that Cisco switches have had for over 10 years, and then still contain many bugs. I'd open a ticket with Meraki. Not responding to a CoA is a bug. If the NAD believes the CoA was sent in error, it must respond with a CoA NAK. I see those sent by Catalyst switches. I assume you've checked the Meraki release notes or tried to update the switch as well?

Do you know why you have so many duplicate packets shown in your Wireshark? 

Hi Arne, Thanks for replying again. 

I've did some more research today and it seems that Meraki expects the following for a CoA reauth request:

- Calling-Station-ID

- Cisco AV Pair: 

• subscriber:command=reauthenticate
• audit-session-id

After I delete the supplicant from the endpoint store, it is issueing a CoA which contains both the subscriber command and the audit session ID. Shortly after this, ISE is sending CoA reauthentication requests again, but they do not contain the audit-session-id.  So I think the switch doesn't know for which client the CoA is destined for, according to the RFC the Meraki switch should reply with a NAK, bit Meraki seems to just ignore it...  According to the Meraki documentation, the Session ID is learned from the original Radius access accept message, the thing is that my device gets a rejected the 1th time (Acces-Reject), so that might be the reason it doesn't supply the CoA with a audit-session-id (?). 

How I reproduce it:

1. Delete supplicant from endpoint store, this is triggering a CoA reauthentication request, which is getting acknowledged by the Meraki switch. Switchport reauthentication is triggered and the supplicant is performing an Access-request again.

2. Endpoint shows up again in endpoint store, gets rejected by the default deny authorization policy. In the PCAP an access-request and access-reject is seen

3. After that the supplicant stays unauthenticated for quite some time. CoA requests are seen at this point, they do not contain a audit-session-ID. These packets do arrive at the Meraki switch but an ACK/NAK is never given.

4. After manually cycling the port, or waiting for the supplicant to reauthenticate on its own again, a new access-request is being made, responded with Access-Accept, which contains the correct profile. The client works now. 

I'm still looking into the duplicated packets, not sure what is causing that. 

Do you think it is correct to assume that the supplicant didn't get profiled yet on the 1th try, causing an access-reject. After ISE profiles it, ISE sends a CoA to trigger the client to perform a reauthentication request again? 

Hi Arne,

Yes sir, that is it !

After thinking this through it makes sense. The Meraki switch learns the CoA session ID from the access-accept messages but putting a default deny in it prevents CoA to work properly.  I've created a catchall policy with limited access, which will provide the unprofiled client an access-accept with a session ID, now the Session ID can be learned and is present in the CoA after ISE profiles the client. Result; works perfect, yay!

Thanks a lot for your help, I've accepted your response as the solution. 

Hi,

Port bounce is a type of CoA. There is a valid need for CoA since the authorization changes after the supplicant gets profiled by ISE. If I wouldn't use CoA, then I will have to wait until the device itself decides to do a reauthentication request or I would have to cycle the switchport, which is not desired behavior.