Thanks,

I don't think that is unique to ISE, its well documented in IEEE 802 related RFC's that the first 24 bits from the 48 bits MAC address is the OUI. 

ricoh <<- this make me think that OUI is wrong are you sure mac address start with this ? 

Also MAB for printer dont use CoA' CoA mainly use when you have guest.

MAB is straight process' send call-back ISE use wired-mab policy and then send access-accept with vlan/dacl authz.

Why you have CoA for what ? 

MHM

@Arne Bier ,

Hi Arne, thanks for replying. 

I expected issues with CoA indeed so I already made sure that all the settings were correct. I checked again, and my NAD configuration seems OK. 

I currently am reproducing the situation in the following manner: 

1. I delete the endpoint from the endpoint store, this should trigger a CoA 

2. supplicant on switchport is deauthenticated 

3. Supplicant is appearing again in endpoint store now, hitting on my default deny authorization policy

4. After waiting quite some time (~15 minutes), the supplicant is granted access to the network and the Meraki switch event logs show "event type; RADIUS dynamic VLAN assignment"

The take a closer look i've made a pcap and I have let it run until the client got authenticated again (hiding first 2 octets for privacy):

It seems that it does send the CoA that's triggered by the default 'Endpoint Delete' profiler exception action.  As you can see it gets acknowledged as well. After that I see a bunch of new CoA requests, all containing VSA: t=Cisco-AVPair(1) l=35 val=subscriber:command=reauthenticate, but the switch never sends an ACK on those.   Even though it doesn't acknowledge the last, the supplicant still gains access after waiting for ~15 minutes. Manually triggering CoA's from the end point store also seems to work (getting ack's on those) . 

Any idea?