Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
853
Views
0
Helpful
2
Replies

Cisco ISE posture

Zach_Sec
Level 1
Level 1

‎09-07-2017 01:23 PM - edited ‎02-21-2020 10:33 AM

Hi,

 

i have a problem with a Posture implementation by a customer. It is a distributed deployment, with a f5 load balancer in front of the 2 PSN nodes.

The posture checking and CoA within the wired deployment works great, but in a WiFi scenario, not so well. We got 2 authorization rules, in which the first one checks if the posture status is set to "compliant", and if it is, it gets a specific dACL.

The second rule states that if there is a WiFi connection attempt to a specific SSID, a posture check should happen.

The posture check with the AnyConnect Posture module always wents fine saying the workstation is compliant, but the problem is that in the RADIUS live log it says that the posture result is in state "Pending", and therefore, the first authorization rule is never being hit. Sometimes a error in the live logs pops up saying "1213 No response received from Network Access Device", and i found that that is a CoA problem. I checked that CoA is enabled on the WLC and that SNAT is not being used on f5.

 

Any suggestions? Perhaps some configuration is missing on f5? 

Maybe i should try the first advice from https://communities.cisco.com/docs/DOC-71879 ?

 

Best regards,

Zach

Labels:
0 Helpful
2 Replies 2

Mohamed Abd Elnaser Mohamed Mohamed Ali
Level 1
Level 1

‎09-09-2017 11:41 AM

Hi Zach
If you WLC is configured with F5 VIP as the RADIUS Server for that particular SSID, then SNAT should be configured on F5 for RADIUS CoA traffic initiated by the PSNs and destined to the NADs (WLC) - Since CoA is initiated by the PSN and sent to the NAD to which the authenticated user/device is connected
Please note this is different than SNAT for RADIUS traffic from the NAD towards the PSN where the F5 should not source NAT the NAD IP to itself in the RADIUS AAA traffic
The COA has to be sent from the NAD to the Cisco ISE PSNs IP Addresses (Without SNAT) and the return traffic flow from Cisco ISE back to the NAD should be SNAT or sent directly to the NAD bypassing the Load Balancer (F5) (May be through PBR)
0 Helpful

Zach_Sec
Level 1
Level 1
In response to Mohamed Abd Elnaser Mohamed Mohamed Ali

‎09-15-2017 12:08 AM

Yea, i understand, but the trick that did it for me was to reboot the PSN nodes. Thank you anyway for your tip Mohamed!

 

Best regards,

Zach

0 Helpful
Customers Also Viewed These Support Documents