592 Views | 1 Helpful | 3 Replies

CoA : Cisco ISE and Ubiquiti/UniFi Access Points

thedarkstalker
Level 1

Dear Experts,


I've been tasked to complete the task of performing 802.1X wireless authentication from our Ubiquiti APs using Cisco ISE. I am able to complete the authentication and authorization part itself without any issues. The problem happens when you try to do an ISE Posture Check (via Secure Client/AnyConnect). From what I found on the internet, you can't use DACLs with Ubiquiti devices; the only way to do it is via an "interim VLAN". I can put the users into this "interim VLAN" while they are in "Posture Unknown" status and then move them to a "Compliant VLAN" or "Non-Compliant VLAN" based on the Posture result.

The issue I'm observing is that once the user has been put into the "interim VLAN" and received an IP from there, it's not changing its IP when the user is moved to the "Compliant VLAN".

I believe Ubiquiti access points work with port 3799 for CoA, but I'm not seeing any replies coming from them whenever I try to do a "re-auth" for a user from the "Live Sessions" table.

If anyone has faced a similar kind of issue, kindly share the steps you performed to fix it. Thanks!

3 Replies

Did you change the ISE CoA port number?

If yes, I think you need some command in Ubiquiti to accept CoA from ISE.

MHM

thedarkstalker
Level 1

Hello @MHM Cisco World, thank you for the quick response.

Yes, on the NAD configuration for my Ubiquiti access points, I changed the CoA port from 1700 to 3799.

In the packet captures I can also see ISE sending CoA-Request packets to Ubiquiti on UDP port 3799, but there's no response. On the Ubiquiti side, I've already enabled CoA:

[screenshot: thedarkstalker_0-1738323238264.png]

thedarkstalker
Level 1

One clue could be that I don't see all the fields mentioned in this guide in Cisco ISE's CoA-Request: https://help.ui.com/hc/en-us/articles/360015268353-UniFi-Gateway-Configuring-a-RADIUS-Server#h_01HE5MZ7X6VHGXBWRNR526CH3E

  • Required RADIUS attributes:
    • Account (User-Name, Framed-IP-Address, Calling-Station-ID, etc)
    • Acct-Session-id
    • NAS-IP-Address
    • NAS-Identifier

[screenshot: thedarkstalker_1-1738323351522.png]
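The post above suspects that the CoA-Request ISE sends is missing attributes the UniFi guide lists. One way to check that directly from a capture is to decode the RADIUS datagram and compare its attribute set against the guide's list. The script below is an added example written for this thread, not code from the original post, from Cisco or from Ubiquiti. It implements the RFC 2865 packet and attribute layout, the RFC 5176 CoA-Request code (43) and the RFC 2868 tagged VLAN attributes ISE uses for VLAN assignment; the required-attribute list is taken from the guide quoted above. The two sample packets, their addresses, usernames and session IDs are constructed here purely for illustration, with a zeroed authenticator, and the `build_radius` helper exists only to produce that test data.

```python
import socket
import struct

# RADIUS packet codes (RFC 2865, RFC 5176).
CODE_NAMES = {1: "Access-Request", 40: "Disconnect-Request", 43: "CoA-Request",
              44: "CoA-ACK", 45: "CoA-NAK"}
COA_REQUEST = 43

# Standard attribute numbers (RFC 2865, RFC 2866, RFC 2868).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 44: "Acct-Session-Id",
              64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}
IP_ATTRS = {4, 8}
TAGGED_INT_ATTRS = {64, 65}   # one tag byte followed by a 3-byte integer
TAGGED_STR_ATTRS = {81}       # optional tag byte followed by a string

# The attributes the UniFi guide quoted in the thread lists as required.
REQUIRED_FOR_UNIFI = ["User-Name", "Framed-IP-Address", "Calling-Station-Id",
                      "Acct-Session-Id", "NAS-IP-Address", "NAS-Identifier"]


def decode_value(atype, raw):
    """Turn an attribute's raw bytes into a dotted IP, int or string for display."""
    if atype in IP_ATTRS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if atype in TAGGED_INT_ATTRS and len(raw) == 4:
        return int.from_bytes(raw[1:], "big")      # drop the RFC 2868 tag byte
    if atype in TAGGED_STR_ATTRS and raw and raw[0] <= 0x1F:
        raw = raw[1:]                               # tag byte present, drop it
    return raw.decode("utf-8", errors="replace")


def parse_radius(packet):
    """Parse one RADIUS datagram into (code, identifier, [(attr_name, value), ...])."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        raw = packet[pos + 2:pos + alen]
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), decode_value(atype, raw)))
        pos += alen
    return code, ident, attrs


def missing_unifi_attributes(packet):
    """Return the required attributes a CoA-Request lacks (empty list = all present)."""
    code, _, attrs = parse_radius(packet)
    if code != COA_REQUEST:
        raise ValueError(f"not a CoA-Request: {CODE_NAMES.get(code, code)}")
    present = {name for name, _ in attrs}
    return [name for name in REQUIRED_FOR_UNIFI if name not in present]


def build_radius(code, ident, attrs):
    """Assemble a RADIUS datagram from (type, bytes) pairs. Constructed test data only:
    the authenticator is zeroed, whereas a real CoA-Request carries the RFC 5176 MD5
    computed over the packet and the shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: a CoA-Request moving a session to VLAN 20 that carries every
# attribute the UniFi guide names. Addresses, names and IDs are made up.
VLAN_CHANGE = [(64, b"\x01" + (13).to_bytes(3, "big")),   # Tunnel-Type = VLAN
               (65, b"\x01" + (6).to_bytes(3, "big")),    # Tunnel-Medium-Type = IEEE-802
               (81, b"\x01" + b"20")]                     # Tunnel-Private-Group-Id = "20"
COMPLETE_COA = build_radius(COA_REQUEST, 7, [
    (1, b"alice"), (8, socket.inet_aton("10.10.50.23")),
    (31, b"AA-BB-CC-11-22-33"), (44, b"5f3c2a01"),
    (4, socket.inet_aton("10.10.1.5")), (32, b"ap-office-01")] + VLAN_CHANGE)

# Constructed sample: the same VLAN change without Acct-Session-Id and
# NAS-Identifier, the kind of gap the thread suspects.
INCOMPLETE_COA = build_radius(COA_REQUEST, 8, [
    (1, b"alice"), (8, socket.inet_aton("10.10.50.23")),
    (31, b"AA-BB-CC-11-22-33"), (4, socket.inet_aton("10.10.1.5"))] + VLAN_CHANGE)


if __name__ == "__main__":
    for label, pkt in (("complete", COMPLETE_COA), ("incomplete", INCOMPLETE_COA)):
        code, ident, attrs = parse_radius(pkt)
        print(f"{label}: {CODE_NAMES[code]} id={ident}")
        for name, value in attrs:
            print(f"  {name} = {value}")
        print("  missing:", missing_unifi_attributes(pkt) or "none")
```

To run this against a real capture, extract the UDP payload of the CoA-Request on port 3799 from the pcap (for instance with tshark or scapy) and pass the bytes to `missing_unifi_attributes`. A non-empty result names the attributes the NAD may be rejecting silently; an empty result points the troubleshooting elsewhere, such as the shared secret used for the CoA authenticator or a firewall between ISE and the AP.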