CoA ISE

SupportAC
Level 1

Hi,

We are having an issue with user session behaviour since we enabled CoA on the WLC. If we enable "Support for CoA" in the WLC and ISE sends a 'CoA-Disconnect-Request', the WLC disconnects the authenticated user.

So is there any parameter to configure in ISE so that these disconnections do not happen?

8 Replies

paul
Level 10

What version of ISE and why are the CoAs happening? Is this a guest portal process or because of profiling changes?

Surendra
Cisco Employee

The real question is why is ISE sending a CoA disconnect request? Are you using Posture over VPN or Hotspot portal?

What is your main intention to enable CoA on the WLC?

For security audit requirements, RFC 3576 was enabled in the WLC, with version 8.0.152. So far no problems were detected in the captive portal that gives access to guests: they authenticated correctly and the sessions were maintained at least long enough not to identify a problem.

Also for security requirements the WLC was updated to the current version 8.3.143; as a consequence, the functionality associated with RFC 3576 (already obsolete and replaced by RFC 5176, CoA) is applied to replace the previous one. And the problems with access to the Guest network begin, which uses a captive portal of the WLC. It does not affect other Wi-Fi services that use dot1x, for example.

The cause is that: "If we enable 'Support for CoA' in the WLC and the ISE sends 'CoA-Disconnect-Request', the controller disconnects the connected user."

But briefly: authentication occurs, but after a very short interval a disconnection is sent that the controller (with CoA active) applies to the session. As a consequence the service is not available.

As the functionality that CoA offers us, the option to disconnect active sessions, is recommended by Security (it is necessary to have control not only at the start of the access), we need to enable CoA in the WLC. What options do we have to prevent this from happening "periodically and almost immediately" after a correct session start that allows access? Is this parameterizable in ISE?

You might be getting profiled and doing a CoA because the profile is changing. Have you touched your global profile CoA option?
https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html#reference_A4FCC7A3F7FE49BFB06B01CF2FCBC45C

Needless to say this doesn't seem to be the default behavior. Would recommend following the above guides for more details and, if still a problem, contact the TAC.

Please share your findings.

This is what we see about the connection:

SESSION IS ESTABLISHED:

[screenshot: ise1.jpg]

It's updated correctly:

[screenshot: ise2.jpg]

But it fails several seconds later:

[screenshot: ise3.jpg]

Is there any way to control the timers or periodicity? We would like to solve it :)

Thanks

If you scroll down more on the CoA event there should be CoASourceComponent, CoAReason, and CoAType entries under 'Other Attributes'. What do those entries say for both events? Also, you masked the session ID on the screenshot, but is the session ID identical or different between the two CoA events?

Yes, session ID is the same for 3 screenshots.

hslai
Cisco Employee

If I understood it correctly, the issue only surfaced after an upgrade of your WLC from 8.0.152 to 8.3.143. If that is true, you really need to involve Cisco TAC to troubleshoot it, as Jason Kunst recommended. ISE and WLC have been working together with CoA support since ISE 1.0 and WLC 7.0.252.0, although CWA and BYOD were hardened later with ISE 1.2 and WLC 7.3.113.100.

I hope your ISE is running ISE 2.3 or above, which provides the "CoASourceComponent, CoAReason, and CoAType entries under 'Other Attributes'" asked about by howon.

Below is an ISE deployment with CoA Type "Port Bounce" for the ISE profiler.

[screenshot: Screen Shot 2018-12-17 at 2.08.35 PM.png]

As a result, the endpoint got profiled, CoA-disconnected, and re-authenticated with a new session ID, before proceeding with guest auth. After the guest completes the portal login, CoA re-auth and then authorize-only with the same session ID.

[screenshot: Screen Shot 2018-12-17 at 10.08.02 AM.png]

As the deployment is running ISE 2.5 beta, we got the CoASourceComponent, CoAReason, and CoAType.

The first one has:

CoASourceComponent Profiler
CoAReason Change in endpoint identity group/policy/logical profile which are used in authorization policies
CoAType Disconnect

 

The second one has:

CoASourceComponent GUEST
CoAReason Guest authenticated for network access
CoAType Reauthentication - last
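An added example (not from this thread, Cisco, or ISE itself) of the check howon and hslai describe: group CoA events by session ID and flag any CoA Disconnect that lands within seconds of a successful authentication on the same session, which is the pattern the original poster reports for the guest portal. The log lines and their pipe-separated layout are constructed; only the attribute names CoASourceComponent/CoAReason/CoAType and the values hslai quoted come from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample in an assumed layout (NOT real ISE live-log output):
# timestamp | event | session id | CoASourceComponent | CoAReason | CoAType
SAMPLE_EVENTS = """\
2018-12-17 14:08:01 | Authentication succeeded | 0a0a0a0a00000001 | - | - | -
2018-12-17 14:08:05 | Dynamic Authorization succeeded | 0a0a0a0a00000001 | Profiler | Change in endpoint identity group/policy/logical profile which are used in authorization policies | Disconnect
2018-12-17 14:08:40 | Authentication succeeded | 0a0a0a0a00000002 | - | - | -
2018-12-17 14:09:10 | Dynamic Authorization succeeded | 0a0a0a0a00000002 | GUEST | Guest authenticated for network access | Reauthentication - last
"""


def parse_events(text):
    """Parse the constructed pipe-separated lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, sid, src, reason, ctype = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event, "session": sid,
            "source": src, "reason": reason, "type": ctype,
        })
    return events


def coa_by_session(events):
    """Group CoA events per session ID so 'same session or new session?' is
    answered directly: each value lists (CoASourceComponent, CoAType)."""
    grouped = {}
    for e in events:
        if e["source"] != "-":  # only CoA rows carry a source component
            grouped.setdefault(e["session"], []).append((e["source"], e["type"]))
    return grouped


def find_premature_disconnects(events, window=timedelta(seconds=30)):
    """Return (session, CoASourceComponent, seconds) for every CoA Disconnect
    that hits a session within `window` of that session's last successful auth.
    A Profiler-sourced hit here matches the 'profile changed' explanation."""
    last_auth, findings = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] == "Authentication succeeded":
            last_auth[e["session"]] = e["time"]
        elif e["type"] == "Disconnect" and e["session"] in last_auth:
            delta = e["time"] - last_auth[e["session"]]
            if delta <= window:
                findings.append((e["session"], e["source"], int(delta.total_seconds())))
    return findings
```

Feed it the CoASourceComponent/CoAReason/CoAType columns exported from the live log to confirm whether the disconnects are profiler-driven and whether they reuse the session ID, before opening the TAC case.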