Solved: Re: CoA not supported for an endpoint

networker4424 · ‎01-07-2019

Hello,

I have integrated a Pica8 switch with latest version of ISE, all seems fine but CoA operation for port bounce is not working.

Its worth mentioning that CoA works fine for reauthenticate and other functions just the CoA port bounce feature is giving this error. And we had this problem from the very start, its not like that it worked previously but stopped later. Any suggestions on how to fix it would be greatly appreciated.

Thanks,

Ali

Mohammed al Baqari · ‎01-07-2019

The first switch is to debug radius on the switch to see if CoA packet is
coming from ISE or not. This will help you to narrow the place to look.

View solution in original post

Francesco Molino · ‎01-08-2019

The attribute subscriber:command=bounce-host-port is something working for Cisco switches. But this attribute to bounce the port is different depending on vendor platform.
You aren't using it in cisco devices which means you should validate with your vendor switches off this is something supported and if yes what the attribute should be.

Some vendors allow you to do port-bounce by using snmp for example and this attribute value would be different.

CoA to reauth is a different attribute and interpretation from the switch is different.

When doing a debug on the switch, what do you see when it comes to port bounce? Does it take this attribute? Does it give you an error in the debug?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Mohammed al Baqari · ‎01-07-2019

The first switch is to debug radius on the switch to see if CoA packet is
coming from ISE or not. This will help you to narrow the place to look.

Francesco Molino · ‎01-07-2019

Hi

As @Mohammed said, first do a debug to see if you're receiving the coa port bounce attribute on your switch.
Then, check which nad profile your using and specially the port bounce attribute. You may contact your switch vendor tac to see if the attribute is the right one otherwise you'll need to adapt it in your nad profile settings.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sheraz.Salim · ‎01-08-2019

for the CoA to work. you also need a config on the switch. where you have to make ISE client to switch. can you make sure you have a CoA config in switch.

!

aaa new-model

aaa server radius dynamic-author

client x.x.x.x server key cisco

please do not forget to rate.

networker4424 · ‎01-08-2019

Like I said, CoA function works for reauthenticate, it just doesn't work for port bounce. I double checked the nad profile and the configuration there seems to be ok. I checked with vendor and they say the server need to send the subscriber:command=bounce-host-port. Which I have configured on the ISE side.

I also did tcpdump on the switch and noticed the switch was receiving (and obliging) CoA reauthenticate packets but port bounce packets never arrived at switch, which means when the ISE says CoA feature not supported for an endpoint, it means it never sent the port bounce packet.

The issue is, the ISE is not sending the packet but in the nad profile I see the port bounce is checked with the appropriate configuration.

Jason Kunst · ‎01-08-2019

Please open a tac case then if ISE is not doing something it should be

Mohammed al Baqari · ‎01-08-2019

In this case, from operations-diagnostic-debug, you can point a mac address to debug the endpoint, then bounce the port using CoA and see the debug file.

Francesco Molino · ‎01-08-2019

The attribute subscriber:command=bounce-host-port is something working for Cisco switches. But this attribute to bounce the port is different depending on vendor platform.
You aren't using it in cisco devices which means you should validate with your vendor switches off this is something supported and if yes what the attribute should be.

Some vendors allow you to do port-bounce by using snmp for example and this attribute value would be different.

CoA to reauth is a different attribute and interpretation from the switch is different.

When doing a debug on the switch, what do you see when it comes to port bounce? Does it take this attribute? Does it give you an error in the debug?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

networker4424 · ‎01-09-2019

The port bounce feature works fine with other NAC solutions like packetfence so I dont think it is a switch issue and besides, since no CoA packet is sent the issue seems to be on ISE. Can someone please tell how to open a tac for this problem?

BTW, below is what I found in the log file.

2019-01-09 10:50:32,784 ERROR [admin-http-pool1951][] admin.restui.features.visibility.VisibilityUIApi -::::- Unsupported CoA Operation Session termination with port bouncefor an EndPoint 00:02:09:00:01:00
2019-01-09 10:50:32,784 ERROR [admin-http-pool1951][] admin.restui.features.visibility.VisibilityUIApi -::::- Error while invoking the CoA Action coaPortBounceon Endpoint 00:02:09:00:01:00
java.lang.Exception: CoA Operation not supported for an EndPoint 00:02:09:00:01:00
at com.cisco.cpm.admin.restui.features.visibility.VisibilityUIApi.doCOAAction(VisibilityUIApi.java:1189)
at com.cisco.cpm.admin.restui.features.visibility.VisibilityUIApi.doAuthenticationActions(VisibilityUIApi.java:1079)
at sun.reflect.GeneratedMethodAccessor3416.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:173)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:89)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:133)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:82)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:110)
at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:423)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:139)
at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)

Thanks,

Jason Kunst · ‎01-09-2019

Tac can be reached by phone @

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

networker4424 · ‎01-19-2019

Hello again,

I have managed to make CoA port bounce work with Pica8 switches, perhaps partially. When I delete an endpoint from the Context visibility -> Endpoints menu, a CoA packet is sent and CoA ack is received from the switch but when I try to manually bounce the port from Context visibility -> Endpoints, then select an endpoint and select bounce port from Change of Authorization it says operation not supported.

Can someone shed some light if this is a normal behavior?

Thanks

Francesco Molino · ‎01-19-2019

How did you managed it?
Have you tried Terminate session to see if CoA for this will manually be sent?
If yes, then have you ran a debug on the switch and tcpdump on ISE to see what you’re seeing while executing port-bounce?

To answer your question, this isn’t normal that manual port-bounce doesn’t work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

networker4424 · ‎01-19-2019

Hello Francesco,

Session terminate and reauthenticate works fine, I had confirmed with tcpdump, just the manual port bounce says operation not supported.

I tried the debug endpoint tool as well, there I type the endpoint mac address and hit start, then I went to context visibility -> endpoints to manual bounce the port but when I check the debug file its empty, infact no debug file is generated for port bounce, I can see debug file being generated and with some useful info in it for reauthenticate or session terminate but there is nothing when it comes to port bounce manually.

Now problem is this, I know for a fact that port bounce command works fine with the switch, as I can see a port bounce packet is sent when an endpoint is deleted and the switch responds with COA-ACK, but the manual port bounce says its not supported, which is conflicting information.

Why is ISE saying that port bounce is not supported for an endpoint? I just need to know the reason, simple as that. If the NAD Profile had issues, it wouldn't send port bounce in case of endpoint deletion right?

Thanks

Ali

Francesco Molino · ‎01-20-2019

Can you run tcpdump on ISE and debug on your switch when deleting the endpoint and when trying to execute a manual port-bounce?
Then please share your debugs and tcpdump.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

networker4424 · ‎01-20-2019

Here is the tcpdump i ran on the switch:

14:38:02.513202 IP (tos 0x0, ttl 63, id 54598, offset 0, flags [DF], proto UDP (17), length 140)
    10.10.53.82.38176 > 10.10.51.224.3799: [udp sum ok] RADIUS, length: 112
        CoA-Request (43), id: 0x0e, Authenticator: cf225bf7dc27b6f74a73aa85e81fc093
          NAS-IP-Address Attribute (4), length: 6, Value: 10.10.51.224
            0x0000:  0a0a 33e0
          Calling-Station-Id Attribute (31), length: 19, Value: 00-00-00-44-44-44
            0x0000:  3030 2d30 302d 3030 2d34 342d 3434 2d34
            0x0010:  34
          Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset
            0x0000:  0000 0006
          Message-Authenticator Attribute (80), length: 18, Value: ....J.K.6R....;.
            0x0000:  cc8d d1aa 4ada 4ba7 3652 97b9 fbb8 3be3
          Vendor-Specific Attribute (26), length: 43, Value: Vendor: Unknown (35098)
            Vendor Attribute: 1, Length: 35, Value: subscriber:command=bounce-host-port
            0x0000:  0000 891a 0125 7375 6273 6372 6962 6572
            0x0010:  3a63 6f6d 6d61 6e64 3d62 6f75 6e63 652d
            0x0020:  686f 7374 2d70 6f72 74
14:38:02.523847 IP (tos 0x0, ttl 64, id 29361, offset 0, flags [DF], proto UDP (17), length 72)
    10.10.51.224.3799 > 10.10.53.82.38176: [udp sum ok] RADIUS, length: 44
        CoA-ACK (44), id: 0x0e, Authenticator: 33a7f081aefd4415c7ae4998520db5d3
          Event-Timestamp Attribute (55), length: 6, Value: Sat Jan 19 14:38:02 2019
            0x0000:  5c42 c5ca
          Message-Authenticator Attribute (80), length: 18, Value: 2.B.`W...|.....K
            0x0000:  32f5 42bc 6057 99c8 e97c 83ab d7e9 de4b

This tcpdump was running the whole time, I first tried to manually bounce the port but it failed, then I checked this dump session, it was empty no packets were captured so then I deleted the node from the context visibility menu and then I noticed the above captured packets.

For the debug endpoint tool, I find some debug info when deleting a node but when I run a fresh debug session on the endpoint and then try to manually bounce the port, the debug file comes up empty. So i'm afraid I can't share any debug info because its not generating any debug info for manual port bounce, all I get is "CoA operation not supported..."