CoA not working

emgalanme
Level 1

Hello guys,

I am running ISE 1.1 with a 3560-E switch and using profiling.

When I connect my Cisco AP to the switch port, ISE recognizes/profiles it as a Cisco-Device, hence applies a limited authorization profile which I have configured... after around 20-30 secs the profiler recognizes it as a Cisco-Access-Point, but it's not applying the access point authorization profile.

If I bounce the port, the AP authenticates and authorizes correctly as an access point... but I had to do a manual bounce.

What am I missing?

Switch version:

Switch(config)#do sh ver
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 07:53 by sasyamal
Image text-base: 0x00003000, data-base: 0x02400000

! AAA method lists: logins and 802.1X/MAB against RADIUS, console and VTY without AAA
aaa authentication login default group radius
aaa authentication login CONSOLE none
aaa authentication login VTY none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Dynamic authorization: accept CoA/Disconnect requests from ISE (10.0.0.60)
aaa server radius dynamic-author
 client 10.0.0.60 server-key cisco123
!
! RADIUS client settings; VSAs are sent so ISE authorization results (dACL, VLAN) are honoured
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.0.0.60 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication

The switch port where the AP is connected (by the way, the AP is using an 802.1X username/password to authenticate):

interface GigabitEthernet0/20
 description Access_Point
 switchport access vlan 200
 switchport mode access
 ! pre-auth ACL applied while the port is in open (monitor) mode
 ip access-group ACL_ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! reauthentication interval taken from the RADIUS Session-Timeout sent by ISE
 authentication periodic
 authentication timer reauthenticate server
 mab
 ! MAC notification traps feed the ISE SNMP trap probe for profiling
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 spanning-tree portfast
end

ISE:

Accepted Solution

Hi,

You may have to add an exception action when the device is profiled as a to trigger CoA; also your best bet is to remove the hierarchy configuration for the Cisco-Access-Point and make it its own rule, so that when the client is profiled as an access point it can get profiled correctly.

Thanks,
Sent from Cisco Technical Support iPad App
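For readers who want to see what the CoA the thread is about actually looks like on the wire, here is an added example (not code from ISE, from Cisco, or from anyone in this thread) that builds and verifies a RADIUS CoA-Request per RFC 5176 carrying the Cisco-AVPair `subscriber:command=bounce-host-port`, i.e. the same port bounce the poster had to do by hand. The shared secret `cisco123` is the one in the posted config; the switch address 10.0.0.1 and the endpoint MAC 00-11-22-33-44-55 are assumptions. The verify function implements the checks a NAS performs before acting on a CoA (Request Authenticator and Message-Authenticator under the shared secret), so a CoA sent from a host that is not a configured dynamic-author client, or with the wrong key, is rejected.

```python
"""Build and verify a RADIUS CoA-Request (RFC 5176) carrying a Cisco
bounce-host-port command. Added example, not code from ISE or the post."""
import hashlib
import hmac
import socket
import struct

COA_REQUEST = 43                  # RADIUS code for CoA-Request (RFC 5176)
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                  # vendor type 1 = Cisco-AVPair


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (vendor 9)."""
    sub = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(secret, identifier, nas_ip, mac, command):
    """Signed CoA-Request targeting the session of `mac` on the NAS at nas_ip.
    command is the value for 'subscriber:command=' (bounce-host-port,
    reauthenticate, disable-host-port)."""
    attrs = (
        avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + avp(ATTR_CALLING_STATION_ID, mac.encode())
        + cisco_avpair("subscriber:command=" + command)
        + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    )
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Message-Authenticator (RFC 3579): HMAC-MD5 over the packet with the
    # Authenticator field and the attribute's own value both zeroed.
    msg_auth = hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    # Request Authenticator (RFC 5176 2.3): MD5(Code+ID+Length+16 zero
    # octets+attributes+secret), computed once Message-Authenticator is set.
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def parse_attrs(packet):
    """Yield (type, offset, value) per attribute; reject malformed TLVs."""
    off = 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, off, packet[off + 2:off + length]
        off += length


def verify_coa_request(secret, packet):
    """True if both authenticators validate under secret (what a NAS checks)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + attrs + secret).digest(), req_auth):
        return False
    try:
        ma = [(off, v) for t, off, v in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return False
    ma_off = ma[0][0]
    zeroed = bytearray(packet)
    zeroed[4:20] = bytes(16)
    zeroed[ma_off + 2:ma_off + 18] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, ma[0][1])


def coa_commands(packet):
    """Extract subscriber:command values from the Cisco-AVPairs in a packet."""
    cmds = []
    for t, _off, value in parse_attrs(packet):
        if t == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            if value[4] == CISCO_AVPAIR:
                text = value[6:4 + value[5]].decode()
                if text.startswith("subscriber:command="):
                    cmds.append(text.split("=", 1)[1])
    return cmds


if __name__ == "__main__":
    # Assumed: switch at 10.0.0.1, endpoint MAC 00-11-22-33-44-55, secret from the post.
    pkt = build_coa_request(b"cisco123", 7, "10.0.0.1", "00-11-22-33-44-55", "bounce-host-port")
    print(len(pkt), pkt.hex())
    print(verify_coa_request(b"cisco123", pkt), coa_commands(pkt))
```

To send it for real, the packet goes over UDP to port 1700 on the switch (the IOS default for dynamic authorization) and the switch answers with CoA-ACK (code 44) or CoA-NAK (code 45); the switch only accepts it from an address listed under `aaa server radius dynamic-author` with a matching server-key.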


4 Replies

emgalanme
Level 1

Oh and by the way... there is no firewall in between.

askhuran
Level 1

From the switch configuration you have provided, the following command is missing:

! Globally enable Dot1x authentication on the switch

dot1x system-auth-control
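The missing global command above is the kind of thing that is easy to overlook when a running-config is pasted in pieces. As an added example (not from the post or from Cisco), the script below audits an IOS config for the global and per-port commands that 802.1X/MAB and CoA from ISE depend on, and checks that every dynamic-author client is also a configured RADIUS host (the switch only accepts CoA from those clients). The sample config is constructed from the one posted, with IOS indentation restored; the list of required commands is this example's own choice, not an official checklist.

```python
"""Audit an IOS switch config for the commands CoA from ISE depends on.
Added example; SAMPLE_CONFIG is constructed from the posted config."""
import re

SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
 client 10.0.0.60 server-key cisco123
!
radius-server host 10.0.0.60 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
interface GigabitEthernet0/20
 description Access_Point
 switchport access vlan 200
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
"""

# Global commands without which the switch does not run 802.1X/MAB against
# RADIUS or accept dynamic authorization at all (this example's checklist).
REQUIRED_GLOBAL = [
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa server radius dynamic-author",
    "radius-server vsa send authentication",
]
# Per-port commands a CoA reauthenticate/bounce needs to take effect.
REQUIRED_PORT = ["authentication port-control auto", "dot1x pae authenticator"]
DYNAUTH = "aaa server radius dynamic-author"


def parse_config(text):
    """Split a config into top-level lines and their indented sub-blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        blocks[current] = []
    return top, blocks


def audit(text):
    """Return {scope: [missing items]}; an empty dict means nothing is missing."""
    top, blocks = parse_config(text)
    findings = {}
    missing = [c for c in REQUIRED_GLOBAL if c not in top]
    if missing:
        findings["global"] = missing
    # CoA is only accepted from configured dynamic-author clients, which
    # should be the same hosts the switch authenticates against.
    coa_clients = {m.group(1) for line in blocks.get(DYNAUTH, [])
                   if (m := re.match(r"client (\S+)", line))}
    radius_hosts = {m.group(1) for line in top
                    if (m := re.match(r"radius-server host (\S+)", line))}
    if DYNAUTH in top and not coa_clients:
        findings.setdefault("global", []).append("no dynamic-author client")
    elif coa_clients - radius_hosts:
        findings["coa-client-mismatch"] = sorted(coa_clients - radius_hosts)
    # Only audit ports that are doing 802.1X/MAB at all.
    for header, lines in blocks.items():
        if header.startswith("interface ") and any(
                l.startswith(("dot1x", "authentication")) or l == "mab" for l in lines):
            missing = [c for c in REQUIRED_PORT if c not in lines]
            if missing:
                findings[header] = missing
    return findings


if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: missing {', '.join(items)}")
```

Run against the posted config it reports only the global `dot1x system-auth-control`; feed it `show running-config` output from the switch to check the rest of the ports the same way.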


Hello Tarik,

Yes, I removed the hierarchy dependence, and it works. But I assume it's not the correct way ISE works, isn't it? I mean, CoA is automatically triggered from "unknown" to "Cisco-Device", so isn't it triggered when the change goes from "Cisco-Device" to "Cisco-Access-Points"? It's almost the same, right?

Thanks!

Emilio