cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

842
Views
2
Helpful
6
Replies
dgaikwad
Contributor

CoA not working

Hi All,


Configuring the MAB for IP phone was successful and I can get the IP phones to a right voice VLAN using the authz profile.


Now what happens is that, when I connect a computer behind the IP phone,

Authentication is successful

Goes for compliance check

Comes out of compliant


But,when I check ISE live logs, it still shows :

ConfigVersionId7199
Device CoA typeRFC 5176
Device CoA port3799
NetworkDeviceProfileId26b0501b-9e48-48c7-b8c4-99a0e791bcca
IsThirdPartyDeviceFlowtrue
HP-Port-Bounce-Host12
AcsSessionID58d8f8f8-04f7-451b-bc21-3d36b63adfe2
CoASourceComponentPosture
CoAReasonposture status changed
CoATypeReauthentication
Network Device ProfileHPWired_CoA_Bounce_H3C
Software VersionUnknown
LocationLocation#All Locations
Device TypeDevice Type#All Device Types
Device IP Address10.226.232.23


But the computer shows that its limited connectivity.


If I connect the computer directly to the switch port, computer goes to compliant state and access is granted as per the policy.


I am using the following:


ISE ver 2.3.0.298 patch 3

Switch Hp H3C Comware 7


Port config:

interface GigabitEthernet1/0/5

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 230 untagged

port hybrid pvid vlan 230

voice-vlan 260 enable

mac-vlan enable

undo stp enable

stp edged-port

undo lldp enable

port bridge enable

poe enable

undo dot1x handshake

dot1x handshake reply enable

undo dot1x multicast-trigger

dot1x unicast-trigger

dot1x re-authenticate server-unreachable keep-online

mac-authentication re-authenticate server-unreachable keep-online

mac-authentication host-mode multi-vlan

mac-authentication parallel-with-dot1x

port-security port-mode userlogin-secure-or-mac-ext

Is there something that I am missing here?

Any ideas?

Thank you,
Dinesh

6 REPLIES 6
Craig Hyps
Advocate

If bouncing the port as part of 3rd-party CoA, you could be bouncing phone connection which will cause PC to lose link.

In this case, the phone stays connected.

It the computer that stays in the limited connectivity, it is as if like switch recieved the bounce or re-auth for the, but since there are two domains, it does not whom to send the re-auth to?

Is that something observed before?

You cannot truly bounce the port and have the phone stay connected without a reconnect.

Is there something missing from the configuration then?

Since I can see that, the computer gets compliant, but then stays in limited connectivity.

Also, I can see that ISE shows it as compliant, but nothing happens at the computer's end...

But, if I connect the same machine directly to the switch port, all works fine, the computer gets compliant and gets full access as per the authz

hi,

it seems there is not session stitching post CoA.

Can you please attach the live logs page ( including the steps section)?

It turned out that, the issue was the policy was itself.

Since NAM is being used to perform EAP chaining, the user and machine authentication was happening, but the policy was disabled during some troubleshooting session.

Causing all the endpoints to go the MAB and failed as they were not IP phones (as configured on the authorization policy).

 Rectified the issue and since then were able to run authentication and posture just fine on the HP switch.

Thanks for all the pointers, I think they can be very well used while troubleshooting posture issues.

We have requested another switch of the same model, so that we are sure about the testing that we conducted earlier.

 

This case is deemed closed now!

 

Content for Community-Ad