09-28-2020 10:08 AM
Hi All,
Hoping someone can point me in the right direction.
I am in the middle of setting up an ISE POC (ISE 2.6 Patch 3) and I am seeing an issue after a user successfully authenticates at the guest portal. Unless I initiate a manual COA (Session-ReAuth) from ISE, the authenticating user is left with no network access.
The device is present in the EIG after the user auths, and after the manual COA is issued access is granted based on the device being present in the EIG and the user is put onto the relevant VLAN.
To provide some further context, the policy attempts 802.1x first, falling back to MAB for Guest/Contractor devices. The manual COA is required for MAB-authenticating devices; I do not seem to have the issue for 802.1x devices.
Below are snippets of my switch port config
Why would I need to do a manual COA from ISE before the device can get network access?
Thanks in advance.
09-28-2020 08:17 PM
The default CoA Type for an ISE deployment is 'No CoA'. Check the Administration > System > Settings > Profiling page and ensure the CoA Type is set to 'Reauth'.
Also, be sure you have the CoA configuration on the switch for all the RADIUS servers.
aaa server radius dynamic-author
 client <ip> server-key <key>
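Added example (not part of the reply above, and not Cisco's code): one way to check a saved switch running-config for the condition described, that every RADIUS server also appears as a dynamic-author (CoA) client. The function name `coa_gaps`, the sample config and its addresses are constructed for illustration.

```python
import re

# Constructed sample running-config: two ISE nodes are defined as RADIUS
# servers, but only one is listed as a dynamic-author (CoA) client.
SAMPLE_CONFIG = """\
radius server ISE-PSN1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 7 REDACTED
radius server ISE-PSN2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key 7 REDACTED
!
aaa server radius dynamic-author
 client 10.0.0.11 server-key 7 REDACTED
!
interface GigabitEthernet1/0/1
 authentication order dot1x mab
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def coa_gaps(config: str) -> dict:
    """Compare RADIUS server addresses with dynamic-author client addresses."""
    radius, coa, section = set(), set(), ""
    for line in config.splitlines():
        if line and not line[0].isspace():       # new top-level command
            section = line.strip()
            m = re.match(rf"radius-server host {IP}", section)  # legacy form
            if m:
                radius.add(m.group(1))
            continue
        body = line.strip()                      # sub-command of `section`
        if section.startswith("radius server "):
            m = re.match(rf"address ipv4 {IP}", body)
            if m:
                radius.add(m.group(1))
        elif section == "aaa server radius dynamic-author":
            m = re.match(rf"client {IP}", body)
            if m:
                coa.add(m.group(1))
    return {"missing_coa_client": sorted(radius - coa),   # CoA would be dropped
            "unknown_coa_client": sorted(coa - radius)}   # CoA source not a server


if __name__ == "__main__":
    print(coa_gaps(SAMPLE_CONFIG))
```

Any address under `missing_coa_client` is a RADIUS server whose CoA requests the switch has no client entry for.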
09-29-2020 04:22 AM
Hi Greg,
Thanks for the reply. Unfortunately I do not have Plus licenses so I am unable to change the setting you have highlighted above.
Can the same be achieved using an Auth-Z policy?
Thanks
09-29-2020 04:14 PM
Actually, the built-in Guest Flow should automatically trigger a CoA after the guest completes the login successfully. I would suggest reviewing the ISE Guest Access Prescriptive Deployment Guide to see if you've missed anything in the ISE or switch config.
If you want to post your AuthZ policy, we can have a look. Otherwise, you might want to open a TAC case to investigate further.