COA (Session-ReAuth) Required after successful Authentication

InfraISE2020_2
Level 1

Hi All,

Hoping someone can point me in the right direction.

I am in the middle of setting up an ISE POC (ISE 2.6 Patch 3) and I am seeing an issue after a user successfully authenticates at the guest portal. Unless I initiate a manual COA (Session-ReAuth) from ISE, the authenticating user is left with no network access.

The device is present in the EIG after the user auths, and after the manual COA is issued, access is granted based on the device being present in the EIG and the user is put onto the relevant VLAN.

To provide some further context, the policy attempts 802.1x first, falling back to MAB for Guest/Contractor devices. The manual COA is required for MAB authenticating devices; I do not seem to have the issue for 802.1x devices.

Below are snippets of my switch port config:

aaa group server radius ISE
 server name "ISE-01"
 server name "ISE-02"
 load-balance method least-outstanding batch-size 5
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE
!
interface GigabitEthernet1/0/6
 description *Data port for Phones & PC*
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 50
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge


Why would I need to do a manual COA from ISE before the device can get network access?

Thanks in advance.

3 Replies

Greg Gibbs
Cisco Employee

The default CoA Type for an ISE deployment is 'No CoA'. Check the Administration > System > Settings > Profiling page and ensure the CoA Type is set to 'Reauth'.

[Screenshot: Administration > System > Settings > Profiling page, showing the CoA Type setting]

Also, be sure you have the CoA configuration on the switch for all the RADIUS servers.

aaa server radius dynamic-author
 client <ip> server-key <key>

InfraISE2020_2
Level 1

Hi Greg,

Thanks for the reply. Unfortunately I do not have Plus licenses, so I am unable to change the setting you have highlighted above.

Can the same be achieved using an Auth-Z policy?

Thanks

Greg Gibbs
Cisco Employee (Accepted Solution)

Actually, the built-in Guest Flow should automatically trigger a CoA after the guest completes the login successfully. I would suggest reviewing the ISE Guest Access Prescriptive Deployment Guide to see if you've missed anything in the ISE or switch config.

If you want to post your AuthZ policy, we can have a look. Otherwise, you might want to open a TAC case to investigate further.