08-09-2018 11:18 AM - edited 08-09-2018 11:20 AM
<vent mode>
This bug has gone on for so long and it is a key concept that has to work in ISE. If there is a profile change and I have CoA set globally to Reauth or specifically set on the profile to Reauth, ISE has to send out a CoA.
I am testing this with 2.4 and it still doesn't work. If things go from unknown to anything, that works, but when there is a profile change, say from Cisco-Device to Cisco-IP-Phone, it doesn't work.
In particular, I have IND integrated with ISE setting custom endpoint attribute tags that allow me to switch SGT tags based on these attributes. Profiling with these attributes is working perfectly. As soon as I change the security tag in IND the profile changes in ISE, but no CoA is sent. If I manually CoA, life is good.
You might say, well, what about the silly exception action workaround? That does work for the first flip, but then the profile is statically set and no more profiling can occur for that MAC. So when I switch it back in IND it doesn't reprofile.
Can I get an accurate status of this bug or get it reclassified as not fixed? If the devs need someone to truly test out a fix for them I am willing to do that.
</vent mode>
03-03-2019 01:48 PM
It is fixed in 2.4 patch 6. It is getting tracked by CSCvm66696.
10-18-2019 02:03 AM
What is the patch for resolution?
03-12-2019 02:00 PM - edited 03-12-2019 02:01 PM
So, patch 6. Sweet. I did some testing and it seems better... but something is still a bit off.
I created a test profile based on the MAC address of my testing client. As soon as I enable the profile, the endpoint re-profiles and the CoA happens successfully.
However, if I disable my custom profile policy... the endpoint re-profiles back to the default 'Windows 10 Workstation' but no CoA is executed.
Anyone else try in production or testing yet?
03-13-2019 08:58 AM
Do you have CoA Reauth set globally? Or did you just set it on the profile you created?
05-18-2019 05:11 PM
Hi,
Anyone got this fixed? I have ISE 2.4 with patch 8. Whenever an access point changes from Cisco-Device to Cisco-2700-x-x, I could not see the CoA being sent. I have the global profiler CoA set to reauth. Kindly help.
Thanks
10-18-2019 01:39 AM
Is this fixed already? We have ISE 2.3 patch 7 and are planning to upgrade to ISE 2.4 and install the latest patch. On our current version and patch we are not seeing CoA being done once a newly connected IP-Phone is profiled; it stays on the default Authz policy.
10-21-2019 03:34 AM
11-21-2019 06:34 AM
I can only share my experiences and frustration around this issue. I clearly saw the profiling related CoA issue on ISE 2.4 P10. Removed all patches (back to ISE 2.4 base) and CoA started working. Then installed patch 9 and it was still working. So for us patch 10 was the problem, but then again this has been reported across several 2.4 patch versions and even different ISE releases.