643 Views, 20 Helpful, 2 Replies
raulantoniorz91
Beginner

Does CoA pass through MPLS?

Hi,

We have an ISE working with dot1x and MAB for user authentication, but it looks like it's not working with the posture process when trying to reach a switch via MPLS, even with firewalls with "permit any any" in both directions for ISE and the switch. AnyConnect on Windows scans the host and shows it as "Compliant". ISE receives the posture-compliant result, but then, when it tries to apply CoA to change the DACL, it shows an error that the NAD doesn't respond. Even debugging the switch with "debug aaa coa" shows no messages for CoA at the time ISE shows the error for the NAD.

I think CoA is not passing through MPLS, but it looks like RADIUS is working pretty well.

The network map should look like this:

[Screenshot: network map (Captura de pantalla 2021-10-06 165607.gif)]

The error in ISE is the following:

[Screenshot: ISE error (Captura de pantalla 2021-10-06 170605.gif)]

2 Replies
old roo
Beginner

In your device profile, do you have CoA enabled?

Then the next question is: which RFC is the device compliant with? Again, this needs to be configured in your CoA device config.

Are you then sending the correct RADIUS information to the device for CoA, so the device recognizes the CoA and responds back to ISE?

Take packet captures on both sides of the MPLS cloud firewalls to confirm that they are receiving and forwarding the RADIUS Change of Authorization (CoA) packets sent by ISE on UDP port 1700.
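One way to evaluate the captures suggested in the reply above, as an added example that is not code from this thread: a small Python decoder that pairs each RADIUS CoA-Request (code 43) with the CoA-ACK/NAK (44/45) from the same NAD and identifier, and for unanswered requests also checks the Request Authenticator against the shared secret, since a NAD silently discards a CoA whose authenticator does not verify (RFC 5176). The IP addresses, shared secret and packets are constructed sample data; the (src, dst, dst_port, payload) tuples stand in for what you would extract from the pcaps on each side of the MPLS cloud.

```python
import hashlib
import struct

COA_CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}  # RFC 5176 packet codes
COA_PORT = 1700  # UDP port ISE sends CoA to (named in the reply above)

def build_coa_request(identifier, attrs, secret):
    # CoA-Request as ISE would send it; Request Authenticator = MD5(header|16 zeros|attrs|secret)
    header = struct.pack("!BBH", 43, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs
def build_coa_response(code, request, attrs, secret):
    # CoA-ACK/NAK as the NAD answers it; Response Authenticator is bound to the request's
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs
def request_authenticator_ok(pkt, secret):
    # A NAD silently drops a CoA-Request whose authenticator does not match the shared secret
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return pkt[4:20] == expected

def correlate_coa(packets, secret):
    # packets: (src_ip, dst_ip, dst_port, udp_payload) tuples taken from a capture;
    # returns (identifier, nad_ip, outcome) for every CoA-Request seen
    requests, responses = {}, {}
    for src, dst, dport, payload in packets:
        code, ident, length = struct.unpack("!BBH", payload[:4].ljust(4, b"\x00"))
        if code not in COA_CODES or length != len(payload) or length < 20:
            continue  # not a CoA packet, or truncated
        if code == 43 and dport == COA_PORT:
            requests[(dst, ident)] = payload  # keyed by NAD address + RADIUS identifier
        else:
            responses[(src, ident)] = code
    results = []
    for (nad, ident), pkt in requests.items():
        if (nad, ident) in responses:
            results.append((ident, nad, COA_CODES[responses[(nad, ident)]]))
        elif not request_authenticator_ok(pkt, secret):
            results.append((ident, nad, "no reply: authenticator mismatch (shared secret?)"))
        else:
            results.append((ident, nad, "no reply: unanswered (check path and NAD CoA config)"))
    return results

# Constructed sample capture: ISE 10.0.0.5 sends CoA to a local switch and to one behind MPLS
SECRET = b"example-secret"  # assumption: the shared secret configured on ISE and the NAD
ATTRS = bytes([1, 6]) + b"user"  # minimal User-Name AVP (type 1, length 6)
REQ1, REQ2 = build_coa_request(1, ATTRS, SECRET), build_coa_request(2, ATTRS, SECRET)
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.1.1.1", COA_PORT, REQ1),
    ("10.1.1.1", "10.0.0.5", 50000, build_coa_response(44, REQ1, b"", SECRET)),
    ("10.0.0.5", "10.2.2.1", COA_PORT, REQ2),  # crosses MPLS; no reply is ever seen
]
```

Run `correlate_coa(SAMPLE_CAPTURE, SECRET)`: a request that reaches the NAD and is answered shows as CoA-ACK, one that is never answered but carries a valid authenticator points at the path or the NAD's CoA configuration, and a bad authenticator points at a shared-secret mismatch.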
