Does CoA pass through MPLS?

raulantoniorz91 (Level 1)

Hi,


We have an ISE working with dot1x and MAB for user authentication, but it looks like it's not working with the posture process when trying to reach a switch via MPLS, even with firewalls configured with "permit any any" in both directions for ISE and the switch. AnyConnect on Windows scans the host and shows it as "Compliant". ISE receives the posture compliant result, but then, when it tries to apply CoA to change the DACL, it shows an error that the NAD doesn't respond. Even debugging the switch with "debug aaa coa" shows no messages for CoA at the time ISE shows the error for the NAD.

I think CoA is not passing through MPLS, but it looks like RADIUS is working pretty well.


The network map should look like this:


[Screenshot: network map]


The error in ISE is the following:

[Screenshot: ISE error message]

2 Replies

old roo (Level 1)

In your device profile, do you have CoA enabled?

Then the next question is, which RFC is the device compliant with? Again, this needs to be configured in your CoA device config.

Are you then sending the correct RADIUS information to the device for CoA, so the device recognizes the CoA and responds back to ISE?

Take packet captures on both sides of the MPLS cloud firewalls to confirm that they are receiving and forwarding the RADIUS Change of Authorization (CoA) packets sent on UDP port 1700 by ISE.
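As an added example (not part of this thread), the Python script below shows how to classify the RADIUS CoA codes from RFC 5176 in a capture taken on either side of the MPLS firewalls and list the CoA-Requests that never received a CoA-ACK or CoA-NAK; the IP addresses, identifiers and packets are constructed samples, not data from the poster's network.

```python
import struct

# RADIUS codes used by Change of Authorization / Disconnect (RFC 5176).
COA_CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
             43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}


def parse_radius(payload: bytes):
    """Decode the fixed RADIUS header: code, identifier, length, then a 16-byte authenticator."""
    if len(payload) < 20:
        raise ValueError("payload shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("RADIUS length field inconsistent with payload size")
    return code, ident, length


def build_radius(code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Build a minimal RADIUS packet for the constructed sample (authenticator zeroed)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


def unanswered_coa(packets):
    """packets: (src_ip, dst_ip, udp_payload) tuples from one capture point (UDP 1700).
    Returns (nad_ip, identifier) for every CoA-Request with no CoA-ACK/CoA-NAK seen."""
    pending = set()
    for src, dst, payload in packets:
        code, ident, _ = parse_radius(payload)
        if code == 43:                       # CoA-Request: ISE -> NAD
            pending.add((dst, src, ident))
        elif code in (44, 45):               # CoA-ACK/NAK: NAD -> ISE
            pending.discard((src, dst, ident))
    return sorted((nad, ident) for nad, _ise, ident in pending)


# Constructed capture: ISE 10.0.0.10; switch 10.1.1.1 is local, switch 10.2.2.2 sits behind MPLS.
_CSID = bytes([31, 19]) + b"00-11-22-33-44-55"  # Calling-Station-Id attribute (type 31)
SAMPLE_CAPTURE = [
    ("10.1.1.1", "10.0.0.10", build_radius(1, 5)),          # Access-Request (auth, not CoA)
    ("10.0.0.10", "10.1.1.1", build_radius(2, 5)),          # Access-Accept
    ("10.0.0.10", "10.1.1.1", build_radius(43, 8, _CSID)),  # CoA-Request to local switch
    ("10.1.1.1", "10.0.0.10", build_radius(44, 8)),         # CoA-ACK comes back
    ("10.0.0.10", "10.2.2.2", build_radius(43, 9, _CSID)),  # CoA-Request across MPLS, no reply
]

if __name__ == "__main__":
    for nad, ident in unanswered_coa(SAMPLE_CAPTURE):
        print(f"no CoA reply from {nad} for identifier {ident}")
```

Running the same function over captures from both firewalls tells you whether the CoA-Request is dropped before the MPLS cloud or whether it arrives and the switch simply never answers.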
