EasyConnect reauth session merge

scruse (Level 1)

After upgrading ISE to 3.2 patch 3 from 2.7, we are seeing a lot of CoAs due to "EasyConnect reauth session merge". Could someone explain what this is and if there is any way to reduce the occurrences? The situation we are running into is that sometimes these reauths will fail due to delays in the WAN and the end user gets kicked off the network. We have Passive ID enabled because we are currently only doing machine auth via 802.1X EAP-TLS and use Passive ID to get the user info. Any help would be greatly appreciated.

Accepted Solution

lohan (Cisco Employee)

Hi scruse,

"EasyConnect reauth session merge" is related to the way Cisco ISE manages sessions when it receives authentication requests from the same endpoint but from different network access devices.

When a user establishes a new session from a different network access device while an old session is still active, ISE merges the two sessions to keep track of the user's posture status. This process is known as session merging. After the session is merged, ISE initiates a Change of Authorization (CoA) to re-authenticate the user and reassess the endpoint's posture.

The issue you're experiencing could be due to several reasons:

  1. Network Delays: As you've suspected, WAN delays could be causing the reauthentication to fail. It might be worth investigating the network performance between your endpoints, network access devices, and ISE.

  2. Session Timeout Settings: The session timeout settings on your network access devices might be causing frequent re-authentication. Check these settings to see if increasing the timeout might help.

  3. ISE Configuration: It's possible that some settings in ISE could be causing the frequent CoAs. For example, if you have "Session Reauthentication" enabled under Administration > Identity Management > External Identity Sources > Active Directory > Advanced Settings, it could be triggering unnecessary re-auths.

As the issue seems to be quite complex, you might want to consider reaching out to Cisco TAC Support for more specialized assistance. They could provide more specific advice tailored to your network's configuration and help you diagnose and resolve the problem.


Best Regards,
Henry

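To quantify how often the merge-triggered CoAs described in the answer above are followed by a failed reauth (the WAN-delay case from the question), here is an added Python example; it is not from this thread or from Cisco ISE. The log format is a constructed, simplified record rather than ISE's real syslog schema, and the event names, MACs, switch names and the 60-second window are assumptions.

```python
"""Triage of CoA events caused by "EasyConnect reauth session merge".

Added example, not ISE code. Record format is constructed and assumed:
epoch_seconds,event,mac,nad,detail   (one record per line)
"""
from collections import Counter, defaultdict

# Constructed sample records: merge CoAs and the reauth outcome that followed.
SAMPLE_LOG = """\
1700000000,COA,00:11:22:33:44:55,sw-branch-01,EasyConnect reauth session merge
1700000004,AUTH_OK,00:11:22:33:44:55,sw-branch-01,reauth succeeded
1700000010,COA,aa:bb:cc:dd:ee:ff,sw-branch-02,EasyConnect reauth session merge
1700000041,AUTH_FAIL,aa:bb:cc:dd:ee:ff,sw-branch-02,RADIUS request timed out
1700000050,COA,aa:bb:cc:dd:ee:ff,sw-branch-02,EasyConnect reauth session merge
1700000052,AUTH_OK,aa:bb:cc:dd:ee:ff,sw-branch-02,reauth succeeded
1700000060,COA,de:ad:be:ef:00:01,sw-hq-01,Admin initiated
"""
MERGE_REASON = "EasyConnect reauth session merge"

def parse(text):
    """Split constructed records into (ts, event, mac, nad, detail) tuples."""
    rows = []
    for line in text.splitlines():
        ts, event, mac, nad, detail = line.split(",", 4)
        rows.append((int(ts), event, mac.lower(), nad, detail))
    return rows

def merge_coa_report(rows, window=60):
    """Per endpoint: (merge CoA count, merge CoAs whose next auth outcome was
    AUTH_FAIL within `window` seconds, i.e. a reauth that likely lost the race
    against WAN latency)."""
    merges, failed_after = Counter(), Counter()
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r[2]].append(r)
    for mac, evs in by_mac.items():
        evs.sort()  # tuples sort by timestamp first
        for i, (ts, event, _, _, detail) in enumerate(evs):
            if event != "COA" or detail != MERGE_REASON:
                continue  # ignore CoAs with other reasons
            merges[mac] += 1
            # Only the first auth outcome after this CoA decides its fate.
            for ts2, ev2, _, _, _ in evs[i + 1:]:
                if ev2 in ("AUTH_OK", "AUTH_FAIL"):
                    if ev2 == "AUTH_FAIL" and ts2 - ts <= window:
                        failed_after[mac] += 1
                    break
    return {m: (merges[m], failed_after[m]) for m in merges}
```

Endpoints with a high failed-after count are the ones to check first for NAD-to-ISE latency or session timeout settings.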

2 Replies


scruse (Level 1)

Henry,

Thank you for the information, this helps a lot.