09-19-2022 06:38 AM
Team,
I get this error while trying to do a CoA from the Endpoints screen. This CoA is being triggered to a Cisco switch itself.
The switch is a 4510R+E switch with SUP8E.
Do we need any setting on the switch to allow a CoA from the ISE?
The error has been attached in the files section.
Regards,
N!!!
09-19-2022 07:07 AM - edited 09-19-2022 07:20 AM
@network_geek1979 yes, the switch does need "dynamic author" configured for CoA to work (assuming the IOS on your 4510 supports it though).
Example configuration on switch:
aaa server radius dynamic-author
 client <ISE IP 1> server-key <RADIUS shared secret>
 client <ISE IP 2> server-key <RADIUS shared secret>
09-19-2022 08:23 AM
Hi Rob, yes those commands are in place.
However, not sure why they are not working.
In fact not sure how to approach this t-shooting also.
In an ISE cluster, who will initiate the CoA to the switch? Is it the PSN node or the PAN node?
Regards,
N!
09-19-2022 08:47 AM
@network_geek1979 the CoA is initiated from the PSN to the NAD. Turn on CoA debugs on the switch, send a CoA and provide the output for review. You can use tcpdump on ISE to confirm the CoA is sent.
09-21-2022 02:58 AM
Hi Rob, Thanks for the comments. The CoA issue got resolved by adding the CoA settings in the Device Profile section.
We had a customized Device Profile section and CoA was not added there.
Your comments on the tcpdump helped a ton to understand that the ISE was not triggering any CoA.
Regards,
N!
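When the tcpdump check suggested above does show CoA traffic, the captured UDP payload can be decoded offline to see whether the switch replied with an ACK or a NAK and whether the dynamic-author server-key matches the secret ISE used. This is an added example, not part of the thread or of any Cisco tool; the packets, secret and MAC address are constructed, and the codes and authenticator calculation follow RFC 5176.

```python
import hashlib
import struct

# RADIUS codes and Error-Cause values defined in RFC 5176 (subset).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               404: "Invalid Request", 503: "Session Context Not Found"}

def parse(pkt):
    """Split a RADIUS UDP payload into header fields and (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": code, "name": CODES.get(code, "other"), "id": ident,
            "auth": pkt[4:20], "attrs": attrs, "raw": pkt[:length]}

def authenticator(raw, secret, request_auth=bytes(16)):
    # MD5(Code+ID+Length+X+Attributes+secret); X = 16 zero octets for a request,
    # or the request's authenticator when checking the ACK/NAK that answers it.
    return hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()

def secret_matches(pkt, secret, request_auth=bytes(16)):
    """True when the packet's authenticator was computed with this shared secret."""
    p = parse(pkt)
    return authenticator(p["raw"], secret, request_auth) == p["auth"]

def error_cause(pkt):
    """Return (number, text) from Error-Cause (attribute 101) in a NAK, else None."""
    for attr_type, value in parse(pkt)["attrs"]:
        if attr_type == 101 and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            return number, ERROR_CAUSE.get(number, "unknown")
    return None

def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Constructed sample packets only, so the checks above run offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    raw = struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
    return raw[:4] + authenticator(raw, secret, request_auth) + body

SECRET = b"constructed-secret"  # placeholder, not a real key
REQ = build(43, 7, [(31, b"00-11-22-33-44-55")], SECRET)  # Calling-Station-Id
NAK = build(45, 7, [(101, struct.pack("!I", 503))], SECRET, parse(REQ)["auth"])
```

A CoA-Request that fails `secret_matches` with the key configured on the switch points to a shared-secret mismatch; a CoA-NAK with an Error-Cause points to the session or attributes in the request.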