Solved: Error: CoA Operation not supported for an EndPoint "11:11:11:11:11:11"

network_geek1979 · ‎09-19-2022

Team,
I get this error which trying to do a CoA from the Endpoints screen. This CoA is being triggered to a Cisco switch itself.
The switch is a 4510R+E switch with SUP8E.

Do we need any setting on the switch to allow a CoA from the ISE?

The error has been attached in the files section.

Regards,
N!!!

Rob Ingram · ‎09-19-2022

@network_geek1979 the CoA is initated from the PSN to the NAD. Turn on coa debugs on the switch, send a CoA and provide the output for review. You can use tcpdump on ISE to confirm the CoA is sent.

View solution in original post

Rob Ingram · ‎09-19-2022

@network_geek1979 yes, the switch does needs "dynamic author" configured for CoA to work (assuming the IOS on your 4510 supports it though).

Example configuration on switch.

aaa server radius dynamic-author
client <ISE IP 1> server-key <RADIUS shared secret>
client <ISE IP 2> server-key <RADIUS shared secret>

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html

network_geek1979 · ‎09-19-2022

Hi Rob, yes those commands are in place.
However, not sure why they are not working.

In fact not sure how to approach this t-shooting also.
In an ISE cluster who will initiate the CoA to the switch? Is it the PSN node or the PAN node?

Regards,

N!

Rob Ingram · ‎09-19-2022

@network_geek1979 the CoA is initated from the PSN to the NAD. Turn on coa debugs on the switch, send a CoA and provide the output for review. You can use tcpdump on ISE to confirm the CoA is sent.

network_geek1979 · ‎09-21-2022

Hi Rob, Thanks for the comments. The CoA issue got resolved by adding the CoA settings in the Device Profile section.
We had a customized Device Profile section and CoA was not added there.

Your comments on the tcpdump helped a ton to understand that the ISE was not triggering any CoA.

Regards,

N!