08-15-2012 07:10 PM - edited 03-10-2019 07:25 PM
I have this problem where first time users hit default reject profile because they are not being profiled. They remain unknown until i reconnect. Can this be because of the access point is 1231 converted to lightweight. (it does support change of vlan though). I have CoA set to ReAuth. Still not sure if this is a packet of disconnect issue with that AP. if someone faced this id appreciate the help
Sent from Cisco Technical Support iPhone App
08-15-2012 08:12 PM
If the AP is lightweight then the COA should be processed to the controller. If this is a standalone AP then yes that is the reason why you are facing this issue. For devices that do not support COA (i.e. ASAs and standalone APs) then you consider positioning and inline posture node (ipep) in order to hand the coa services...here is the documentation that covers the basics of the ipep node and how it bridges this limitation:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1198610
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 08:17 PM
Ur a hard working man. I appreciate. No its a lightweight AP. And as I said when they connect first time. They get to be unknown(even with mac only profiling) and they are rejected cuz last default is set to deny. They only need to reconnect and everything is fine. Have u seen this. Ive read about FirstTimeProfile but it doesnt seem to bounce them as it should for some reason. Is there anything that needs to be done?
Sent from Cisco Technical Support iPhone App
08-15-2012 08:25 PM
I understand now. If you have coa set to reauth there is already a built in condition so that when a endpoint is profiled for the first time (goes from unknown to known) then COA is triggered:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555378
What version of ISE are you currently running also what version is your controller? If you are using mac filtering you need to be on WLC version 7.2.110 in order to support coa (radius nac) with mac filtering.
If you dont mind can you post a screenshot of when this occurs, before you reauthenticate and check the endpoint database does it still show as uknown or does it show mapped. In the authentication reports do you see an red entries with dynamic authorization is failing? Does this happen on all SSIDs on this AP?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 08:43 PM
cisco ise 1.1.1, WLC 7.0.220.0
Yes it adds up as a workstation in the identities after failing, cuz when I reconnect I'm all good, but if i dont reconnect I'm just stuck and eventually after 20 minutes it tries again and it succeeds.
here is a screenshot
P.s Radius State on WLC is None but I've tried both same scenario.
P.s.s I did read that link before I posted :}
08-15-2012 09:16 PM
Hmm,
Do you have the AAA override set on the controller? It seems as if everything is working fine on the controller side but when the coa hits it seems as if the endpoint is matching the Profiled:Workstation endpoint group that is why you hit the deny access policy. Are you profiling these endpoints using the dhcp attribute?
Can you post a screenshot of your authorization policies.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 09:25 PM
Tarik,
yes I do have AAA override on the WLC,
here is the screenshot:
08-15-2012 09:30 PM
if you noticed on my first screenshot the profiled workstation is matched with permit access after I reconnect.
I do use DHCP option for profiling but I've tried even with mac address where I added mac attributes to WORKSTATION profile for example if mac CONTAINS OUI = Intel = Workstation still the same.
08-15-2012 09:36 PM
Hi,
Do you have the radius probe enabled? Please enable it if you dont,it should speeds things up if ISE can profile the endpoint using the calling station id, instead of waiting for the dhcp traffic to arrive after authentication succeds.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 09:41 PM
I do have it enabled, I am currently at home will go to work tomorrow and try.
how do I differentiate between calling station ID? cuz that's not as a profiling attribute as of right now in the workstation profile. (I'd love to be able to differentiate windows machines through radius)
08-15-2012 09:47 PM
I see,
It has to be a mac address for calling station ID.
Unforutnately for me i have like 5k and they all start differently, can't match the OUI to it.
I'll see how to figure this out tomorrow at work, thanks for your help.
08-15-2012 09:50 PM
You shouldnt have to configure any profiling policies, internally the ISE node should know the calling station id is the mac address and should roll up in the MACOUI check.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 09:52 PM
I see what you mean, I do understand how it works.
I will try something tomorrow, I think this is only doing it to the laptops not to iDevices as far as I can recall.
I will post updates tomorrow, I have some ideas that I need to try out.
I highly appreciate your help
08-16-2012 06:18 AM
Nope it does same thing even for iDevices, maybe a TAC case?
08-16-2012 08:16 AM
Hi,
Do you have the profiling services still enabled on the deployment page? Before opening a TAC case could you delete the endpoint, enable the profiler component to trace (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1054671), reproduce the issue and then download the profiler.log file (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wpxref46056)
attach it here and take another screenshot of the first authentication, the COA request and then when you reattempt the connection and match the profile. (also download the log after you follow all these steps).
Thanks,
Tarik Admani
*Please rate helpful posts*
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide