cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4487
Views
0
Helpful
39
Replies

first time CoA

edondurguti
Level 4
Level 4

I have this problem where first time users hit default reject profile because they are not being profiled. They remain unknown until i reconnect. Can this be because of the access point is 1231 converted to lightweight. (it does support change of vlan though). I have CoA set to ReAuth. Still not sure if this is a packet of disconnect issue with that AP. if someone faced this id appreciate the help

Sent from Cisco Technical Support iPhone App

39 Replies 39

Tarik Admani
VIP Alumni
VIP Alumni

If the AP is lightweight then the COA should be processed to the controller. If this is a standalone AP then yes that is the reason why you are facing this issue. For devices that do not support COA (i.e. ASAs and standalone APs) then you consider positioning and inline posture node (ipep) in order to hand the coa services...here is the documentation that covers the basics of the ipep node and how it bridges this limitation:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1198610

Thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti
Level 4
Level 4

Ur a hard working man. I appreciate. No its a lightweight AP. And as I said when they connect first time. They get to be unknown(even with mac only profiling) and they are rejected cuz last default is set to deny. They only need to reconnect and everything is fine. Have u seen this. Ive read about FirstTimeProfile but it doesnt seem to bounce them as it should for some reason. Is there anything that needs to be done?

Sent from Cisco Technical Support iPhone App

I understand now. If you have coa set to reauth there is already a built in condition so that when a endpoint is profiled for the first time (goes from unknown to known) then COA is triggered:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555378

What version of ISE are you currently running also what version is your controller? If you are using mac filtering you need to be on WLC version 7.2.110 in order to support coa (radius nac) with mac filtering.

If you dont mind can you post a screenshot of when this occurs, before you reauthenticate and check the endpoint database does it still show as uknown or does it show mapped. In the authentication reports do you see an red entries with dynamic authorization is failing? Does this happen on all SSIDs on this AP?

Thanks,

Tarik Admani
*Please rate helpful posts*

cisco ise 1.1.1, WLC 7.0.220.0

Yes it adds up as a workstation in the identities after failing, cuz when I reconnect I'm all good, but if i dont reconnect I'm just stuck and eventually after 20 minutes it tries again and it succeeds.

here is a screenshot

P.s Radius State on WLC is None but I've tried both same scenario.

P.s.s I did read that link before I posted :}

Hmm,

Do you have the AAA override set on the controller? It seems as if everything is working fine on the controller side but when the coa hits it seems as if the endpoint is matching the Profiled:Workstation endpoint group that is why you hit the deny access policy. Are you profiling these endpoints using the dhcp attribute?

Can you post a screenshot of your authorization policies.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

yes I do have AAA override on the WLC,

here is the screenshot:

if you noticed on my first screenshot the profiled workstation is matched with permit access after I reconnect.

I do use DHCP option for profiling but I've tried even with mac address where I added mac attributes to WORKSTATION profile for example if mac CONTAINS OUI = Intel = Workstation still the same.

Hi,

Do you have the radius probe enabled? Please enable it if you dont,it should speeds things up if ISE can profile the endpoint using the calling station id, instead of waiting for the dhcp traffic to arrive after authentication succeds.

Thanks,

Tarik Admani
*Please rate helpful posts*

I do have it enabled, I am currently at home will go to work tomorrow and try.

how do I differentiate between calling station ID? cuz that's not as a profiling attribute as of right now in the workstation profile. (I'd love to be able to differentiate windows machines through radius)

I see,

It has to be a mac address for calling station ID.

Unforutnately for me i have like 5k and they all start differently, can't match the OUI to it.

I'll see how to figure this out tomorrow at work, thanks for your help.

You shouldnt have to configure any profiling policies, internally the ISE node should know the calling station id is the mac address and should roll up in the MACOUI check.

Thanks,

Tarik Admani
*Please rate helpful posts*

I see what you mean, I do understand how it works.

I will try something tomorrow, I think this is only doing it to the laptops not to iDevices as far as I can recall.

I will post updates tomorrow, I have some ideas that I need to try out.

I highly appreciate your help

Nope it does same thing even for iDevices, maybe a TAC case?

Hi,

Do you have the profiling services still enabled on the deployment page? Before opening a TAC case could you delete the endpoint, enable the profiler component to trace (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1054671), reproduce the issue and then download the profiler.log file (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wpxref46056)

attach it here and take another screenshot of the first authentication, the COA request and then when you reattempt the connection and match the profile. (also download the log after you follow all these steps).

Thanks,

Tarik Admani
*Please rate helpful posts*