Help needed : Change of vlan using CoA

s_muthukannan
Level 1

Hi All,

Planning to change the VLAN of the user through CoA. Not able to find an option to push the VLAN via CoA. Can you please help?

Lab setup (this is used for a demo to the customer, not the production deployment):

ciscoISE-----ISAM-7360------ONT----STC
Cisco ISE version: 2.3.0.298
ISAM-7360: Nokia OLT (Optical Line Terminal, formerly Alcatel-Lucent OLT)
ONT: optical network termination
STC: Spirent test centre, for simulating an 802.1X supplicant or end device

The user/endpoint is authenticated and allocated a dynamic VLAN. I proceed to the RADIUS live session and try to perform a CoA action.
I could see only session termination but not a change-of-VLAN option. I am using the VSA attribute A-ESAM-PoL-Fwd-ID to change the VLAN.

Attached screenshots:
1) CoA action only listing the termination action for the live session
2) Network device profile configured to push the CoA (806 is the VLAN to be pushed)

Note: with the FreeRADIUS server, I am able to do the change of VLAN (RADIUS code 43).

Thanks,
S.Muthukannan.

Accepted Solutions

howon
Cisco Employee

ISE CoA actions in general are not something that can be manipulated to contain authorization attributes such as VLAN ID. What you are describing is CoA push and is mainly supported for VPN access. In general, ISE sends a CoA disconnect (in the case of 3rd-party devices), and a separate authorization policy rule will have to provide a different VLAN ID when the network device sends a new ACCESS request.

Reach out to me directly at howon@cisco.com and I can try to help you with the policy if you have a setup that we can test with.

Thanks for the reply. I have mailed you separately on this.

regards,

S.Muthukannan
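
Added example, not part of the original thread and not ISE or FreeRADIUS code: how a receiver can tell the CoA-Request (code 43) mentioned in the question from the Disconnect-Request (code 40, RFC 5176) behind the "CoA disconnect" in the answer, and check the RFC 5176 Request Authenticator before trusting a pushed VLAN attribute. The vendor ID, VSA type number, ASCII encoding of `806`, user name and shared secret are constructed placeholders, not the vendor's real values.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes
USER_NAME, VENDOR_SPECIFIC = 1, 26        # RFC 2865 attribute types
VENDOR_ID, VSA_TYPE = 99999, 1            # placeholders, NOT the vendor's real numbers
SECRET = b"lab-shared-secret"             # constructed sample value

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id, vtype, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))

def request_authenticator(header, attrs, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

def parse_request(packet, secret):
    """Validate a dynamic-authorization request and return (code, attributes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a Disconnect-Request or CoA-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs = packet[20:length]
    expected = request_authenticator(packet[:4], attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    parsed, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("malformed vendor-specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            parsed.append(("vsa", vendor_id, value[4], value[6:4 + value[5]]))
        else:
            parsed.append((atype, value))
        i += attrs[i + 1]
    return code, parsed

# Constructed samples: a CoA push carrying the VLAN VSA, and a plain disconnect.
_USER = attr(USER_NAME, b"stc-user")
COA_PUSH = build_request(COA_REQUEST, 1, _USER + vsa(VENDOR_ID, VSA_TYPE, b"806"), SECRET)
DISCONNECT = build_request(DISCONNECT_REQUEST, 2, _USER, SECRET)
```
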