cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
766
Views
0
Helpful
10
Replies

How ISE Bunce or reauthenticate a port

Hevin27
Level 1
Level 1

Hi all,

Does anyone know how to set up the authorization profile to bounce ports or re-authenticate sessions? I see that ISE has this feature in Live Session, but I want to use this feature in the authorization policy.

Hevin27_1-1721894107059.png

 

1 Accepted Solution

Accepted Solutions

Hevin27
Level 1
Level 1

i found the root case. i need to change this.

Hevin27_1-1723795223171.png

 

View solution in original post

10 Replies 10

the ISE send CoA to NAD and NAD re-auth or bounce port 
this use only for Guest Client 

MHM

Hi MHM,

Yes, I would like to use this feature for the Guest client. When the guest completes self-registration, the guest's device is automatically registered to the identity group, ISE will send a CoA to the NAD to bounce the port, and ISE will assign a new VLAN on this group. I set Cisco:Avpair="subscriber:command=bounce-host-port" as per some documentation, but it doesn't work.

Hevin27_1-1721958149716.png

I also tried macros but it didn't work either.

Hevin27_2-1721958259670.pngHevin27_3-1721958282948.png

 

 

NAD is SW or WLC?

MHM

hi MHM,

it is sw, catalyst 9300

https://bst.cisco.com/quickview/bug/CSCvq94660

It bug check cisco for solution.

MHM

ccieexpert
Spotlight
Spotlight

it can be done, please read this and caveats:

https://community.cisco.com/t5/network-access-control/coa-type/td-p/4437873

What is your exact use case ?

 

** please rate as helpful if this is useful**

hi expert,

Thanks for the reply, I also saw this page, unfortunately, it doesn't work.

PradeepSingh
Level 1
Level 1

Hi @Hevin27 , Did you check Radius live logs if COA event is happening in logs ? If yes have you configured dynamic author in NAD (Switch) ? Also make sure UDP 1700 is allowed between ISE and switch. 

hi @PradeepSingh, Yes, we checked all of them. in the radius live logs, we can see the Cisco:AV-Pair is successfully applied,  and other attributes such as changing the VLAN or granting the DACL can be successfully executed in the same authorization profile, only this av-pair not run.

Hevin27
Level 1
Level 1

i found the root case. i need to change this.

Hevin27_1-1723795223171.png