Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
823
Views
0
Helpful
3
Replies

ISE 1.2 Patch 8 - Wired CoA Bug

Stephen McBride
Level 1
Level 1

‎06-02-2014 06:27 PM - edited ‎03-10-2019 09:45 PM

Hi all,

 

Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).

I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.

So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

Labels:
0 Helpful
3 Replies 3

Saurav Lodh
Level 7
Level 7

‎06-06-2014 01:36 AM

Cisco ISE does not issue a CoA for the following reasons:

  • An Endpoint disconnected from the network—When an endpoint disconnected from your network is discovered.
  • Authenticated wired (Extensible Authentication Protocol) EAP-capable endpoint—When an authenticated wired EAP-capable endpoint is discovered.
  • Multiple active sessions per port—When you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option.
  • Packet-of-Disconnect CoA (Terminate Session) when a wireless endpoint is detected—If an endpoint is discovered as wireless, then a Packet-of-Disconnect CoA (Terminate-Session) is issued instead of the Port Bounce CoA. The benefit of this change is to support the Wireless LAN Controller (WLC) CoA.
  • An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.
  • Global No CoA Setting overrides Policy CoA—Global No CoA overrides all configuration settings in endpoint profiling policies as there is no CoA issued in Cisco ISE irrespective of CoA configured per endpoint profiling policy.
0 Helpful

Stephen McBride
Level 1
Level 1
In response to Saurav Lodh

‎06-09-2014 08:25 PM

I have just upgraded the deployment from 1.2 patch 8 up to 1.2.1 and the issue still persists. Thanks kindly for the information but I am well aware of the above mentioned scenarios.

To put it simply the issue presents when I issue a CoA from the administration GUI. What then happens is the switch gives the following error (where x.x.x.x is the IP of the admin node):

Jun 10 12:28:11: POD: x.x.x.x client not configured. Dropping POD packet.

Basically the admin node is purely an admin node no policy no monitoring. If I repeat the test from the secondary admin the same error occurs albeit with the secondary IP in the error. I can resolve this issue by adding the admin nodes as dynamic authors on the switch.

Just to clarify - I am correct in my assumption that all CoA should be from the PSNs?

 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎06-06-2014 02:30 AM

CoA Not Initiating on Client Machine
Symptoms or
Issue
Cisco ISE is not able to identify the specified Network Access Device (NAD).
Conditions Click the magnifying glass icon in Authentications to display the steps in the
Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client Resolution
Possible Causes • The administrator did not correctly configure the Network Access Device
(NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by
IP during authentication.
Resolution • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in
Administration > Network Resources > Network Devices
Symptoms or
Issue
Users logging into the Cisco ISE network are not experiencing the required Change
of Authorization (CoA).
Conditions Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from
supported network devices.
Possible Causes Cisco ISE network enforcement points (switches) may be missing key configuration
commands, may be assigning the wrong port (for example, a port other than 1700),
or have an incorrect or incorrectly entered key.
Resolution Ensure the following commands are present in the switch configuration file (required
on switch to activate CoA and configure the switch):
aaa server radius dynamic-author
client <Monitoring_node_IP_address> server-key <radius_key>

0 Helpful
Customers Also Viewed These Support Documents