ISE 2.0, COA and profiling access points on switch

trondaker
Level 1

Hi,

We want to dynamically profile access points on 2960 switches when they are plugged into a standard port. We're using 1832i and 2702i. The profiling seems to work fine: the access point is profiled with the correct endpoint profile and gets put into the right identity group. The problem is, however, that MAB happens first, so the access point goes into a quarantine VLAN. I have attached a CoA Port Bounce to this profile, but it doesn't seem to happen. If I can't bounce the port, I can't get the access point into the VLAN tied to the identity group.

Anyone have a clue as to why I can't bounce the port? The device sensor and ISE seem to be doing everything right as to classification; the question is, is it possible to get ISE to assign the VLAN as it profiles the device? Because here it seems MAB happens before ISE is done profiling, and then it's too late, at least if the port won't bounce.

Port config:

switchport mode access
authentication event fail action authorize vlan 666
authentication event no-response action authorize vlan 666
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
spanning-tree portfast

Global:

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

device-sensor accounting
device-sensor notify all-changes

dot1x system-auth-control

radius-server vsa send accounting

Accepted Solution

You don't seem to have CoA on your 2960 switch. Depending on your switch IOS, it might not support CoA.

Sample config:

aaa server radius dynamic-author
 client 10.10.10.10 server-key *******
 server-key *******

Check Cisco Feature Navigator to see if your IOS version on the 2960 supports CoA.
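As an added example (not from the thread or from Cisco), a small Python audit that parses an IOS running-config into blocks and reports the CoA prerequisites the accepted answer describes: the `aaa server radius dynamic-author` block, a `client` entry for every RADIUS server the switch uses, and the device-sensor/VSA accounting lines needed to get profiling data to ISE. The config text is constructed from the snippets in this thread; the server name `ISE-PSN`, the interface and the key are assumed placeholders, and 10.10.10.10 is the address from the sample config above.

```python
import re

# Constructed running-config modelled on the snippets in this thread; 10.10.10.10
# is the ISE address from the sample config. The dynamic-author block is absent.
SWITCH_CONFIG = """\
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
radius server ISE-PSN
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
device-sensor accounting
radius-server vsa send accounting
"""
COA_BLOCK = "aaa server radius dynamic-author\n client 10.10.10.10 server-key CHANGEME\n"  # key is a placeholder

def parse_blocks(config):
    """Group IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.rstrip(), []))
    return blocks

def audit_coa(config):
    """Return findings; an empty list means the CoA prerequisites look present."""
    blocks = parse_blocks(config)
    findings = []
    # Every RADIUS server the switch talks to should also be a trusted CoA client
    servers = set()
    for head, body in blocks:
        if head.startswith(("radius server", "radius-server host")):
            for cmd in [head] + body:
                m = re.search(r"(?:address ipv4|host) (\d+(?:\.\d+){3})", cmd)
                if m:
                    servers.add(m.group(1))
    dyn = [body for head, body in blocks if head == "aaa server radius dynamic-author"]
    if not dyn:
        findings.append("missing 'aaa server radius dynamic-author': switch will ignore CoA")
    else:
        clients = {c.split()[1] for c in dyn[0] if c.startswith("client ")}
        findings += [f"RADIUS server {ip} is not a dynamic-author client"
                     for ip in sorted(servers - clients)]
    for required in ("device-sensor accounting", "radius-server vsa send accounting"):
        if not any(head == required for head, _ in blocks):
            findings.append(f"missing '{required}': profiling data is not sent to ISE")
    return findings
```

Running `audit_coa(SWITCH_CONFIG)` reports the missing dynamic-author block, and `audit_coa(SWITCH_CONFIG + COA_BLOCK)` returns no findings.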

3 Replies

Thanks for your reply! That is indeed missing; adding it now and testing tomorrow. This is a 2960X, but we also need it on a 2960+; it seems to have the command in our current IOS at least.

But is this way of doing it correct? Or is it possible to do this without bouncing the port?

Ideally, once you connect the AP it will be profiled as a Cisco device since it's the first time seen. ISE will then trigger an NMAP scan along with other checks. Once all the checks are completed and the AP is detected (e.g. Aironet 2600), ISE will trigger CoA for the switch to reauthenticate the device and assign the corresponding policy.

So a port bounce is not required generally. Now I have seen cases where this automation doesn't take place and a port bounce is needed. So use it as a fallback.

Please remember to rate useful posts