10-23-2017 10:44 AM - edited 02-21-2020 10:36 AM
Evening.
I have a problem with ISE. I'm using ISE 2.3 (not patch 1 yet) and we're running Adaptive Network Control against some HP switches. I've been around the mill with the attributes it needs and I'm sure I've got that cracked now, but it still doesn't work. I ended up doing a packet trace and it looks like ISE isn't sending the attributes that are configured for it.
Above screenshots show what I've configured vs. what ISE is actually transmitting...
I assume it's either a bug or I've done something daft somewhere... any tips please!?
Cheers.
10-23-2017 03:40 PM
When dealing with custom device profiles (like your 'test' derivative of an HP Profile) I have come across some funnies too. But not CoA related. In my case I had forgotten to attribute the custom profile to my Authorization Profile (default=Cisco). Once I did that, the thing worked.
In your case it looks a bit suspect (like a bug) - but how do you trigger the CoA? Via the PAN Context GUI? I can see Cisco AVPairs in that CoA and that should not be the case.
10-23-2017 11:10 PM
I've been triggering the CoA by going to the Adaptive Network Control settings on the Primary Admin node and then (trying to!) quarantine the Client that way by entering the Client's MAC Address. In the real world it will come from FirePower via pxGrid, but that way doesn't work either at the moment (same error messages coming back from the switch).
10-24-2017 01:37 AM
I've been looking closer at the Cisco AV Pairs that ISE is sending and they match with the default 'Cisco' device profile. So, I think ANC instructions sent from ISE are just using their default Cisco Device Profile settings instead of using the custom device profile attributes that I've associated with the switch.
I've rebooted ISE - no change. Deleted and re-created the switch as a NAD - no change.
Next step is to try 2.3 patch 1, but the release notes don't say anything about it.
After that? TAC...
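The post above reasons from a packet trace: the AV-pairs in the CoA match ISE's default Cisco device profile rather than the custom HP profile. A quick way to confirm that kind of observation without eyeballing a capture is to decode the RADIUS attributes and count the Vendor-Specific attributes by vendor ID. The script below is an added example, not code from the thread or from Cisco; it builds two constructed CoA-Request packets (one carrying a Cisco vendor-9 AV-pair, one carrying a placeholder HP vendor-11 sub-attribute) and reports which vendor's attributes each contains. The authenticator is zeroed, the HP sub-attribute number and value are placeholders, and the MAC address is made up.

```python
import struct

COA_REQUEST = 43                 # RADIUS packet code for CoA-Request (RFC 5176)
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
VENDOR_NAMES = {9: "Cisco", 11: "HP"}   # IANA enterprise numbers


def build_attr(attr_type, value):
    """Encode one RADIUS attribute as Type-Length-Value (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute (type 26) wrapping a single vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code, identifier, attrs):
    """Assemble a RADIUS packet. The 16-byte authenticator is zeroed because this
    constructed example inspects attributes only, not message integrity."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None for plain attributes."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            # A single VSA may carry several vendor sub-attributes back to back.
            while vpos + 2 <= len(value):
                vtype, vlen = struct.unpack("!BB", value[vpos:vpos + 2])
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA sub-attribute")
                yield (attr_type, vendor_id, vtype, value[vpos + 2:vpos + vlen])
                vpos += vlen
        else:
            yield (attr_type, None, None, value)
        pos += attr_len


def vendors_in_packet(packet):
    """Count VSAs per vendor: shows at a glance which device profile's attributes a CoA carries."""
    counts = {}
    for _attr_type, vendor_id, _vtype, _value in parse_attributes(packet):
        if vendor_id is not None:
            name = VENDOR_NAMES.get(vendor_id, "vendor %d" % vendor_id)
            counts[name] = counts.get(name, 0) + 1
    return counts


def sample_cisco_coa():
    """Constructed CoA resembling what the trace in the thread showed: a Cisco (vendor 9) AV-pair."""
    return build_packet(COA_REQUEST, 1, [
        build_attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),   # made-up MAC
        build_vsa(9, 1, b"subscriber:command=reauthenticate"),
    ])


def sample_hp_coa():
    """Constructed CoA carrying an HP (vendor 11) sub-attribute instead. The sub-attribute
    number and value are placeholders, not the real attributes of any HP profile."""
    return build_packet(COA_REQUEST, 2, [
        build_attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        build_vsa(11, 99, b"placeholder-hp-command"),
    ])


if __name__ == "__main__":
    for pkt in (sample_cisco_coa(), sample_hp_coa()):
        print(vendors_in_packet(pkt))
```

Feed `parse_attributes` the UDP payload of a CoA-Request pulled from your own capture and the vendor counts tell you immediately whether the packet is built from the Cisco profile or the custom one, which is the question the thread is trying to settle.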
10-25-2017 05:03 PM
I think you've done more than your homework already! Yes, TAC case is next step. Maybe you have found a new bug.
I have created over 20 TAC cases since July of this year and half of them resulted in new bug IDs. The product is riddled with bugs. It's not really fit for "off the shelf" usage without a lot of hand holding from the TAC.