cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
920
Views
0
Helpful
4
Replies

ISE 2.3 - Apative Network Control problem

RichardAtkin
Level 3
Level 3

RADIUS Attributes in Config VS Packet TraceRADIUS Attributes in Config VS Packet TraceSwitch is added to TEST Device ProfileSwitch is added to TEST Device ProfileError logs from ISEError logs from ISE

Evening..

 

I have a problem with ISE.  I'm using ISE 2.3 (not patch 1 yet) and we're running Adaptive Network Control against some HP switches.  I've been around the mill with the attributes it needs and I'm sure I've got that cracked now, but it still doesn't work.  I ended up doing a packet trace and it looks like ISE isn't sending the attributes that are configured for it.

 

Above screenshots show what I've configured VS what ISE is actually transmitting...

 

I assume its either a bug or I've done something daft somewhere... any tips please!?

 

Cheers.

4 Replies 4

Arne Bier
VIP
VIP

When dealing with custom device profiles (like your 'test' derivative of an HP Profile) I have come across some funnies too.  But not CoA related.  In my case I had forgotten to attribute the custom profile to my Authorization Profile (default=Cisco).  Once I did that, the thing worked.

 

In your case it looks a bit suspect (like a bug) - but how do you trigger the CoA?  Via the PAN Context GUI?  I can see Cisco AVPairs in that CoA and that should not be the case. 

I've been triggering the CoA by going to the Adaptive Network Control settings on the Primary Admin node and then (trying to!) quarantine the Client that way by entering the Client's MAC Address.  In the real world it will come from FirePower via pxGrid, but that way doesn't work either at the moment (same error messages coming back from the switch).

I've been looking closer at the Cisco AV Pairs that ISE is sending and they match with the default 'Cisco' device profile.  So, I think ANC instructions sent from ISE are just using their default Cisco Device Profile settings instead of using the custom device profile attributes that I've associated with the switch.

 

I've rebooted ISE - no change.  Deleted and re-created the switch as a NAD - no change.

 

Next step is to try 2.3 patch 1, but the release notes don't say anything about it.

 

After that? TAC...

I think you've done more than your homework already!  Yes, TAC case is next step.  Maybe you have found a new bug.

I have created over 20 TAC cases since July of this year and half of them resulted in new bug ID's.  The product is riddled with bugs.  It's not really fit for "off the shelf" usage without a lot of hand holding from the TAC.