cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

206
Views
0
Helpful
0
Replies
Beginner

ISE 2.4 p11 Profiling CoA Issues

Here is a similar post for 2.6 which I just replied to.  But thought i'd make a separate discussion.

https://community.cisco.com/t5/network-access-control/coa-issue-after-profiling-on-ise-2-6-patch-3/m-p/3986567

 

 

I'm running 2.4 patch 11 and i'm having an issue where a device does not re-authenticate via CoA after getting a new profile.  I'm testing with an IP phone.  I made a test profile with a certainty factor of 300.  Currently it is profiled correctly as an IP-phone-9xxx or whatever the model is.  I have an AuthZ rule in my policy set matching on logical profile of 'Approved IP phones' and an SGT of say "phone".

 

My test profile policy matches this devices MAC address w/ a CF of 300.  I apply CoA setting of 'reauth'  (global CoA setting = disabled).  I also have an AuthZ rule matching this test profile getting a different SGT of say "CoA_Test"

 

I go to the context/visibility page and verify my phone does get the correct profile.  At this point I would expect the phone to re-authenticate and because it is profiled in my test profile it should match the associated AuthZ rule but I don't see a reauth in the live logs.  If I 'clear auth sessions' on the switch - then it gets the new AuthZ rule and the SGT is updated.  If I go to the Radius - live sessions and manually issue a CoA reuath - it works fine.  

 

So my question is - am I missing something?  is there a bug for this?  See below...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs05437/?rfs=iqvred

 

What i'm wanting to do is apply this to my 'unknown' SGT devices.  As i'm adding 10-20 switches in a weekend I can get several hundred 'unknown' SGTs.  I have a default MAB for permit access and have not pushed any SGT matrix policy yet so it's fine for now.  I'm just going through the logs, making my profiles and the 'Unknown' should get moved to whatever i have created.  When I make a profile, set the CoA to reauth - i would expect the device to then hit the AuthZ rule i made for its profile and get the SGT updated.  What I have to do is create the profiles and go to the switches and issue command 'clear auth session'  Ideally - this would all be automated. 

 

Thoughts?

 

 

I do have a TAC case opened.  I'll report back if anything interesting comes of it.