Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2573
Views
0
Helpful
0
Replies

ISE 2.4 p11 Profiling CoA Issues

zsmithtek
Level 1
Level 1

‎02-25-2020 09:09 AM

Here is a similar post for 2.6 which I just replied to.  But thought i'd make a separate discussion.

https://community.cisco.com/t5/network-access-control/coa-issue-after-profiling-on-ise-2-6-patch-3/m-p/3986567

 

 

I'm running 2.4 patch 11 and i'm having an issue where a device does not re-authenticate via CoA after getting a new profile.  I'm testing with an IP phone.  I made a test profile with a certainty factor of 300.  Currently it is profiled correctly as an IP-phone-9xxx or whatever the model is.  I have an AuthZ rule in my policy set matching on logical profile of 'Approved IP phones' and an SGT of say "phone".

 

My test profile policy matches this devices MAC address w/ a CF of 300.  I apply CoA setting of 'reauth'  (global CoA setting = disabled).  I also have an AuthZ rule matching this test profile getting a different SGT of say "CoA_Test"

 

I go to the context/visibility page and verify my phone does get the correct profile.  At this point I would expect the phone to re-authenticate and because it is profiled in my test profile it should match the associated AuthZ rule but I don't see a reauth in the live logs.  If I 'clear auth sessions' on the switch - then it gets the new AuthZ rule and the SGT is updated.  If I go to the Radius - live sessions and manually issue a CoA reuath - it works fine.  

 

So my question is - am I missing something?  is there a bug for this?  See below...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs05437/?rfs=iqvred

 

What i'm wanting to do is apply this to my 'unknown' SGT devices.  As i'm adding 10-20 switches in a weekend I can get several hundred 'unknown' SGTs.  I have a default MAB for permit access and have not pushed any SGT matrix policy yet so it's fine for now.  I'm just going through the logs, making my profiles and the 'Unknown' should get moved to whatever i have created.  When I make a profile, set the CoA to reauth - i would expect the device to then hit the AuthZ rule i made for its profile and get the SGT updated.  What I have to do is create the profiles and go to the switches and issue command 'clear auth session'  Ideally - this would all be automated. 

 

Thoughts?

 

 

I do have a TAC case opened.  I'll report back if anything interesting comes of it.

0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents