Nadav
Rising star

ISE 3.0: Posture PRA - setting up CoA

Hi everyone,

I'm interested in configuring PRA to reassess every X hours. To my understanding, the enforcement is performed via a CoA action towards the NAD. I've configured the NAD (9300 switch) as a dynamic-author with client server and password, but I can't perform a manual CoA action on the Live Session.

I keep getting a "Dynamic-Authorization failed" message on the ISE, and Wireshark doesn't show that a CoA action on port UDP 1700 is being sent from the PSN.

1) My PSNs don't run the profiler service since I'm using them for 802.1x and Posturing. Any chance I need to enable Profiling Service in order to enable CoA on an ISE PSN? I ask because the Profile Settings have a global CoA configuration.

2) If no Profiling Service is required for PRA, what else could be the matter?

Thanks.

Accepted Solutions

Hi,

aaa accounting identity default start-stop group RADIUS-GROUP

is the new style for "aaa accounting dot1x default start-stop", which is already configured.

I got manual CoA working by unblocking a port between PAN and PSN (UDP 3799). Now I can perform CoA manually via Live Sessions.

This hasn't fixed my underlying problem of reassessments not working against updated Posture policies even after several PRAs, but I think I'll open a separate thread for that.

Thanks for the help
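
To check a capture for what this thread describes (whether a CoA request was sent to UDP 1700 or 3799, and how the NAD answered), here is an added example that is not part of the original posts and is not Cisco code. It parses RADIUS Dynamic Authorization packets per RFC 5176; the function names are hypothetical, and the addresses, source ports and packets in SAMPLE are constructed.

```python
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}   # RFC 5176 packet codes
DYNAUTH_PORTS = {1700, 3799}   # the two UDP ports mentioned in the thread
ERROR_CAUSE = 101              # RFC 5176 Error-Cause attribute type

def parse_dynauth(payload):
    """Return (code name, identifier, Error-Cause or None); None if not a valid DynAuth packet."""
    if len(payload) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in CODES or not 20 <= length <= len(payload):
        return None
    cause, pos = None, 20            # attributes start after the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None              # malformed attribute list
        if a_type == ERROR_CAUSE and a_len == 6:
            cause = struct.unpack("!I", payload[pos + 2:pos + 6])[0]
        pos += a_len
    return CODES[code], ident, cause

def coa_outcomes(datagrams):
    """Map (sender, NAD, identifier) -> (request, reply or 'no reply seen', Error-Cause)."""
    seen = {}
    for src, sport, dst, dport, payload in datagrams:
        parsed = parse_dynauth(payload)
        if parsed is None:
            continue
        name, ident, cause = parsed
        is_req = name.endswith("Request")
        if is_req and dport in DYNAUTH_PORTS:
            seen[(src, dst, ident)] = (name, "no reply seen", None)
        elif not is_req and sport in DYNAUTH_PORTS and (dst, src, ident) in seen:
            seen[(dst, src, ident)] = (seen[(dst, src, ident)][0], name, cause)
    return seen

def _pkt(code, ident, attrs=b""):    # constructed packet; zeroed authenticator is not verified
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

PSN, NAD = "192.0.2.10", "192.0.2.50"    # constructed documentation addresses
SAMPLE = [                               # constructed capture, not taken from the thread
    (PSN, 40001, NAD, 1700, _pkt(43, 7)),
    (NAD, 1700, PSN, 40001, _pkt(45, 7, bytes([ERROR_CAUSE, 6]) + struct.pack("!I", 503))),
    (PSN, 40002, NAD, 1700, _pkt(43, 8)),
    (PSN, 40003, NAD, 3799, _pkt(40, 9)),
    (NAD, 3799, PSN, 40003, _pkt(41, 9)),
]
```

Calling `coa_outcomes(SAMPLE)` returns one entry per request; a "no reply seen" entry, or no entry at all for an expected request, shows on which side of the capture point the packet was lost.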
