2326 Views, 10 Helpful, 5 Replies

ISE 3.0: Posture PRA - setting up CoA

Nadav
Level 7

Hi everyone,

I'm interested in configuring PRA to reassess every X hours; to my understanding the enforcement is performed via a CoA action towards the NAD. I've configured the NAD (9300 switch) as a dynamic-author with client server and password, but I can't perform a manual CoA action on the Live Session.

I keep getting a "Dynamic-Authorization failed" message on the ISE, and Wireshark doesn't show that a CoA action on port UDP 1700 is being sent from the PSN.

1) My PSNs don't run the profiler service since I'm using them for 802.1X and Posturing. Any chance I need to enable Profiling Service in order to enable CoA on an ISE PSN? I ask because the Profile Settings have a global CoA configuration.

2) If no Profiling Service is required for PRA, what else could be the matter?

Thanks.

1 Accepted Solution

Accepted Solutions

Hi,

aaa accounting identity default start-stop group RADIUS-GROUP

is the new-style form of "aaa accounting dot1x default start-stop", which is already configured.

I got manual CoA working by unblocking a port between PAN and PSN (UDP 3799). Now I can perform CoA manually via Live Sessions.

This hasn't fixed my underlying problem of reassessments not working against updated Posture policies even after several PRAs, but I think I'll open a separate thread for that.

Thanks for the help

5 Replies

Arne Bier
VIP

The wireshark check is very useful - and I assume you made sure that you ran the tcpdump on the correct PSN (if there is more than one PSN).

I find that if I am unable to perform a manual CoA via the Live Sessions screen, then there might be an issue with the Session creation. In other words, the Session is not considered "Active". Is the NAD sending RADIUS Accounting to ISE? With the Interim Update set to 2880 minutes?

Hi,

I confirmed that the session-id on the switch is correctly reported to ISE. I also manually bounced the port via CLI to see that a new session-id was created for both endpoint and ISE.

"aaa accounting update newinfo periodic 2880" is configured. I'm running ISE 3.0 P4.

And the other accounting command (2nd one shown below)? Just checking ... without that I would expect this behaviour

aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group RADIUS-GROUP

Hi Nadav,

How did you unblock UDP port 3799 between the PAN and the PSN? Is it done via CLI or via the GUI?

Also, I tried to confirm whether port 1700 is enabled under the RADIUS configuration of my switch, to make sure the CoA send/listen/reply path is unobstructed, but I cannot find it explicitly configured on the switch and am not sure how to configure it via CLI.

Thanks!
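Two things in this thread are worth seeing in working form: the "Dynamic-Authorization failed" symptom from the original post (the PSN that owns the session sends a RADIUS CoA/Disconnect-Request to the NAD's dynamic-author listener, and the NAD silently drops it if the sender is not a configured client or the shared secret is wrong), and the last reply's question about port 1700. On IOS-XE the listener port is set with `port` under `aaa server radius dynamic-author`; 1700 is the default, which is why it does not appear in the running configuration. The script below is an added example, not code from the thread, from Cisco ISE or from IOS-XE: it builds and checks RFC 5176 Disconnect/CoA packets so you can test a switch's listener directly from a host with a known secret, and renders the dynamic-author stanza for a list of PSNs (every PSN that may send CoA must be a client on the NAD). The switch address 192.0.2.10, PSN addresses 10.1.1.11/12, the secret and the session id are made-up placeholders.

```python
"""RADIUS dynamic authorization (RFC 5176) test helpers.

Added example for this thread; not from the original post, Cisco ISE or IOS-XE.
All addresses, the shared secret and the session id below are placeholders.
"""
import hashlib
import socket
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# RFC 2865/2866 attributes a NAD uses to locate the session (ISE takes
# Acct-Session-Id from RADIUS accounting, which is why accounting must be on)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs (type, length, value)."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(packet):
    """Walk the attribute section of a RADIUS packet back into (type, value) pairs."""
    attrs, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(code, identifier, secret, attrs):
    """CoA-Request / Disconnect-Request with the RFC 5176 section 3 Request
    Authenticator: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """The check the NAD performs on receipt; a wrong secret fails here and the
    packet is dropped without any reply, which is what the PSN then reports."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def build_response(code, request, secret, attrs=()):
    """ACK/NAK as the NAD sends it: the Response Authenticator covers the
    Request Authenticator of the request it answers."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Reject a reply that is not bound to our request and our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def send_request(nad_ip, packet, port=1700, timeout=3.0):
    """Send to the NAD's dynamic-author listener (IOS-XE default UDP 1700);
    returns the raw reply, or None when the NAD stayed silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nad_ip, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None


def dynamic_author_config(psn_ips, server_key, port=1700):
    """IOS-XE stanza for the NAD: one client line per PSN that may send CoA."""
    lines = ["aaa server radius dynamic-author"]
    lines += [" client %s server-key %s" % (ip, server_key) for ip in psn_ips]
    lines += [" port %d" % port, " auth-type any"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder values (assumption): 192.0.2.10 is the switch, the session id
    # is what the switch reported in RADIUS accounting.
    secret = b"s3cret"
    req = build_request(DISCONNECT_REQUEST, 1, secret, [
        (ATTR_ACCT_SESSION_ID, "0A0102030000001A"),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    ])
    print(dynamic_author_config(["10.1.1.11", "10.1.1.12"], "s3cret"))
    reply = send_request("192.0.2.10", req)
    if reply is None:
        print("no reply: NAD not listening on UDP 1700, wrong secret, or sender is not a client")
    else:
        print("reply code", reply[0], "authentic:", verify_response(reply, req, secret))
```

Run it from a host the switch accepts as a dynamic-author client while capturing on the switch side: a silent timeout points at the client/secret/port configuration on the NAD, while a Disconnect-NAK with a valid Response Authenticator means the listener is fine and the session identification (Acct-Session-Id from accounting) is the problem, which is the split Arne's accounting question was probing.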