Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2530
Views
10
Helpful
5
Replies

ISE 3.0: Posture PRA - setting up CoA

Go to solution
Nadav
Level 7
Level 7

‎02-16-2022 03:23 AM

Hi everyone,

 

I'm interested in configuring PRA to reassess every X hours, to my understanding the enforcement is performed via a CoA action towards the NAD. I've configured the NAD (9300 switch) as a dynamic-author with client server and password, but I can't perform a manual CoA action on the Live Session.

 

I keep getting a "Dynamic-Authorization failed" message on the ISE and wireshark doesn't show that a CoA action on port UDP 1700 is being sent from the PSN.

 

1) My PSNs don't run the profiler service since I'm using them for 802.1x and Posturing, any chance I need to enable Profiling Service in order to enable CoA on an ISE PSN? I ask because the Profile Settings have a global CoA configuration.

 

2) If no Profiling Service is required for PRA, what else could be the matter? 

 

Thanks.

1 Accepted Solution

Accepted Solutions

Go to solution
Nadav
Level 7
Level 7
In response to Arne Bier

‎02-23-2022 01:52 AM

Hi,

 

aaa accounting identity default start-stop group RADIUS-GROUP

Is the new-style for "aaa accounting dot1x default start-stop" which is already configured.  

 

I got manual CoA working by unblocking a port between PAN and PSN (UDP 3799). Now I can perform CoA manually via Live Sessions.

 

This hasn't fixed my underlying problem of reassessments not working against updated Posture policies even after several PRAs, but I think I'll open a separate thread for that.

 

Thanks for the help

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Arne Bier
VIP
VIP

‎02-17-2022 12:37 PM

The wireshark check is very useful - and I assume you made sure that you ran the tcpdump on the correct PSN (if there is more than one PSN).

I find that if I am unable to perform a manual CoA via the Live Sessions screen, then there might be an issue with the Session creation. In other words, the Session is not considered "Active". Is the NAD sending RADIUS Accounting to ISE? With the Interim Update set to 2880 minutes?

 

 

Go to solution
Nadav
Level 7
Level 7
In response to Arne Bier

‎02-18-2022 10:02 AM

Hi,

 

I confirmed that the session-id on the switfch is correctly reported to ISE. I also manually bounced the port via CLI to see a new session-id was created for both endpoint and ISE. 

 

"aaa accounting update newinfo periodic 2880" is configured. I'm running ISE 3.0 P4.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Nadav

‎02-20-2022 12:30 PM

And the other accounting command (2nd one shown below)? Just checking ... without that I would expect this behaviour

 

aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group RADIUS-GROUP
0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to Arne Bier

‎02-23-2022 01:52 AM

Hi,

 

aaa accounting identity default start-stop group RADIUS-GROUP

Is the new-style for "aaa accounting dot1x default start-stop" which is already configured.  

 

I got manual CoA working by unblocking a port between PAN and PSN (UDP 3799). Now I can perform CoA manually via Live Sessions.

 

This hasn't fixed my underlying problem of reassessments not working against updated Posture policies even after several PRAs, but I think I'll open a separate thread for that.

 

Thanks for the help

0 Helpful

Go to solution
InfraTeamCY4
Level 1
Level 1
In response to Nadav

‎06-07-2023 12:23 AM

Hi Nadav,

How did you unblock UDP port 3799 between the PAN and the PSN? Is it done via CLI or via the GUI?

Also, tried to confirm whether port 1700 is enabled under the radius configuration of my switch to make sure the CoA send/listen/reply is unobstructed, but cannot find it explicitly configured on the switch and not sure how to configure it via CLI.

Thanks!

0 Helpful
Customers Also Viewed These Support Documents