rmueller@cisco.com
Cisco Employee

ISE CoA for ASA VPN connections via API

Hi all,

searching for a possibility to send a CoA via ISE to an ASA to terminate a VPN connection. The examples that I found require a MAC address with the API call, but VPNs don't have a MAC address.

Is there a way to do that?

Thanks in advance.

Roland

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

See CSCuz18895. It does not seem supported today.

It sounds like a feature request.

For break fix issues please reach out to the TAC. For feature requests please reach out to our Product managers for cisco employees at http://cs.co/ise-pm or public at http://cs.co/ise-feedback 

10 REPLIES 10
kthiruve
Cisco Employee

CoA is Change of Authorization, which happens when a certain change of state happens, e.g. if you run AnyConnect posture from non-compliant to compliant.

I am not sure what the use case is here, but here is some documentation I found that may be of use; it explains in detail how to integrate ASA and ISE for CoA:

https://communities.cisco.com/docs/DOC-68158

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

-Krishnan

Hey Hsing, do you know if that defect applies to all VPN sessions or just IPSec? The public notes only mention IPSec so I’m just wondering.

Thanks!

I believe it is unique to ASA, with no difference between IPSec and SSL VPN. The main issue is that the ASA requires Acct-Session-ID and Audit-Session-ID in CoA requests, and the CoA by the REST API is not sending them.

We could probably try EPS disconnects instead of M&T CoA.

I tested it and confirmed that the M&T REST API for CoA is not working with SSL VPN as well, so I updated the bug. EPS Quarantine and UnQuarantine By IP do terminate the VPN sessions.

Hello,

I'm having the same problem, using ISE 2.4 patch 8 with ASA 9.2.4.

Is Cisco planning to fix this bug?

Regards

Silla Rizzoli

It sounds like a feature request.

For break fix issues please reach out to the TAC. For feature requests please reach out to our Product managers for cisco employees at http://cs.co/ise-pm or public at http://cs.co/ise-feedback 

Hello,

it's not really a feature request, because if I invoke CoA from the Active Sessions ISE GUI, it works just fine.

I'll reach out to TAC to try to get it fixed.

Regards

Silla Rizzoli

Fully agree with you, this is a bug since from the GUI it is working.

Did you move forward with TAC?

It looks like it's finally solved in ISE 2.4 patch 11; check out the bug -> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz18895

Haven't tried it yet, however.

Best regards

Silla
