05-22-2018 07:54 AM
Hi all,
searching for a possibility to send a CoA via ISE to an ASA to terminate a VPN connection. The examples that I found require a MAC address with the API call, but VPNs don't have a MAC address.
Is there a way to do that?
Thanks in advance.
Roland
05-22-2018 12:14 PM - last edited on 05-29-2019 07:38 AM by Jason Kunst
See CSCuz18895. It does not seem supported today.
It sounds like a feature request.
For break/fix issues please reach out to the TAC. For feature requests please reach out to our Product Managers: Cisco employees at http://cs.co/ise-pm, or the public at http://cs.co/ise-feedback
05-22-2018 11:02 AM
CoA is Change of Authorization, which happens when a certain change of state occurs, e.g. if AnyConnect posture moves from non-compliant to compliant.
I am not sure what the use case is here, but here is some documentation I found that may be of use and explains in detail how to integrate ASA and ISE for CoA:
https://communities.cisco.com/docs/DOC-68158
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
-Krishnan
05-22-2018 01:22 PM
Hey Hsing, do you know if that defect applies to all VPN sessions or just IPSec? The public notes only mention IPSec so I’m just wondering.
Thanks!
05-22-2018 02:59 PM
I believe it is unique to ASA, but there is no difference between IPsec and SSL VPN. The main issue is that the ASA requires Acct-Session-ID and Audit-Session-ID in CoA requests, and the CoA sent by the REST API is not including them.
We could probably try EPS disconnects instead of M&T CoA.
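The attributes the post above says the ASA expects, shown as an added example that is not code from this thread or from Cisco: a minimal RFC 5176 Disconnect-Request encoder that carries Acct-Session-Id and the Cisco `audit-session-id` AV pair, plus a parser a receiver could use to check they are present. The user name, session ids and shared secret are constructed placeholders.

```python
import hashlib
import struct

DISCONNECT_REQUEST = 40      # RFC 5176 packet code for a CoA Disconnect-Request
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor-type of the cisco-avpair VSA


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(pair: str) -> bytes:
    """Wrap a cisco-avpair string ('audit-session-id=...') in a Vendor-Specific attribute."""
    payload = pair.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_disconnect_request(identifier: int, secret: bytes, user: str,
                             acct_session_id: str, audit_session_id: str) -> bytes:
    """Build a Disconnect-Request that identifies the session the way the ASA requires."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
             + cisco_avpair(f"audit-session-id={audit_session_id}"))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 Request Authenticator: MD5 over the packet with the authenticator field zeroed,
    # followed by the shared secret; the receiver recomputes it before acting on the request.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check that the packet was built with the expected shared secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the top-level attributes so a receiver can see what is present."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return out
```

A request missing attribute 44 or the `audit-session-id` AV pair is exactly what the thread describes the REST-originated CoA sending, which the ASA will not match to a VPN session.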
05-22-2018 05:32 PM
I tested it and confirmed that the M&T REST API for CoA is not working with SSL VPN either, so I updated the bug. EPS Quarantine and UnQuarantine By IP do terminate the VPN sessions.
05-29-2019 03:08 AM
Hello,
I'm having the same problem, using ISE 2.4 patch 8 with ASA 9.2.4.
Is Cisco planning to fix this bug?
Regards
Silla Rizzoli
05-29-2019 07:47 AM
Hello,
it's not really a feature request, because if I invoke CoA from the Active Sessions ISE GUI, it works just fine.
I'll reach out to TAC to try to get it fixed.
Regards
Silla Rizzoli
11-26-2019 08:45 AM
Fully agree with you, this is a bug, since from the GUI it is working.
Did you move forward with TAC ?
01-29-2020 03:15 AM
It looks like it's finally solved in ISE 2.4 patch 11; check out the bug -> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz18895
Haven't tried it yet, however.
Best regards
Silla