ISE: How to send radius framed ip address of a client in COA-Request?

thorsten.steffen · ‎09-09-2024

Hi,
I read the article concerning network device profiles:
https://community.cisco.com/t5/security-knowledge-base/how-to-create-ise-network-access-device-profiles/ta-p/3631103

Could anybody help out with the question how ISE (3.10 patch 9) can be told to send the radius framed ip address of a client in a COA-Request to a 3rd party switch?
We tried with different approaches but no one worked (= ISE didn't send a COA a request or COA request did not have framed ip address attribute):
- set to Framed-IP-Address
- set to Radius: Framed-IP-Address
- set to 0

Is there maybe a piece of documentation concerning this?

Best Regards
Thorsten

MHM Cisco World · ‎09-09-2024

Why you want to send IP in CoA' after CoA the endpoint will re-auth or port will bounce and hence IP will loss.

You need to send IP in second authz after CoA

MHM

Arne Bier · ‎09-09-2024

@thorsten.steffen what is your source for the framed ip address? Is it contained in the original RADIUS Access-Request?

If you already tried referencing the Radius:Framed-IP-Address and it didn't work, then I'd say ISE doesn't support this. I even tried referencing the Internal User's custom attribute of an IP address and it doesn't allow it (ISE 3.3)

Might have to open a TAC case. I haven't tried testing this in the lab with static values - however, a static value won't help you much either.

In your use case, what is the trigger mechanism that should cause ISE to send the CoA?

thorsten.steffen · ‎09-10-2024

@Arne Bier Source is the framed ip address contained in the Access-Request or the Interims-Update. If I set it to a static value (e.g. 1.2.3.4) it works but this doesn't help. With RADIUS User-Name it works fine: You have to set it to any string (e.g. "test") and ISE will send the real RADIUS User-Name in the COA-Request.

Trigger will be manual at the moment, and we are just testing the COA feature.