Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1191
Views
0
Helpful
1
Replies

ISE incorrect user-name attribute within CoA disconnect message?

j.tikovsky
Level 1
Level 1

‎10-20-2021 03:27 AM

Hi all,

we are testing ISE with our non-switches and everything is going smoothly except CoA. We are doing EAP-TLS machine auth with AD and using anyconnect.

Machine is authenticated with username "XYZ" (confirmed by packet capture), the switch is getting access-accept message from ISE with username "XYZ" as confirmation but when we use CoA (doesn't matter if it is just disconnect or port bounce) the CoA message contains username in this format "host\XYZ".

Because the switch needs to receive same username in access accept as is in CoA to process CoA properly it is not working and we are getting CoA NAKs.

Is anybody aware how to go around this? we tried identity rewrite, CoA attributes substitution but nothing helped. Is it bug or feature?

0 Helpful
1 Reply 1

Greg Gibbs
Cisco Employee
Cisco Employee

‎10-20-2021 02:21 PM

The 'host\' prefix is normal for a computer identity as that is how Windows differentiates a computer account from a user account. The identifier ISE uses to send a CoA to the network device is the RADIUS SessionID, not the user/computer name.

The term 'non-switch' is vague so you should ensure the network device in question supports RADIUS CoA (RFC 5176) and that it is configured to accept it from the ISE PSNs.

0 Helpful
Customers Also Viewed These Support Documents