cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1261
Views
4
Helpful
34
Replies
Highlighted
Cisco Employee

ISE Posture with Non-compatible switches like Cisco 2950

Team,

I would like to find out following is possible for ISE posture with non-compatible switch like 2950:

Setup:

  • ISE 2.3
  • Non-compatible switch Cisco 2950

Goal:

  • Achieve posture checking on endpoint

Suggest Solution:

  • Implement AnyConnect on Endpoint for 802.1x and Posture checking
  • Use port denounce to move endpoint to  quarantine VLAN for non-compliance endpoint
  • I am not sure if this is part of SNMP CoA.  If not, is it possible to use SNMP CoA as well to achieve similar goal

Regards,

Leslie

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Advocate

SNMP CoA does not work on most Cisco switches due to CSCvb48180 [ENH ISE SNMP support for cisco switches].  This is being addressed in ISE 2.4

/Craig

View solution in original post

34 REPLIES 34
Highlighted
Advocate

SNMP CoA does not work on most Cisco switches due to CSCvb48180 [ENH ISE SNMP support for cisco switches].  This is being addressed in ISE 2.4

/Craig

View solution in original post

Highlighted

Thanks Craig for the info. I am not familiar with SNMP CoA and as you've mentioned that 2950 does not support SNMP CoA, but is it possible to use SNMP to shut and no shut or to debounce the switch port if connected device does not meet the posture compliance requirement?

Regards,

Leslie

Highlighted

Hi Crag,

Reason for denounce is to change the VLAN due to failure of posture requirements.

Regards,

Leslie

Highlighted

Review bug id.  It is specific to SNMP CoA which is used for purpose of bouncing port (shut/no shut) in absence of RADIUS CoA, or specific SNMP command that is able to perform port bounce or reauth.

Highlighted

Noted and thanks.

Regards,

Leslie

Highlighted

Hi All,

We have tested with ISE 2.4 beta with SNMP COA with 2950G, After posture status get compliant ISE is sending a SNMP COA request to the port.

But the posture flow start from begining after the SNMP shut/no shut happens on the swith port. So it keep happens

May be due to session ID changes? Any clue?

regards

hasitha

Highlighted

Are you on the latest beta build?

Highlighted

Yeah.. We are on the latest build, downloaded one week back.

SNMP COA is happening,but port shut/no shut giving the ISE to think as new request.

Seems the account ID changes with all the request.

So posture checking keep happening.

In the ISE settings posture lease have configured like this.Since the sessions ID change create as new auth request

Perform posture assessment every time a user connects to the network


I changed it using posture assement every day. It stopped that. But that creates a new issue.

Even the non compliant device moves to compliant stage after remidiation,still it's on the old rule.

regards

hasitha

Highlighted

Seems like it would be compliant if you only require 1x a day

I am inquiring when it’s expected

Highlighted

I think Our issue is ISE  SNMP COA shut/No Shut creates  new auth request from the switch with different sessions, may be due to a bug.

So new auth request makes the posture agent to keep running posture check status.So it makes the loop.

yeah ...please

Regards

hasitha

Highlighted

CSCvb48180 is still being worked on. You are correct that the session stitching having some issues.

Highlighted

I believe you will find the solution to be to configure the device as vendor "Other".  You can duplicate existing Cisco profile, but change vendor to non-Cisco.  The reason being is that session stitching logic is specific to 3rd-party NADs.

Please note that this community is not for answering questions on beta builds.  Please use the beta support alias for pre-release code.

Craig

Highlighted

Hi Chyps,

It worked, the posture scan checking as a loop has stopped. Now it only check twice.Any ideas why it check twice?

But still 2950G switches we have seen the NAS port -ID as zero. So it sends SNMP COA for port 0.Not for the correct port.

Regards

Hasitha

Highlighted

That issue is due to selecting vendor type as Cisco.  If set vendor to value Other, then NAS-Port should get set correctly.   Alternatively, you could use the NAS-Port-Id which I also used in testing.  However, you will need Regex to capture the proper interface name.  I was planning on writing a guide later this spring to highlight some of these use cases, but understand you are trying to config now.

I have notified engineering team of the inconsistencies.  Realize that session stitching is typically not required or desirable for most Cisco switches that support RADIUS CoA, and that most/all 3rd-party switches do not support CoA Reauth, which is why current logic does not perform this function when vendor set to "Cisco".