I would like to find out whether the following is possible for ISE posture with a non-compatible switch like the 2950:
We have tested ISE 2.4 beta with SNMP CoA on a 2950G. After the posture status becomes compliant, ISE sends an SNMP CoA request to the port.
But the posture flow starts from the beginning after the SNMP shut/no shut happens on the switch port, so it keeps happening.
Maybe due to session ID changes? Any clue?
Yeah... We are on the latest build, downloaded one week back.
SNMP CoA is happening, but the port shut/no shut is making ISE treat it as a new request.
It seems the account ID changes with every request.
So posture checking keeps happening.
In the ISE settings the posture lease is configured like this, since the session ID change is treated as a new auth request:
|Perform posture assessment every time a user connects to the network|
I changed it to perform posture assessment every day. That stopped it, but it creates a new issue.
Even when the non-compliant device moves to the compliant stage after remediation, it still stays on the old rule.
I believe you will find the solution to be to configure the device as vendor "Other". You can duplicate the existing Cisco profile, but change the vendor to non-Cisco. The reason is that the session stitching logic is specific to 3rd-party NADs.
Please note that this community is not for answering questions on beta builds. Please use the beta support alias for pre-release code.
That issue is due to selecting the vendor type as Cisco. If you set the vendor to the value Other, then NAS-Port should get set correctly. Alternatively, you could use the NAS-Port-Id, which I also used in testing. However, you will need a regex to capture the proper interface name. I was planning on writing a guide later this spring to highlight some of these use cases, but I understand you are trying to configure this now.
I have notified engineering team of the inconsistencies. Realize that session stitching is typically not required or desirable for most Cisco switches that support RADIUS CoA, and that most/all 3rd-party switches do not support CoA Reauth, which is why current logic does not perform this function when vendor set to "Cisco".
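The NAS-Port-Id regex approach mentioned in the answer above, as an added example that is not part of this thread and not Cisco's or ISE's own code. It shows what a network device profile's regex has to do for an SNMP CoA to land on the right port: pull the interface name out of the RADIUS NAS-Port-Id attribute (Cisco IOS switches send values such as "FastEthernet0/12"), expand abbreviated names, strip a subinterface suffix, and then map the name to an SNMP ifIndex via IF-MIB::ifDescr so that ifAdminStatus (1.3.6.1.2.1.2.2.1.7) can be set for the shut/no shut. The sample NAS-Port-Id values, the abbreviation table and the ifDescr table standing in for an SNMP walk are all constructed for the example; a real deployment would walk ifDescr on the switch.

```python
import re

# Constructed sample values, shaped like the NAS-Port-Id a Cisco IOS switch
# places in a RADIUS Access-Request. These are made up for the example.
SAMPLE_NAS_PORT_IDS = [
    "FastEthernet0/12",
    "GigabitEthernet1/0/24",
    "Fa0/3",            # abbreviated form
    "Gi2/0/1.100",      # subinterface: the ".100" must be dropped
    "AsyncPort7",       # not a switch port; no slot/port numbering
]

# Constructed stand-in for an SNMP walk of IF-MIB::ifDescr (ifIndex -> name).
# Hypothetical values, not taken from a real device.
FAKE_IFDESCR_TABLE = {
    10003: "FastEthernet0/3",
    10012: "FastEthernet0/12",
    10124: "GigabitEthernet1/0/24",
    10201: "GigabitEthernet2/0/1",
}

# Assumed abbreviation map; extend it for the interface types in use.
LONG_NAMES = {
    "Fa": "FastEthernet",
    "Gi": "GigabitEthernet",
    "Te": "TenGigabitEthernet",
    "Et": "Ethernet",
}

# IF-MIB::ifAdminStatus; the SNMP CoA sets this per ifIndex (2 = down, 1 = up).
IF_ADMIN_STATUS_OID = "1.3.6.1.2.1.2.2.1.7"

# Interface type letters, then slot/module/port digits separated by "/",
# optionally followed by a ".<vlan>" subinterface suffix that we discard.
PORT_RE = re.compile(r"^(?P<type>[A-Za-z]+)(?P<slots>\d+(?:/\d+)*)(?:\.\d+)?$")


def interface_from_nas_port_id(value):
    """Return the canonical interface name from a NAS-Port-Id, or None."""
    m = PORT_RE.match(value.strip())
    if not m:
        return None
    itype = m.group("type")
    # Expand "Fa" -> "FastEthernet"; a full name like "FastEthernet" is kept
    # as-is because it is its own prefix.
    for short, long_name in LONG_NAMES.items():
        if itype.lower() == short.lower() or long_name.lower().startswith(itype.lower()):
            itype = long_name
            break
    return f"{itype}{m.group('slots')}"


def ifindex_for_nas_port_id(value, ifdescr_table):
    """Map a NAS-Port-Id to an ifIndex using an ifDescr table, or None."""
    name = interface_from_nas_port_id(value)
    if name is None:
        return None
    by_name = {descr: idx for idx, descr in ifdescr_table.items()}
    return by_name.get(name)


def if_admin_status_oid(ifindex):
    """OID instance the CoA would SET to shut (2) / no shut (1) the port."""
    return f"{IF_ADMIN_STATUS_OID}.{ifindex}"


if __name__ == "__main__":
    for nas_port_id in SAMPLE_NAS_PORT_IDS:
        idx = ifindex_for_nas_port_id(nas_port_id, FAKE_IFDESCR_TABLE)
        target = if_admin_status_oid(idx) if idx is not None else "no ifIndex found"
        print(f"{nas_port_id:24} -> {interface_from_nas_port_id(nas_port_id)} -> {target}")
```

A NAS-Port-Id that does not match the regex, or whose expanded name is absent from the ifDescr table, yields None rather than a guessed port; an SNMP CoA aimed at the wrong ifIndex would bounce an unrelated user's port, so failing closed here is the safer behaviour.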