ISE sending CoA Disconnect if VPN user not present in AD groups referenced in authorization rules

umahar
Cisco Employee

I have defined a policy set with the flow below:

-VPN user initially hits the posture Unknown rule and the redirection URL is pushed

-Endpoint gets compliant and ISE issues CoA

-If the endpoint belongs to an AD group referenced in the authorization profile then it should get access, otherwise the endpoint should hit the default Deny rule.

The behaviour I am seeing is when an endpoint does not belong to an AD group ISE directly sends a CoA Disconnect. If the user belongs to an AD group then CoA Reauth is sent.

Shouldn't I expect ISE to send a CoA Reauth after the endpoint gets compliant whether the user belongs to a group or not? If the user does not belong to an AD group it should hit the Default Deny rule after a Reauth.


Peter Koltl
Level 7

Events:

  • ISE receives posture report
  • second evaluation of authZ policy starts on ISE (top-down first match)
  • first hit rule assigns a new authZ profile
  • CoA is sent (reauth if some kind of permit result, disconnect if DenyAccess)
  • If CoA-reauth: NAD sends new Access-Request
  • ISE replies with Access-Accept containing new authZ profile
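A constructed model of the evaluation described in the events above, added here as an illustration and not ISE code or its API: the policy set mirrors the original question (posture Unknown rule, a compliant-plus-AD-group permit rule, a catch-all DenyAccess rule); the rule names, the AD group "VPN-Users" and the user names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed model of ISE's second authZ evaluation after a posture report.
# Assumptions: rule names, group names and session attributes are made up.

@dataclass
class Session:
    user: str
    posture: str        # "Unknown" | "Compliant" | "NonCompliant"
    ad_groups: set      # AD groups the authenticated user belongs to

@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    profile: str        # authZ profile assigned when the rule hits
    deny: bool = False  # True when the result is DenyAccess

# Same order as the policy set in the question: top-down, first match wins.
POLICY = [
    Rule("Posture_Unknown", lambda s: s.posture == "Unknown", "Posture_Redirect"),
    Rule("Compliant_VPN_Users",
         lambda s: s.posture == "Compliant" and "VPN-Users" in s.ad_groups,
         "PermitAccess"),
    Rule("Default", lambda s: True, "DenyAccess", deny=True),
]

def evaluate(policy: List[Rule], session: Session) -> Rule:
    """Top-down, first-match evaluation; returns the rule that hits."""
    for rule in policy:
        if rule.matches(session):
            return rule
    raise RuntimeError("policy set must end with a catch-all rule")

def coa_after_posture(policy: List[Rule], session: Session):
    """(rule name, profile, CoA type) ISE sends once the posture report arrives."""
    rule = evaluate(policy, session)
    return rule.name, rule.profile, ("Disconnect" if rule.deny else "Reauth")

def exchange_after_posture(policy: List[Rule], session: Session) -> List[str]:
    """Message sequence after the posture report, following the events above."""
    rule = evaluate(policy, session)
    if rule.deny:
        return [f"CoA-Disconnect (rule {rule.name})"]   # no reauth follows
    return [f"CoA-Reauth (rule {rule.name})",
            "Access-Request (NAD re-authenticates the session)",
            f"Access-Accept ({rule.profile})"]
```

Run with a compliant user inside and outside "VPN-Users" to see why the second case ends in a CoA Disconnect rather than a Reauth followed by the Deny rule.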