Cisco Employee
Juniper EX Network Device Profile with CoA

I recently worked with a customer that is deploying Juniper EX switches with their existing ISE 2.6 cluster for NAC. We found that the currently available Network Device Profile for Juniper EX switches did not provide the ability to perform CoA actions against an active session.
After working with the customer and their Juniper resources, we confirmed that the Juniper switches being deployed do support the Cisco AV-Pair for 'subscriber:command=reauthenticate' to provide for basic CoA Reauth. Based on the customer testing, I have updated the XML file and attached it here for others to use. Please note that the Juniper switches do not support the additional Cisco AVP attributes for 'rerun' and 'last', so all three Re-authenticate attributes (Base, Rerun, Last) use only the single AV-Pair. As such, all three CoA actions have the same result.

The Juniper resource also confirmed that the Juniper switches being deployed support CoA Port-Bounce based on this document. ISE does not have a default Dictionary for this AVP, so it requires manually adding the attribute and updating the Network Device Profile to use it (I could not include this in the attached XML as the import fails with a 'validation error' without the Dictionary being added first).

Add the Dictionary:

[Screenshot: Screen Shot 2020-08-05 at 12.35.59 pm.png]

Update the Juniper Network Device Profile:

[Screenshot: Screen Shot 2020-08-05 at 12.53.05 pm.png]

This was validated by the customer using the following components:

ISE 2.6 patch 6
Hardware EX4300-48P
Junos: 18.4R2-S2

The NAC-related configuration provided by the Juniper resources was:

set access radius-server <ip> dynamic-request-port 3799
set access radius-server <ip> secret <secret>
set access profile 8021x-auth accounting-order radius
set access profile 8021x-auth authentication-order radius
set access profile 8021x-auth radius authentication-server <ip>
set access profile 8021x-auth radius accounting-server <ip>
set access profile 8021x-auth radius options nas-port-type ethernet ethernet
set access profile 8021x-auth radius-server <ip> port 1812
set access profile 8021x-auth radius-server <ip> dynamic-request-port 3799
set access profile 8021x-auth radius-server <ip> secret <secret>
set access profile 8021x-auth radius-server <ip> source-address <src-ip>
set access profile 8021x-auth accounting order radius
set access profile 8021x-auth accounting accounting-stop-on-failure
set access profile 8021x-auth accounting accounting-stop-on-access-deny
set access profile 8021x-auth accounting coa-immediate-update
set access profile 8021x-auth accounting update-interval 30
!
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from source-prefix-list MGMT_PREFIX
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from source-prefix-list NSM_PREFIX
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from protocol udp
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from destination-port 3799
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then policer radius-policer
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then count radius_coa
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then accept

I hope this helps others looking at a similar deployment.
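The post describes the CoA-Request that ISE sends to the switch's dynamic-request port (UDP 3799) carrying the Cisco AV-Pair 'subscriber:command=reauthenticate', and the firewall term that only accepts such packets from MGMT_PREFIX. The example below is an added illustration, not code from the post, from Cisco or from Juniper: it encodes a CoA-Request per RFC 5176 (code 43, Request Authenticator computed over the packet with the shared secret), then applies the checks a receiver should make before acting on it, namely a source-prefix allowlist standing in for the PERMIT_RADIUS_CoA term, header sanity checks, and the authenticator check that catches a wrong secret or an altered packet. Only the reauthenticate AV-Pair is encoded, because the three ISE Re-authenticate actions all map to it; the port-bounce attribute is not modelled since the post does not name it. All addresses, the MAC and the secret are constructed demo values, and the function and constant names are this example's own.

```python
"""RFC 5176 CoA-Request encoder and receiver-side validator.

Added example, not from the post or from Cisco/Juniper. Addresses, the MAC
address and the shared secret below are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import struct

COA_REQUEST = 43            # RADIUS Code for CoA-Request (RFC 5176)
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor type of Cisco-AVPair inside attribute 26
ATTR_NAMES = {ATTR_NAS_IP_ADDRESS: "NAS-IP-Address",
              ATTR_CALLING_STATION_ID: "Calling-Station-Id"}

SECRET = b"constructed-demo-secret"      # constructed; stands in for <secret>
MGMT_PREFIX = ["192.0.2.0/24"]           # constructed; stands in for MGMT_PREFIX


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1), Length (1), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(pair: str) -> bytes:
    """Encode a Cisco-AVPair (Vendor-Id 9, vendor type 1) in a Vendor-Specific attribute."""
    raw = pair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(raw)) + raw
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier: int, secret: bytes, attributes: bytes) -> bytes:
    """Assemble a CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def parse_attributes(data: bytes) -> list:
    """Decode the attribute list into (name, value) pairs, expanding Cisco VSAs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA header")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad VSA length")
                name = ("Cisco-AVPair" if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR)
                        else f"VSA-{vendor}-{vtype}")
                out.append((name, value[j + 2:j + vlen].decode(errors="replace")))
                j += vlen
        elif atype == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            out.append((ATTR_NAMES[atype], str(ipaddress.IPv4Address(value))))
        else:
            out.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value.decode(errors="replace")))
        i += alen
    return out


def verify_coa_request(packet: bytes, secret: bytes, src_ip: str, allowed_prefixes) -> tuple:
    """Checks a switch (or a monitoring tap) should apply before acting on a CoA-Request:
    source inside the permitted management prefixes, a sane header, and a Request
    Authenticator that matches the shared secret. Returns (accepted, detail)."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(p) for p in allowed_prefixes):
        return False, f"CoA from {src_ip} is outside the permitted prefixes"
    if len(packet) < 20:
        return False, "packet shorter than the RADIUS header"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        return False, f"unexpected RADIUS code {code}"
    if length != len(packet):
        return False, "Length field does not match datagram size"
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "Request Authenticator mismatch (wrong secret or altered packet)"
    try:
        return True, parse_attributes(attributes)
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"


def reauth_request(identifier: int = 1) -> bytes:
    """The reauthenticate CoA that ISE's Base, Rerun and Last actions all reduce to."""
    attrs = (attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("198.51.100.5").packed)  # constructed
             + attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")                     # constructed
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_coa_request(identifier, SECRET, attrs)


def demo() -> dict:
    """Run the validator over a good packet and three conditions it must reject."""
    pkt = reauth_request()
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])   # flip one bit in the AV-Pair value
    return {
        "from_mgmt": verify_coa_request(pkt, SECRET, "192.0.2.10", MGMT_PREFIX),
        "from_outside": verify_coa_request(pkt, SECRET, "203.0.113.9", MGMT_PREFIX),
        "wrong_secret": verify_coa_request(pkt, b"other-secret", "192.0.2.10", MGMT_PREFIX),
        "tampered": verify_coa_request(tampered, SECRET, "192.0.2.10", MGMT_PREFIX),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} - {detail}")
```

The prefix check runs first on purpose: it mirrors the switch's firewall term, which drops CoA datagrams from anywhere but the management prefixes before the RADIUS layer ever sees them, so a wrong-secret attempt from an unexpected source never reaches the authenticator comparison. The authenticator check is what the `secret` lines in the access profile buy you; without a matching secret the switch cannot distinguish an ISE-originated CoA from any other UDP datagram on port 3799.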

Accepted Solution

Cisco Employee

Thank you Greg! This is a great contribution!