cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8903
Views
20
Helpful
4
Replies

Juniper EX Network Device Profile with CoA

Greg Gibbs
Cisco Employee
Cisco Employee

I recently worked with a customer that is deploying Juniper EX switches with their existing ISE 2.6 cluster for NAC. We found that the currently available Network Device Profile for Juniper EX switches did not provide the ability to perform CoA actions against an active session.
After working with the customer and their Juniper resources, we confirmed that the Juniper switches being deployed do support the Cisco AV-Pair for 'subscriber:command=reauthenticate' to provide for basic CoA Reauth. Based on the customer testing, I have updated the XML file and attached it here for others to use. Please note that the Juniper switches do not support the additional Cisco AVP attributes for 'rerun' and 'last' so all three Re-authenticate attributes (Base, Rerun, Last) use only the single AV-Pair. As such, all three CoA actions have the same result.

The Juniper resource also confirmed that the Juniper switches being deployed support CoA Port-Bounce based on this document. ISE does not have a default Dictionary for this AVP, so it requires manually adding the attribute and updating the Network Device Profile to use it (I could not include this in the attached XML as the import fails with a 'validation error' without the Dictionary being added first).

Add the Dictionary:

Screen Shot 2020-08-05 at 12.35.59 pm.png

Update the Juniper Network Device Profile:

Screen Shot 2020-08-05 at 12.53.05 pm.png

 

This was validated by the customer using the following components:

ISE 2.6 patch 6

Hardware EX4300-48P

Junos:18.4R2-S2

 

The NAC-related configuration provided by the Juniper resources was:

set access radius-server <ip> dynamic-request-port 3799
set access radius-server <ip> secret <secret>
set access profile 8021x-auth accounting-order radius
set access profile 8021x-auth authentication-order radius
set access profile 8021x-auth radius authentication-server <ip>
set access profile 8021x-auth radius accounting-server <ip>
set access profile 8021x-auth radius options nas-port-type ethernet ethernet
set access profile 8021x-auth radius-server <ip> port 1812
set access profile 8021x-auth radius-server <ip> dynamic-request-port 3799
set access profile 8021x-auth radius-server <ip> secret <secret>
set access profile 8021x-auth radius-server <ip> source-address <src-ip>
set access profile 8021x-auth accounting order radius
set access profile 8021x-auth accounting accounting-stop-on-failure
set access profile 8021x-auth accounting accounting-stop-on-access-deny
set access profile 8021x-auth accounting coa-immediate-update
set access profile 8021x-auth accounting update-interval 30
!
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from source-prefix-list MGMT_PREFIX
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from source-prefix-list NSM_PREFIX
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from protocol udp
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA from destination-port 3799
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then policer radius-policer
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then count radius_coa
set firewall family inet filter v4_PROTECT_RE_FILTER term PERMIT_RADIUS_CoA then accept

I hope this helps others looking at a similar deployment.

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee
Thank you Greg! This is a great contribution!

View solution in original post

4 Replies 4

thomas
Cisco Employee
Cisco Employee
Thank you Greg! This is a great contribution!

JPavonM
VIP
VIP

Thank you Greg

szafar
Level 1
Level 1

Using Cisco AAA (Cisco prime Access registrar 9.2) and Juniper BNG, PoD is working find. With CoA 99% of times getting the error code 503: Session context not found. I have similar NAC configurations as yours. What could be wrong? Appreciate your response.

jozefklacko
Level 1
Level 1

Hi,

I believe, that attribute name of item 52 is "Juniper-AV-Pair". Value Port-Bounce seems to be OK.  https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/802-1x-authentication-switching-devices.html

Jozef