Looking for OID of SF500 to use "reauthenticate" method of SNMP CoA at ISE 2.4

tminh
Cisco Employee

Hi,

We are doing the posture assessment with PC <-> SF500 <-> ISE 2.4.

We want to use the SNMP CoA Reauthenticate for posture assessment.

On the PC, we have AnyConnect running to check the posture.

I would like to ask for the OID of the SF500 for the SNMP CoA reauthenticate provided by ISE 2.4.

Many thanks for advice,

Minh

tminh@cisco.com


smashash
Cisco Employee

Hi Minh,

Currently there is no SNMP OID for the re-authenticate option, as far as I know.

Please use the 'Port Bounce' option for the posture assessment flow to get re-authenticate behavior with the below values:

Hi Salomon,

Thank you for your advice.

Could you please advise in more detail about "use 'Port Bounce' option for posture assessment flow to get re-authenticate"?

When I use this port bounce with shut/no shut, I am facing a loop. It means the PC connects again, redoes the posture assessment, then port shut -> port no shut -> reauthenticate -> re-posture assessment...

I do not know how to break this loop.

rgds,

Minh

Answered offline (via WebEx).

Could only say you are great and thank you very much!

Please share

tminh
Cisco Employee

Hi Jason and Salomon,

Salomon has changed the configuration of the SF500 as follows:

- In the interface where the PC is connected, change "dot1x authentication 802.1x MAC" to "dot1x authentication 802.1x", i.e. remove the MAB authentication option and keep just 802.1x.

After this change, when the posture assessment by AnyConnect is "Compliant", ISE does the SNMP CoA with the "port bounce" action and the PC stays in "Compliant" status without looping as in the previous situation.

When we change the condition of the posture assessment and the assessment gives "NonCompliant" status, ISE orders the switch to move the interface to another VLAN correctly.

So in summary, the loop does not occur anymore and SNMP CoA to the SF500 is solved.

@Salomon,

Could you please explain why, when we have just "802.1x" instead of "802.1x MAC", the loop does not happen?

I do not yet understand this phenomenon.

Thanks and rgds,

Minh

After 802.1x authentication and posture assessment, ISE caches the posture status (e.g. Compliant) and sends CoA to the device (SF). The SF sends MAB authentication and 802.1x due to the CoA, and the posture status changes to "NotApplicable", and that causes the loop.
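As an added example (not taken from the thread), the SF500 access-port settings Minh describes, with the looping setting beside the working one; the interface name and the port-control line are assumptions, not from the post:

```cisco
! Before: MAB and 802.1X both enabled on the access port.
! After the ISE port-bounce CoA the switch re-runs MAB as well as 802.1X,
! the cached posture becomes NotApplicable, and the posture/CoA loop starts.
interface gi1/1/1            ! assumed interface name
 dot1x port-control auto     ! assumed, typical for a posture-enforced port
 dot1x authentication 802.1x mac
!
! After: 802.1X only (MAB removed), as in the working configuration.
interface gi1/1/1            ! assumed interface name
 dot1x port-control auto     ! assumed
 dot1x authentication 802.1x
```

After the change, check with the switch's dot1x show output that the port reports 802.1X only, and in ISE Live Logs that a port bounce is followed by a single 802.1X session rather than a MAB/802.1X pair.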