Cisco Employee

Looking for OID of SF500 to use "reauthenticate" method of SNMP CoA at ISE 2.4

Hi,

We are doing the Posture assessment with PC <-> SF500 <-> ISE 2.4.

We want to use the SNMP CoA Reauthenticate for posture assessment.

On the PC, we have AnyConnect running to check the posture.

I would like to ask for the OID of the SF500 used by the SNMP CoA reauthenticate option provided by ISE 2.4?

Many thanks for your advice,

Minh

tminh@cisco.com

Accepted Solution

After 802.1x authentication and posture assessment, ISE caches the posture status (e.g. Compliant) and sends CoA to the device (SF). The SF sends MAB authentication and 802.1x due to the CoA, and the posture status changes to "NotApplicable", which causes the loop.


7 Replies
Cisco Employee

Hi Minh,

Currently there is no SNMP OID for the re-authenticate option, as far as I know.

Please use the 'Port Bounce' option for the posture assessment flow to get re-authenticate behavior with the values below:


Hi Salomon,

Thank you for your advice.

Could you please advise in more detail about "use the 'Port Bounce' option for the posture assessment flow to get re-authenticate"?

When I use this port bounce with shut/no shut, I am facing a loop. It means the PC connects again, redoes the posture assessment, then port shut -> port no shut -> reauthentication -> posture assessment again...

I do not know how to break this loop.

rgds,

Minh
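A check an operator stuck in the situation above would want is a quick way to see, from the switch syslog, which ports are being bounced over and over. The following is an added example written for this thread, not code from Cisco, ISE or any poster. The log lines are constructed, and their message format is an assumption made for the example rather than verified SF500 output; adjust the regular expression to the real syslog format before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the thread). The message
# layout "%LINK-W-Down: <port>" / "%LINK-I-Up: <port>" is an assumption made
# for this example; real SF500 output may differ.
SAMPLE_LOG = """\
2019-03-01 10:00:00 sw1 %LINK-W-Down: gi1
2019-03-01 10:00:05 sw1 %LINK-I-Up: gi1
2019-03-01 10:00:40 sw1 %LINK-W-Down: gi1
2019-03-01 10:00:45 sw1 %LINK-I-Up: gi1
2019-03-01 10:01:20 sw1 %LINK-W-Down: gi1
2019-03-01 10:01:25 sw1 %LINK-I-Up: gi1
2019-03-01 10:02:00 sw1 %LINK-W-Down: gi1
2019-03-01 10:02:05 sw1 %LINK-I-Up: gi1
2019-03-01 10:30:00 sw1 %LINK-W-Down: gi5
2019-03-01 10:30:04 sw1 %LINK-I-Up: gi5
"""

# timestamp, hostname, link message, port name
LINE_RE = re.compile(r"^(\S+ \S+) \S+ %LINK-[WI]-(Down|Up): (\S+)$")


def parse_events(text):
    """Turn syslog text into a list of (timestamp, port, 'Down'|'Up') tuples.
    Lines that do not match the link message pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def find_bounce_loops(events, min_bounces=3, window=timedelta(minutes=5)):
    """Return {port: max_downs_in_window} for every port that went down at
    least min_bounces times inside some sliding window of length `window`.

    A single CoA port bounce produces one Down/Up pair; a port that keeps
    producing pairs every minute or so is in the reauth/posture loop the
    thread describes, and is worth looking at before it is reported as a
    flapping link or a failing cable."""
    downs = defaultdict(list)
    for ts, port, state in events:
        if state == "Down":
            downs[port].append(ts)

    flagged = {}
    for port, times in downs.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_bounces:
            flagged[port] = best
    return flagged


if __name__ == "__main__":
    for port, count in find_bounce_loops(parse_events(SAMPLE_LOG)).items():
        print(f"{port}: {count} bounces within 5 minutes, check 802.1x/MAB mode and posture policy")
```

The script only flags the symptom; in the thread the cause turned out to be the port's authentication mode (MAB plus 802.1x), so the flagged port name is the starting point for checking that configuration rather than the link itself.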


Answered offline (via WebEx).


Could only say you are great and thank you very much!


Please share

Cisco Employee

Hi Jason and Salomon,

Salomon has changed the configuration of the SF500 as follows:

- On the interface where the PC is connected, change "dot1x authentication 802.1x MAC" to "dot1x authentication 802.1x", i.e. remove the MAB authentication option and keep just 802.1x.

After this change, when the posture assessment by AnyConnect is "Compliant", ISE does the SNMP CoA with the "port bounce" action and the PC stays in "Compliant" status without looping as in the previous situation.

When we change the condition of the posture assessment and the assessment gives "NonCompliant" status, ISE orders the switch to change the interface to another VLAN correctly.

So in summary, the loop does not occur anymore and SNMP CoA to the SF500 is solved.

@Salomon,

Could you please explain why, when we have just "802.1x" instead of "802.1x MAC", the loop does not happen?

I do not yet understand this phenomenon.

Thanks and rgds,

Minh
