Problems with CoA Request

amunoz1
Level 1

Hello,
I am currently having a problem in the posture process, where the CoA Request sent by ISE is sometimes sent from the secondary ISE and fails, leaving the authorization change without effect and therefore without network access, since the user's authorization profile never changes.


This happens both in VPN and wired network.

For now we are focused on the VPN solution. The FW (FTD) has ISE01 as its primary server.

I attach images where you can see that when the CoA Request is sent from ISE01, the posture process is completed successfully.

I also attach an image where the CoA error can be seen when the request is sent from ISE02.


I have heard that this problem can occur when there are load balancers on the PSN, but in this case there are no load balancers in the network.
It is important to mention that the Dynamic authorization configuration is correctly applied in the FTDs.


Thanks for your help.

1 Reply

Arne Bier
VIP

Hello @amunoz1 


While I don't have much experience with the ISE Posture process, I would argue that the CoA should always be sent by the PSN which is currently handling the endpoint session. In other words, if the FTD selected ISE 1 for the VPN auth/authz then ISE should create a session, and then if the endpoint Posture has been processed, ISE 1 should send the CoA.


In the ISE LiveLogs/Reports, can you see whether or not ISE 2 is used by the FTD during VPN auth? If so, why is this happening?


But if you are 100% sure that FTD uses only ISE 1, and then the subsequent CoA comes from ISE 2, then I would open a TAC case.


ISE 'Node Groups' can be defined to allow one PSN to take over from another PSN if the primary PSN fails - this is typically useful in Guest Flow. But it also involves a CoA being sent from the backup PSN to the NAS, forcing the endpoint to log in again, thus creating a new session on the new PSN. So in theory it could be possible that a different PSN sends the CoA. Are you using Node groups?
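As an added diagnostic example (not part of the original thread, and not Cisco's code): the reply above asks two things that can be answered by correlating the Live Log export rather than by eyeballing screenshots, namely which PSN the FTD actually authenticated each session against, and whether any CoA was logged by a PSN other than the one owning the session. The script below does both over a constructed, simplified export. The column names `session_id`, `server`, `event`, `nas_ip` and the event strings are assumptions; a real ISE Live Log CSV export uses different headers, so map them onto these fields before running it on real data.

```python
"""Correlate a (constructed) ISE Live Log export to spot CoA requests sent by
a PSN other than the one that authenticated the session.

Added example for this thread; not Cisco code. Column names and event strings
are assumptions: map them onto the headers of a real Live Log export first.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data. Session ...0002 reproduces the symptom from the
# thread: ISE01 authenticates the VPN session, but the CoA is logged by ISE02
# and fails. Session ...0003 shows the NAS itself failing over to ISE02.
SAMPLE_LIVELOG = """\
session_id,server,event,nas_ip
0a0a0a0100000001,ISE01,Authentication succeeded,10.0.0.1
0a0a0a0100000001,ISE01,Dynamic Authorization succeeded,10.0.0.1
0a0a0a0100000002,ISE01,Authentication succeeded,10.0.0.1
0a0a0a0100000002,ISE02,Dynamic Authorization failed,10.0.0.1
0a0a0a0100000003,ISE02,Authentication succeeded,10.0.0.1
0a0a0a0100000003,ISE02,Dynamic Authorization succeeded,10.0.0.1
"""

AUTH_EVENT = "Authentication succeeded"           # assumed event label
COA_EVENTS = {"Dynamic Authorization succeeded",   # assumed event labels
              "Dynamic Authorization failed"}


@dataclass
class SessionTrace:
    """What one RADIUS session looked like across the deployment."""
    nas_ip: str
    auth_server: Optional[str] = None                      # PSN that authenticated
    coa_events: List[Tuple[str, str]] = field(default_factory=list)  # (PSN, event)


def parse_livelog(text: str) -> Dict[str, SessionTrace]:
    """Group Live Log rows by session ID, keeping the auth PSN and CoA events."""
    sessions: Dict[str, SessionTrace] = {}
    for row in csv.DictReader(io.StringIO(text)):
        trace = sessions.setdefault(row["session_id"], SessionTrace(row["nas_ip"]))
        if row["event"] == AUTH_EVENT:
            trace.auth_server = row["server"]
        elif row["event"] in COA_EVENTS:
            trace.coa_events.append((row["server"], row["event"]))
    return sessions


def auth_servers_per_nas(sessions: Dict[str, SessionTrace]) -> Dict[str, Set[str]]:
    """Which PSNs did each NAS actually authenticate against? If the FTD is
    supposed to use only ISE01 but ISE02 shows up here, the NAS failed over."""
    result: Dict[str, Set[str]] = {}
    for trace in sessions.values():
        if trace.auth_server:
            result.setdefault(trace.nas_ip, set()).add(trace.auth_server)
    return result


def find_cross_psn_coa(sessions: Dict[str, SessionTrace]) -> List[dict]:
    """Flag CoA events logged by a PSN that does not own the session, and
    CoAs for sessions with no successful authentication in the export."""
    findings = []
    for sid, trace in sessions.items():
        for coa_server, event in trace.coa_events:
            if trace.auth_server is None or coa_server != trace.auth_server:
                findings.append({
                    "session_id": sid,
                    "nas_ip": trace.nas_ip,
                    "auth_server": trace.auth_server,
                    "coa_server": coa_server,
                    "coa_event": event,
                })
    return findings


if __name__ == "__main__":
    sessions = parse_livelog(SAMPLE_LIVELOG)
    print("PSNs used per NAS:", auth_servers_per_nas(sessions))
    for f in find_cross_psn_coa(sessions):
        print(f"session {f['session_id']}: authenticated on {f['auth_server']}, "
              f"CoA from {f['coa_server']} -> {f['coa_event']}")
```

If `auth_servers_per_nas` shows only ISE01 for the FTD while `find_cross_psn_coa` still reports CoAs from ISE02, that is the "100% sure" case the reply says is worth a TAC case; if ISE02 appears as an authenticating PSN, the FTD is failing over (or a Node Group takeover is happening) and the CoA source is explained by that.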