cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1361
Views
0
Helpful
3
Replies

Question about CoA and Plus licenses

morabusa
Beginner
Beginner

Hi, I am wondering if I need to have Plus licenses in order to make work CoA for a Wireless Guest enviroment using a static identity group. I think not, but the thing is that we are detecting that the ISE is not seinding CoA to the WLC after successfully guest users login.

 

If I go to Administration > System > Profiling, I can see CoA Type: No CoA. i have the feeling it is just something related to CoA when using profiling (we are using static assignment and not dynamic identity group assignment), but I am wondering if it could be bringing the issue. I cannot enable CoA for in this menu because I only have basic licenses. Thanks for the help.

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

You need Plus (or DNA Advantage in ISE 3.x) to enable Profiling. That CoA you mention, is the mechanism that ISE will use when ISE has profiled an endpoint and then sends a CoA (or not, depending on that setting).

 

You don't need Plus licenses for ISE to send a CoA - e.g. Guest Portals will still work and use CoA - and you can send a CoA in the Context Visibility.

View solution in original post

3 Replies 3

Arne Bier
VIP
VIP

You need Plus (or DNA Advantage in ISE 3.x) to enable Profiling. That CoA you mention, is the mechanism that ISE will use when ISE has profiled an endpoint and then sends a CoA (or not, depending on that setting).

 

You don't need Plus licenses for ISE to send a CoA - e.g. Guest Portals will still work and use CoA - and you can send a CoA in the Context Visibility.

Thank you for the information. Just one extra question:

 

Do you know if there is something which could change the ISE behavior related to CoA and Guest Portals? So, it does not send CoA after guest users successfuly authenticating using their username and password in a Self-registration with Sponsor approval portal? Maybe something related to being mandatory to use/have something specific or who knows. Thanks.

The Guest Portal login behaviour is built-in to send a CoA to the NAS after a successful login. The mechanism works as follows:

NAS sends a MAB request to a PSN - a session is created. 

That same PSN must sends the URL redirection to the NAS which the client will use

Client logs in

PSN (same as above) sends the CoA to the NAS

 

Things can go wrong when the URL redirection is not done right - e.g. if you have more than one PSN, and your NAS sends the MAB to PSN1, but due to misconfiguration in ISE, the URL for PSN2 is returned to the NAS. That might explain your issue. You can always confirm that theory by doing a tcpdump on the PSN which you EXPECT to be handling the MAB and URL redirection. Filter the tcpdump on UDP/1812 and UDP/1700 (if it's Cisco) to see the RADIUS MAB and CoA. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: