Question about CoA and Plus licenses

morabusa
Level 1

Hi, I am wondering if I need to have Plus licenses in order to make CoA work for a Wireless Guest environment using a static identity group. I think not, but the thing is that we are detecting that the ISE is not sending CoA to the WLC after guest users successfully log in.

If I go to Administration > System > Profiling, I can see CoA Type: No CoA. I have the feeling it is just something related to CoA when using profiling (we are using static assignment and not dynamic identity group assignment), but I am wondering if it could be causing the issue. I cannot enable CoA in this menu because I only have basic licenses. Thanks for the help.

Accepted Solutions

Arne Bier
VIP

You need Plus (or DNA Advantage in ISE 3.x) to enable Profiling. That CoA you mention is the mechanism that ISE will use when ISE has profiled an endpoint and then sends a CoA (or not, depending on that setting).

You don't need Plus licenses for ISE to send a CoA - e.g. Guest Portals will still work and use CoA - and you can send a CoA in the Context Visibility.


Thank you for the information. Just one extra question:

Do you know if there is something which could change the ISE behavior related to CoA and Guest Portals, so that it does not send CoA after guest users successfully authenticate using their username and password in a Self-registration with Sponsor approval portal? Maybe something related to being mandatory to use/have something specific or who knows. Thanks.

The Guest Portal login behaviour is built-in to send a CoA to the NAS after a successful login. The mechanism works as follows:

NAS sends a MAB request to a PSN - a session is created.

That same PSN must send the URL redirection to the NAS which the client will use

Client logs in

PSN (same as above) sends the CoA to the NAS

Things can go wrong when the URL redirection is not done right - e.g. if you have more than one PSN, and your NAS sends the MAB to PSN1, but due to misconfiguration in ISE, the URL for PSN2 is returned to the NAS. That might explain your issue. You can always confirm that theory by doing a tcpdump on the PSN which you EXPECT to be handling the MAB and URL redirection. Filter the tcpdump on UDP/1812 and UDP/1700 (if it's Cisco) to see the RADIUS MAB and CoA.
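
The check suggested in the reply above, as an added example that is not part of the original thread: given RADIUS packets already pulled out of a tcpdump on UDP/1812 and UDP/1700, it verifies that the PSN that received the MAB request is the one named in the `url-redirect` Cisco-AVPair and the one that sends the CoA. The addresses, hostnames, redirect URL and the `psn_hosts` map (PSN IP to the hostname it uses in redirect URLs) are constructed for illustration, and extracting the packets from the capture file is assumed to be done elsewhere.

```python
import struct
from urllib.parse import urlparse

ACCESS_REQUEST, ACCESS_ACCEPT, COA_REQUEST = 1, 2, 43   # RADIUS codes (CoA: RFC 5176)

def cisco_avpairs(pkt: bytes) -> list:
    """Return the Cisco-AVPair strings (VSA: vendor 9, type 1) in one RADIUS packet."""
    end, pos, pairs = struct.unpack("!H", pkt[2:4])[0], 20, []   # 20-byte header
    while pos + 2 <= min(end, len(pkt)) and pkt[pos + 1] >= 2:
        atype, alen = pkt[pos], pkt[pos + 1]
        val = pkt[pos + 2:pos + alen]
        if atype == 26 and len(val) > 6 and val[:5] == struct.pack("!IB", 9, 1):
            pairs.append(val[6:4 + val[5]].decode("ascii", "replace"))
        pos += alen
    return pairs

def check_flow(packets, psn_hosts):
    """Check (src_ip, dst_ip, udp_dst_port, radius_bytes) tuples given in capture order."""
    findings, owner, coa_seen = [], None, False
    for src, dst, dport, data in packets:
        if data[0] == ACCESS_REQUEST and dport == 1812:
            owner = dst                                  # PSN that holds the session
        elif data[0] == ACCESS_ACCEPT and src == owner:
            for pair in cisco_avpairs(data):
                if pair.startswith("url-redirect="):
                    host = urlparse(pair.split("=", 1)[1]).hostname
                    if host not in (src, psn_hosts.get(src)):
                        findings.append(f"redirect points at {host}, session is on {src}")
        elif data[0] == COA_REQUEST and dport == 1700:
            coa_seen = True
            if src != owner:
                findings.append(f"CoA from {src}, session is on {owner}")
    if owner and not coa_seen:
        findings.append(f"no CoA on UDP/1700 from {owner}")
    return findings

def build(code, avpairs=()):
    """Constructed RADIUS packet (zeroed authenticator) used as sample input."""
    attrs = b"".join(bytes([26, len(p) + 8]) + struct.pack("!IBB", 9, 1, len(p) + 2)
                     + p.encode() for p in avpairs)
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

WLC, PSN1 = "10.0.0.5", "10.0.0.11"                      # constructed addresses
PSN_HOSTS = {PSN1: "psn1.example.test", "10.0.0.12": "psn2.example.test"}
def capture(redirect_host, with_coa):
    url = f"url-redirect=https://{redirect_host}:8443/portal?sessionId=abc"
    pkts = [(WLC, PSN1, 1812, build(ACCESS_REQUEST)), (PSN1, WLC, 32768, build(ACCESS_ACCEPT, [url]))]
    return pkts + ([(PSN1, WLC, 1700, build(COA_REQUEST))] if with_coa else [])

print(check_flow(capture("psn2.example.test", False), PSN_HOSTS))
print(check_flow(capture("psn1.example.test", True), PSN_HOSTS))
```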