11-08-2021 09:38 AM - edited 11-08-2021 12:01 PM
Hi, I am wondering if I need to have Plus licenses in order to make CoA work for a Wireless Guest environment using a static identity group. I think not, but the thing is that we are detecting that the ISE is not sending CoA to the WLC after guest users successfully log in.
If I go to Administration > System > Profiling, I can see CoA Type: No CoA. I have the feeling it is just something related to CoA when using profiling (we are using static assignment and not dynamic identity group assignment), but I am wondering if it could be causing the issue. I cannot enable CoA in this menu because I only have basic licenses. Thanks for the help.
11-08-2021 01:42 PM
You need Plus (or DNA Advantage in ISE 3.x) to enable Profiling. That CoA you mention, is the mechanism that ISE will use when ISE has profiled an endpoint and then sends a CoA (or not, depending on that setting).
You don't need Plus licenses for ISE to send a CoA - e.g. Guest Portals will still work and use CoA - and you can send a CoA in the Context Visibility.
11-08-2021 11:19 PM - edited 11-08-2021 11:20 PM
Thank you for the information. Just one extra question:
Do you know if there is something which could change the ISE behavior related to CoA and Guest Portals? So that it does not send CoA after guest users successfully authenticate using their username and password in a Self-registration with Sponsor approval portal? Maybe something related to it being mandatory to use/have something specific, or who knows. Thanks.
11-09-2021 01:15 PM
The Guest Portal login behaviour is built-in to send a CoA to the NAS after a successful login. The mechanism works as follows:
NAS sends a MAB request to a PSN - a session is created.
That same PSN must send the URL redirection to the NAS which the client will use
Client logs in
PSN (same as above) sends the CoA to the NAS
Things can go wrong when the URL redirection is not done right - e.g. if you have more than one PSN, and your NAS sends the MAB to PSN1, but due to misconfiguration in ISE, the URL for PSN2 is returned to the NAS. That might explain your issue. You can always confirm that theory by doing a tcpdump on the PSN which you EXPECT to be handling the MAB and URL redirection. Filter the tcpdump on UDP/1812 and UDP/1700 (if it's Cisco) to see the RADIUS MAB and CoA.
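The check suggested in the answer above, written out as an added example that is not part of the original thread or any Cisco tool: a small RADIUS parser plus a function that walks a capture in order and verifies the invariant the answer describes (the PSN that took the MAB on UDP/1812 is the host named in the url-redirect it returned, and the same PSN is the one that later sends the CoA-Request on UDP/1700). The packets, IP addresses, hostnames, the psn-hostname-to-IP map and the session ID in the redirect URL are all constructed for the example; the RADIUS/Cisco-VSA layout and the codes 1/2/43 are standard. In practice you would feed it the packets from the tcpdump the answer recommends rather than the constructed ones.

```python
"""Check a guest-portal RADIUS flow for the URL-redirect / CoA mismatch described above.
Added example: the captures below are constructed, not taken from a real ISE deployment."""
import struct
from urllib.parse import urlparse

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_VENDOR_SPECIFIC = 1, 31, 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1          # VSA vendor-id 9, sub-attribute 1 = cisco-avpair

def build_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, length (incl. the two header bytes), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor-id 9 and a cisco-avpair sub-TLV."""
    sub = build_avp(CISCO_AVPAIR, text.encode())
    return build_avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def build_radius(code: int, ident: int, avps: bytes) -> bytes:
    """20-byte header (authenticator zeroed; not verified here) followed by AVPs."""
    return struct.pack("!BBH", code, ident, 20 + len(avps)) + b"\x00" * 16 + avps

def parse_radius(pkt: bytes) -> dict:
    """Return code, id and attributes; cisco-avpair strings are collected in a list."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs = {"standard": {}, "cisco-avpair": []}
    pos = 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")
        val = pkt[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == VENDOR_CISCO:
            sp = 4                                   # walk the vendor sub-TLVs
            while sp < len(val):
                st, sl = val[sp], val[sp + 1]
                if st == CISCO_AVPAIR:
                    attrs["cisco-avpair"].append(val[sp + 2:sp + sl].decode())
                sp += sl
        else:
            attrs["standard"][t] = val
        pos += l
    return {"code": code, "name": RADIUS_CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def check_guest_flow(packets, psn_by_host):
    """packets: (src_ip, dst_ip, udp_dst_port, raw) in capture order.
    psn_by_host maps the hostname used in url-redirect to the PSN's RADIUS IP.
    Returns a list of findings; an empty list means the flow matches the answer's model."""
    findings, mab_psn, redirect_host, coa_src = [], None, None, None
    for src, dst, dport, raw in packets:
        p = parse_radius(raw)
        if p["code"] == 1 and dport == 1812:         # MAB Access-Request: session owner
            mab_psn = dst
        elif p["code"] == 2:                         # Access-Accept carrying the redirect
            for av in p["attrs"]["cisco-avpair"]:
                if av.startswith("url-redirect="):
                    redirect_host = urlparse(av.split("=", 1)[1]).hostname
        elif p["code"] == 43 and dport == 1700:      # CoA-Request on Cisco's CoA port
            coa_src = src
    if mab_psn is None:
        return ["no MAB Access-Request seen on UDP/1812"]
    if redirect_host is None:
        findings.append("Access-Accept carried no url-redirect")
    elif psn_by_host.get(redirect_host) != mab_psn:
        findings.append(f"url-redirect points at {redirect_host} but the MAB was handled by {mab_psn}")
    if coa_src is None:
        findings.append(f"no CoA-Request on UDP/1700 from {mab_psn} after login")
    elif coa_src != mab_psn:
        findings.append(f"CoA-Request came from {coa_src}, not the session owner {mab_psn}")
    return findings

# Constructed sample data (assumed addresses/hostnames, not from the original post).
NAS, PSN1, PSN2 = "10.0.0.1", "10.0.0.11", "10.0.0.12"
PSN_BY_HOST = {"psn1.example.com": PSN1, "psn2.example.com": PSN2}
MAC = b"00-11-22-33-44-55"

def mab_request(ident=1):
    return build_radius(1, ident, build_avp(ATTR_USER_NAME, MAC) + build_avp(ATTR_CALLING_STATION_ID, MAC))

def accept_with_redirect(host, ident=1):
    url = f"https://{host}:8443/portal/gateway?sessionId=0A00000B0000001A&portal=guest"
    return build_radius(2, ident, build_cisco_avpair("url-redirect-acl=ACL-WEBAUTH-REDIRECT")
                        + build_cisco_avpair(f"url-redirect={url}"))

def coa_request(ident=7):
    return build_radius(43, ident, build_cisco_avpair("subscriber:command=reauthenticate")
                        + build_avp(ATTR_CALLING_STATION_ID, MAC))

GOOD_CAPTURE = [(NAS, PSN1, 1812, mab_request()),
                (PSN1, NAS, 32768, accept_with_redirect("psn1.example.com")),
                (PSN1, NAS, 1700, coa_request())]
# Misconfigured: PSN1 owns the session but hands out PSN2's portal URL; PSN2 has no session, so no CoA follows.
BAD_CAPTURE = [(NAS, PSN1, 1812, mab_request()),
               (PSN1, NAS, 32768, accept_with_redirect("psn2.example.com"))]

if __name__ == "__main__":
    for label, cap in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(label, check_guest_flow(cap, PSN_BY_HOST) or "OK")
```

The redirect hostname is compared against the PSN that received the MAB through an explicit map because the portal FQDN in the URL is normally not the same string as the PSN's RADIUS address; if your deployment uses a load balancer or a shared portal FQDN, that map is where you record which node actually answers.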