recurrent scheduling CoA in ISE for specific id-group

Hi Gents.

I need something strange at first glance: scheduled CoA for the sessions of devices belonging to a specific id-group. I have a group of e/ps getting into a special MAB fallback authorization policy if the e/p fails to AAA with dot1x. Unfortunately quite a number of e/ps fail dot1x if they sleep (let's say) => they fall back to MAB & become affected. The only remote centralized means to make them renegotiate AAA in the sequence configured on the port is to trigger CoA port-bounce. Well... I'm looking for a scalable way to code it on ISE.

Any ideas please?

4 Replies

Mike.Cifelli
VIP Alumni

Have you considered configuring a reauthentication timer in your specific authz profiles? You could build out your separate dot1x and mab global policies and push authz however you wish based on whatever conditions.  Then in each authz profile you could check the box for reauth timer with a time that you think is feasible.  I know in DoD environments STIGs say to reauth hosts every 60 minutes.  In this scenario the reauth timer will get pushed down to each endpoint session and you can view the details with #show auth sess interface <>x/x/x detail.  HTH!

Hi Mike,

Reauthentication timers are actually being used in both dot1x & mab-fallback profiles for the target group (3 & 11 H correspondingly). When the e/p from the id-group is authenticated & authorized by the dot1x policies it gets the 3H timer & then, being unattended for some time, it goes to sleep & when the 3 H expire the port tries to reauthenticate the e/p again, but this time the e/p doesn't respond to dot1x & falls to the mab-profile. It doesn't look like the port was being bounced during reauthentication, because we've also checked that with just reauthen-CoA, which resulted in the same. Only CoA w/ port-bounce does what we need.

Have you looked into Wake-on-LAN (WoL)? I would also check the power management settings under the NIC properties. Some info on WoL:
When WoL is enabled, the connected host is in sleeping mode or a power-down state, and the host does not exchange traffic with other devices in the network. However, it is capable of receiving magic packets & EAPOL packets. See here for more detail:
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html

We have 'authen control-dir in' configured.

May the approach fail because of the below, as we use host-mode multi-auth?

Restrictions for IEEE 802.1X Wake on LAN Support

WoL is supported only on ports configured in 802.1X single-host, multihost and multidomain modes.

whilst our standard host-mode is multi-auth.

Anyway, our goal is to abstract from the e/p's NIC settings etc. We want to manage the case of scheduled CoA for the specific id-group from ISE.
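One way to build the scheduled, id-group-scoped CoA the thread is asking for, as an added example that is not from any poster or from Cisco: a job (run from cron or a scheduler) that takes the active sessions reported by MnT, keeps only the endpoints that belong to the target Identity Group and are currently authorized via MAB (i.e. dot1x reauthentication failed and the port fell back), and issues a CoA port-bounce for each of them through the ISE MnT REST API. The MnT URL shape `/admin/API/mnt/CoA/Disconnect/<psn>/<mac>/<type>` with type 1 = port bounce is taken from the ISE API reference as I remember it and is an assumption to verify against your ISE release; the session list, MACs, hostnames and credentials are constructed sample values.

```python
"""Scheduled CoA port-bounce for MAB-fallback sessions of one Identity Group.

Added example, not code from the thread or from Cisco. Assumptions (verify on
your ISE release): MnT CoA endpoint
  GET https://<mnt-node>/admin/API/mnt/CoA/Disconnect/<psn-hostname>/<MAC>/<type>
with type 0 = default disconnect, 1 = port bounce, 2 = port shutdown, using HTTP
Basic auth for an account that holds MnT admin rights.
"""
import base64
import re
import ssl
import urllib.request
from dataclasses import dataclass

MNT_DISCONNECT_PATH = "/admin/API/mnt/CoA/Disconnect/{psn}/{mac}/{kind}"  # assumption
PORT_BOUNCE = 1  # disconnect type 1 = port bounce (assumption, see docstring)

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


@dataclass(frozen=True)
class Session:
    mac: str          # endpoint MAC as reported by MnT (any common notation)
    psn: str          # hostname of the PSN that owns the session
    auth_method: str  # e.g. "dot1x" or "mab"


def normalize_mac(raw: str) -> str:
    """Accept 0011.22aa.bbcc, 00-11-22-AA-BB-CC or 001122aabbcc; return 00:11:22:AA:BB:CC."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def select_fallback_sessions(sessions, group_macs):
    """Sessions whose endpoint is in the target Identity Group AND is authorized
    via MAB right now; dot1x sessions in the group are healthy and left alone."""
    wanted = {normalize_mac(m) for m in group_macs}
    return [s for s in sessions
            if normalize_mac(s.mac) in wanted and s.auth_method.lower() == "mab"]


def bounce_url(mnt_host: str, session: Session) -> str:
    """Build the CoA port-bounce URL for one session (URL shape is an assumption)."""
    return "https://" + mnt_host + MNT_DISCONNECT_PATH.format(
        psn=session.psn, mac=normalize_mac(session.mac), kind=PORT_BOUNCE)


def plan_bounces(mnt_host, sessions, group_macs):
    """Return the list of CoA URLs the scheduled run would hit; nothing is sent."""
    return [bounce_url(mnt_host, s) for s in select_fallback_sessions(sessions, group_macs)]


def send_coa(url, user, password, verify_tls=True, timeout=10):
    """Issue the CoA with HTTP Basic auth; returns the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab MnT node with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


# Constructed sample: three active sessions as an MnT active-session lookup might report them.
SAMPLE_SESSIONS = [
    Session("00:11:22:AA:BB:01", "psn1.example.com", "mab"),   # in group, fell back -> bounce
    Session("0011.22aa.bb02", "psn2.example.com", "dot1x"),    # in group, still dot1x -> skip
    Session("00-11-22-AA-BB-03", "psn1.example.com", "mab"),   # MAB but not in group -> skip
]
# Constructed sample: MACs of the endpoints in the target Identity Group.
SAMPLE_GROUP = ["00:11:22:aa:bb:01", "00:11:22:aa:bb:02"]

if __name__ == "__main__":
    for url in plan_bounces("mnt.example.com", SAMPLE_SESSIONS, SAMPLE_GROUP):
        print("would GET", url)  # in the real job: send_coa(url, user, password)
```

Run this from a scheduler at the interval you want; the group membership can come from an ERS endpoint query or from a static list, and the session list from the MnT active-session API. Keeping the selection in `select_fallback_sessions` is what limits the blast radius: only endpoints that are both in the group and already on the MAB fallback profile get bounced, so a dot1x-authorized session on the same switch is never touched.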
