04-03-2020 01:12 AM
Hi Gents.
I need something strange at first glance: a scheduled CoA for the sessions of devices belonging to a specific ID group. I have a group of endpoints that get into a special MAB fallback authorization policy if the endpoint fails AAA with dot1x. Unfortunately quite a number of endpoints fail dot1x if they sleep (let's say) => they fall back to MAB and become affected. The only remote, centralized means to make them renegotiate AAA in the sequence configured on the port is to trigger a CoA port bounce. Well... I'm looking for a scalable way to code it on ISE.
Any ideas please?
04-03-2020 05:26 PM
Have you considered configuring a reauthentication timer in your specific authz profiles? You could build out your separate dot1x and MAB global policies and push authz however you wish based on whatever conditions. Then in each authz profile you could check the box for the reauth timer with a time that you think is feasible. I know in DoD environments STIGs say to reauth hosts every 60 minutes. In this scenario the reauth timer will get pushed down to each endpoint session and you can view the details with #show auth sess interface <x/x/x> detail. HTH!
04-04-2020 04:26 AM - edited 04-04-2020 09:58 AM
Hi Mike,
Reauthentication timers are actually being used in both the dot1x and MAB-fallback profiles for the target group (3 and 11 hours respectively). When an endpoint from the ID group is authenticated and authorized by the dot1x policies it gets the 3-hour timer; then, being unattended for some time, it goes to sleep, and when the 3 hours expire the port tries to reauthenticate the endpoint again, but this time the endpoint doesn't respond to dot1x and falls to the MAB profile. It doesn't look like the port was bounced during reauthentication, because we've also checked that with just a reauthentication CoA, which resulted in the same. Only a CoA with port bounce does what we need.
04-04-2020 06:32 AM
04-04-2020 09:48 AM
We have authentication control-direction in configured.
May the approach fail because of the below, as we use host-mode multi-auth?
WoL is supported only on ports configured in 802.1X single-host, multi-host and multi-domain modes.
whilst our standard host mode is multi-auth.
Anyway, our goal is to abstract from the endpoints' NIC settings etc. We want to manage the case of a scheduled CoA for the specific ID group from ISE.
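As an added illustration of the "scalable way to code it on ISE" the thread is after (this is example code, not from the thread or from Cisco): a script meant to be run from cron that pulls the live session list from the ISE monitoring node, keeps only the sessions whose MAC belongs to the identity group (supplied as a file of MACs exported from that group), skips the ones that did pass 802.1X, and issues a port-bounce CoA for the rest through the MnT CoA API. The REST paths (/admin/API/mnt/Session/ActiveList and /admin/API/mnt/CoA/Disconnect/<psn>/<mac>/<type>, with type 1 being port bounce), the element names in the session XML, and the rule that a MAB session's user_name is its own MAC are assumptions to verify against your ISE release; the session XML in the block is constructed, not captured from ISE.

```python
"""Scheduled port-bounce CoA for every endpoint of one ISE identity group.

Example code, not from the thread or from Cisco. The MnT REST paths, the
session XML element names and the MAB-detection rule are assumptions; check
them against your ISE release before relying on this in production.
Usage: python3 bounce_group.py https://ise.example.local apiuser 'pw' group_macs.txt
"""
import base64
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Assumed MnT disconnect types: 0 = default, 1 = port bounce, 2 = port shutdown
PORT_BOUNCE = 1

# Constructed sample of an ActiveList answer (not a real ISE capture); the element
# names are assumptions to verify against GET /admin/API/mnt/Session/ActiveList.
SAMPLE_ACTIVE_LIST = """<?xml version="1.0"?>
<activeList noOfActiveSession="3">
  <activeSession>
    <user_name>AA-BB-CC-00-11-22</user_name>
    <calling_station_id>AA:BB:CC:00:11:22</calling_station_id>
    <nas_ip_address>10.1.1.10</nas_ip_address>
    <server>ise-psn-1</server>
  </activeSession>
  <activeSession>
    <user_name>host/laptop1.example.local</user_name>
    <calling_station_id>AA:BB:CC:00:11:33</calling_station_id>
    <nas_ip_address>10.1.1.10</nas_ip_address>
    <server>ise-psn-1</server>
  </activeSession>
  <activeSession>
    <user_name>DE-AD-BE-EF-00-01</user_name>
    <calling_station_id>DE:AD:BE:EF:00:01</calling_station_id>
    <nas_ip_address>10.1.1.11</nas_ip_address>
    <server>ise-psn-2</server>
  </activeSession>
</activeList>
"""


def normalize_mac(mac):
    """Canonical AA:BB:CC:00:11:22 so that ISE, switch and file spellings compare equal."""
    hexdigits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_active_sessions(xml_text):
    """Flatten the ActiveList XML into dicts with mac, psn (node that owns the session), nas, user."""
    root = ET.fromstring(xml_text)
    sessions = []
    for s in root.iter("activeSession"):
        mac = s.findtext("calling_station_id")
        if not mac:
            continue
        sessions.append({"mac": normalize_mac(mac),
                         "psn": s.findtext("server"),
                         "nas": s.findtext("nas_ip_address"),
                         "user": s.findtext("user_name")})
    return sessions


def is_mab_session(session):
    """Assumption: a MAB session's user_name is the MAC itself (in whatever spelling
    the switch sent), while an 802.1X session carries a real user or host identity."""
    try:
        return normalize_mac(session["user"] or "") == session["mac"]
    except ValueError:
        return False


def select_targets(sessions, group_macs, mab_only=True):
    """Keep sessions of endpoints in the group; with mab_only, only those that fell back to MAB."""
    wanted = {normalize_mac(m) for m in group_macs}
    return [s for s in sessions
            if s["mac"] in wanted and (not mab_only or is_mab_session(s))]


def coa_url(base, psn, mac, coa_type=PORT_BOUNCE):
    """Assumed MnT path: /admin/API/mnt/CoA/Disconnect/<psn hostname>/<mac>/<type>."""
    return "%s/admin/API/mnt/CoA/Disconnect/%s/%s/%d" % (base.rstrip("/"), psn, mac, coa_type)


def ise_get(url, user, password, verify_tls=True):
    """Basic-auth GET against ISE; keep TLS verification on and trust the ISE admin CA."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                               "Accept": "application/xml"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def bounce_group(base, user, password, group_macs, fetch=ise_get):
    """Fetch live sessions, pick the group's MAB sessions, send one port bounce each.
    Returns the CoA URLs that were called (fetch is injectable for dry runs and tests)."""
    active = parse_active_sessions(fetch(base.rstrip("/") + "/admin/API/mnt/Session/ActiveList",
                                         user, password))
    urls = [coa_url(base, s["psn"], s["mac"]) for s in select_targets(active, group_macs)]
    for url in urls:
        fetch(url, user, password)
    return urls


if __name__ == "__main__":
    base, user, password, mac_file = sys.argv[1:5]
    with open(mac_file) as fh:
        macs = [line.strip() for line in fh if line.strip()]
    for url in bounce_group(base, user, password, macs):
        print("bounced:", url)
```

Run it from the scheduler at the interval you want (a time-of-day when sleeping hosts are least likely to be in use); the MnT queries all go to the monitoring node, while the CoA URL names the PSN that owns the session, which is why the script carries the server element along. Restrict the API account to the MnT admin and read roles it needs, and watch for the 11-hour MAB timer racing the schedule: a bounce right before a reauth buys nothing.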