cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

353
Views
15
Helpful
6
Replies
Highlighted
VIP Advisor

Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

Hello

 

I have a concern that when the Cisco WLC has RADIUS Profiling (Device Sensor) enabled on its WLAN profile, then it could cause the ISE server to send a CoA reauth to the session when it senses an endpoint profiling update (e.g. client connects for the first time and then ISE subsequently learns that it's a Windows device).

 

Since the global CoA reauth is enabled, am I correct in thinking that a wireless session would be re-authorized when ISE profiles a newly connected wireless client?

 

CoA reauth.PNG

 

I am relying on CoA reauth because of the Wired 802.1X/MAB configuration - here it's working as expected and it's required. But I don't want any re-auth to happen on my wireless network, because I don't want/need profiling there.

 

Am I worried about nothing? Or is this a potential issue for the stability of wireless clients ?

 

Everyone's tags (2)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
VIP Advisor

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

It depends on why you don't want to reauth. Generally speaking you ensure
consistent policy enforcement with CoA to avoid security breaches.

If you want to disable CoA for WiFi, you disable that on the WLC without
touching ISE. This way WLC won't send a CoA message and ISE won't react.

***** please remember to rate useful posts

View solution in original post

Highlighted
VIP Advisor

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

I was thinking the same thing about the CoA once upon initial connection etc. but I had not considered the Mac randomisation. 
as for disabling CoA in WLC. I use the same ISE for Guest. Hence I need CoA enabled. Unless I define each ISE server twice on the WLC and call them different names to distinguish them with or without CoA enabled.  I’ll give it a try. Thanks

View solution in original post

6 REPLIES 6
Highlighted
Collaborator

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

Hi,

 

    Technically speaking, yes, with RADIUS profiling enabled on the WLC and ISE, and with CoA set to "re-auth", some or more clients could experience a disconnect/reconnect. At the same time, the frequency of this process depends on several aspects.

      1. If you rely on DHCP and/or HTTP probes it means that for profiling to actually achieve something, clients need to get addresses via DHCP (most probably for WiFi environments) and/or clients get authenticated through a portal (is it the case or not); assuming one of these are true, minimum, most clients may get a disconnect/reconnect only the first time they actually get on the network, so i'm not sure how much of an impact is that, but worth being considered. Within these lines though, it seems that more and more devices and OS'es use MAC randomisation for WiFi environments (see this great post here, which means that depending on the configuration of that feature, a WiFi client device may end up with a new MAC address each day, so ISE would consider it a new device each day, thus go through the whole process again, with profiling and CoA.

     2. At the same time, the question is, in your WiFi implementation do you actually make use of CoA (maybe you just have corporate WiFi with 802.1x) and there is no need for CoA, thus you could disable CoA on the WLC. 

     3. At the same time, in case you don't make use of the profiling functionality in your ISE policies for WiFi clients, you could disable RADIUS profiling on the WLC

 

 

What i'm trying to say is that you would have to choose, decide what's most important and make a call.

 

Regards,

Cristian Matei.

    

         

Highlighted
VIP Advisor

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

I was thinking the same thing about the CoA once upon initial connection etc. but I had not considered the Mac randomisation. 
as for disabling CoA in WLC. I use the same ISE for Guest. Hence I need CoA enabled. Unless I define each ISE server twice on the WLC and call them different names to distinguish them with or without CoA enabled.  I’ll give it a try. Thanks

View solution in original post

Highlighted
VIP Advisor

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

You can do one thing. Define two IPs on two ISE interfaces. Configure both
IPs as radius servers in WLC but use one with COA for Guest SSID and one
without COA for the other SSID.

**** please remember to rate useful posts
Highlighted
VIP Advisor

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

It depends on why you don't want to reauth. Generally speaking you ensure
consistent policy enforcement with CoA to avoid security breaches.

If you want to disable CoA for WiFi, you disable that on the WLC without
touching ISE. This way WLC won't send a CoA message and ISE won't react.

***** please remember to rate useful posts

View solution in original post

Highlighted
VIP Advisor

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

When I get a chance I will see if I can add the same RADIUS IP address twice into a WLC. I will define the first ISE without CoA enabled and the other with CoA. I need CoA only on the guest WLAN. 
thanks

Highlighted
VIP Advocate

Re: Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

Arne,

 

In my opinion you should have CoA ready to use on any SSID.  Yes as you said you need it for the guest wireless process, but these days most customers also want ANC policies setup to be able to quarantine devices either on-demand or in an automated fashion.  When you apply an ANC policy you need CoA to work to get it enforced.  ISE finds the MAC address associated with the IP in the live session database and then sends a CoA to the network device the MAC is attached to.

 

In 100+ installs I have never had an issue with CoA being enabled on reprofile for wireless devices.