03-26-2020 10:46 PM
Hello
I have a concern that when the Cisco WLC has RADIUS Profiling (Device Sensor) enabled on its WLAN profile, then it could cause the ISE server to send a CoA reauth to the session when it senses an endpoint profiling update (e.g. client connects for the first time and then ISE subsequently learns that it's a Windows device).
Since the global CoA reauth is enabled, am I correct in thinking that a wireless session would be re-authorized when ISE profiles a newly connected wireless client?
I am relying on CoA reauth because of the Wired 802.1X/MAB configuration - here it's working as expected and it's required. But I don't want any re-auth to happen on my wireless network, because I don't want/need profiling there.
Am I worried about nothing? Or is this a potential issue for the stability of wireless clients ?
Solved! Go to Solution.
03-27-2020 03:26 AM
03-27-2020 03:47 PM
I was thinking the same thing about the CoA once upon initial connection etc. but I had not considered the Mac randomisation.
as for disabling CoA in WLC. I use the same ISE for Guest. Hence I need CoA enabled. Unless I define each ISE server twice on the WLC and call them different names to distinguish them with or without CoA enabled. I’ll give it a try. Thanks
03-27-2020 01:04 AM
Hi,
Technically speaking, yes, with RADIUS profiling enabled on the WLC and ISE, and with CoA set to "re-auth", some or more clients could experience a disconnect/reconnect. At the same time, the frequency of this process depends on several aspects.
1. If you rely on DHCP and/or HTTP probes it means that for profiling to actually achieve something, clients need to get addresses via DHCP (most probably for WiFi environments) and/or clients get authenticated through a portal (is it the case or not); assuming one of these are true, minimum, most clients may get a disconnect/reconnect only the first time they actually get on the network, so i'm not sure how much of an impact is that, but worth being considered. Within these lines though, it seems that more and more devices and OS'es use MAC randomisation for WiFi environments (see this great post here, which means that depending on the configuration of that feature, a WiFi client device may end up with a new MAC address each day, so ISE would consider it a new device each day, thus go through the whole process again, with profiling and CoA.
2. At the same time, the question is, in your WiFi implementation do you actually make use of CoA (maybe you just have corporate WiFi with 802.1x) and there is no need for CoA, thus you could disable CoA on the WLC.
3. At the same time, in case you don't make use of the profiling functionality in your ISE policies for WiFi clients, you could disable RADIUS profiling on the WLC
What i'm trying to say is that you would have to choose, decide what's most important and make a call.
Regards,
Cristian Matei.
03-27-2020 03:47 PM
I was thinking the same thing about the CoA once upon initial connection etc. but I had not considered the Mac randomisation.
as for disabling CoA in WLC. I use the same ISE for Guest. Hence I need CoA enabled. Unless I define each ISE server twice on the WLC and call them different names to distinguish them with or without CoA enabled. I’ll give it a try. Thanks
03-28-2020 05:01 AM
03-27-2020 03:26 AM
03-27-2020 03:49 PM
When I get a chance I will see if I can add the same RADIUS IP address twice into a WLC. I will define the first ISE without CoA enabled and the other with CoA. I need CoA only on the guest WLAN.
thanks
03-30-2020 06:31 AM
Arne,
In my opinion you should have CoA ready to use on any SSID. Yes as you said you need it for the guest wireless process, but these days most customers also want ANC policies setup to be able to quarantine devices either on-demand or in an automated fashion. When you apply an ANC policy you need CoA to work to get it enforced. ISE finds the MAC address associated with the IP in the live session database and then sends a CoA to the network device the MAC is attached to.
In 100+ installs I have never had an issue with CoA being enabled on reprofile for wireless devices.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: