Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1687
Views
15
Helpful
6
Replies

Should RADIUS Profiling be used on Wireless SSIDs when global CoA reauth is also enabled?

Go to solution
Arne Bier
VIP
VIP

‎03-26-2020 10:46 PM

Hello

 

I have a concern that when the Cisco WLC has RADIUS Profiling (Device Sensor) enabled on its WLAN profile, then it could cause the ISE server to send a CoA reauth to the session when it senses an endpoint profiling update (e.g. client connects for the first time and then ISE subsequently learns that it's a Windows device).

 

Since the global CoA reauth is enabled, am I correct in thinking that a wireless session would be re-authorized when ISE profiles a newly connected wireless client?

 

CoA reauth.PNG

 

I am relying on CoA reauth because of the Wired 802.1X/MAB configuration - here it's working as expected and it's required. But I don't want any re-auth to happen on my wireless network, because I don't want/need profiling there.

 

Am I worried about nothing? Or is this a potential issue for the stability of wireless clients ?

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎03-27-2020 03:26 AM

It depends on why you don't want to reauth. Generally speaking you ensure
consistent policy enforcement with CoA to avoid security breaches.

If you want to disable CoA for WiFi, you disable that on the WLC without
touching ISE. This way WLC won't send a CoA message and ISE won't react.

***** please remember to rate useful posts

View solution in original post

Go to solution
Arne Bier
VIP
VIP
In response to Cristian Matei

‎03-27-2020 03:47 PM

I was thinking the same thing about the CoA once upon initial connection etc. but I had not considered the Mac randomisation. 
as for disabling CoA in WLC. I use the same ISE for Guest. Hence I need CoA enabled. Unless I define each ISE server twice on the WLC and call them different names to distinguish them with or without CoA enabled.  I’ll give it a try. Thanks

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-27-2020 01:04 AM

Hi,

 

    Technically speaking, yes, with RADIUS profiling enabled on the WLC and ISE, and with CoA set to "re-auth", some or more clients could experience a disconnect/reconnect. At the same time, the frequency of this process depends on several aspects.

      1. If you rely on DHCP and/or HTTP probes it means that for profiling to actually achieve something, clients need to get addresses via DHCP (most probably for WiFi environments) and/or clients get authenticated through a portal (is it the case or not); assuming one of these are true, minimum, most clients may get a disconnect/reconnect only the first time they actually get on the network, so i'm not sure how much of an impact is that, but worth being considered. Within these lines though, it seems that more and more devices and OS'es use MAC randomisation for WiFi environments (see this great post here, which means that depending on the configuration of that feature, a WiFi client device may end up with a new MAC address each day, so ISE would consider it a new device each day, thus go through the whole process again, with profiling and CoA.

     2. At the same time, the question is, in your WiFi implementation do you actually make use of CoA (maybe you just have corporate WiFi with 802.1x) and there is no need for CoA, thus you could disable CoA on the WLC. 

     3. At the same time, in case you don't make use of the profiling functionality in your ISE policies for WiFi clients, you could disable RADIUS profiling on the WLC

 

 

What i'm trying to say is that you would have to choose, decide what's most important and make a call.

 

Regards,

Cristian Matei.

    

         

Go to solution
Arne Bier
VIP
VIP
In response to Cristian Matei

‎03-27-2020 03:47 PM

I was thinking the same thing about the CoA once upon initial connection etc. but I had not considered the Mac randomisation. 
as for disabling CoA in WLC. I use the same ISE for Guest. Hence I need CoA enabled. Unless I define each ISE server twice on the WLC and call them different names to distinguish them with or without CoA enabled.  I’ll give it a try. Thanks

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to Arne Bier

‎03-28-2020 05:01 AM

You can do one thing. Define two IPs on two ISE interfaces. Configure both
IPs as radius servers in WLC but use one with COA for Guest SSID and one
without COA for the other SSID.

**** please remember to rate useful posts
0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎03-27-2020 03:26 AM

It depends on why you don't want to reauth. Generally speaking you ensure
consistent policy enforcement with CoA to avoid security breaches.

If you want to disable CoA for WiFi, you disable that on the WLC without
touching ISE. This way WLC won't send a CoA message and ISE won't react.

***** please remember to rate useful posts

Go to solution
Arne Bier
VIP
VIP
In response to Mohammed al Baqari

‎03-27-2020 03:49 PM

When I get a chance I will see if I can add the same RADIUS IP address twice into a WLC. I will define the first ISE without CoA enabled and the other with CoA. I need CoA only on the guest WLAN. 
thanks

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Arne Bier

‎03-30-2020 06:31 AM

Arne,

 

In my opinion you should have CoA ready to use on any SSID.  Yes as you said you need it for the guest wireless process, but these days most customers also want ANC policies setup to be able to quarantine devices either on-demand or in an automated fashion.  When you apply an ANC policy you need CoA to work to get it enforced.  ISE finds the MAC address associated with the IP in the live session database and then sends a CoA to the network device the MAC is attached to.

 

In 100+ installs I have never had an issue with CoA being enabled on reprofile for wireless devices.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents