03-20-2019 10:18 AM
Hello All,
ISE v2.3 patch 3
I'm inquiring about the CoA log message that occurs and displays in the RADIUS LiveLogs for VPN access.
When a VPN endpoint connects to VPN, after it authenticates and before the Posture status is received, you can see the client appear with the VPN_Unknown policy with Posture status = Pending. This line shows all the info for the client: Identity shows the username, Endpoint ID shows the Wi-Fi MAC address, and so on.
The thing that seems strange, is that after the Posture report gets received by ISE and the CoA occurs to give the client VPN Permit All policy, that line in LiveLogs has a blank Identity column, Endpoint ID shows public IP Address of the client, Endpoint Profile/Authentication Policy/Authorization Policy are all blank, with Authorization Profile showing the VPN_PermitAll.
Is this normal behavior? It makes it difficult to trace a VPN client's session and is a bit confusing, as it appears the VPN client never gets VPN_PermitAll unless you know to look for the public IP address. See screenshot below...
Thanks in Advance,
Matt
03-28-2019 02:36 AM - edited 03-28-2019 04:49 AM
Hello Matt
This is an expected behavior since after the posture check, CoA is issued to the client without any additional authentication. Hence you do not see any logs.
This is documented here - https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
Note: This flow model differs from most scenarios that use RADIUS CoA. For wired/wireless 802.1x authentications, RADIUS CoA does not include any attributes. It only triggers the second authentication in which all attributes, such as DACL, are attached. For the ASA VPN posture, there is no second authentication. All of the attributes are returned in the RADIUS CoA. The VPN session is active and it is not possible to change most of the VPN user settings.
Thanks,
Nidhi
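The behavior described above leaves an analyst with two separate live-log rows per VPN session: an authentication row that carries Identity and the endpoint MAC with Posture = Pending, and a later CoA row that carries only the public IP and the final Authorization Profile. The following is an added example, not part of the thread or of any Cisco tool, showing one way to stitch those rows back together offline. It assumes the live log has been exported to records with the column names used below, and that the authentication row records the client's public IP in a `calling_station_id` field (an assumption; the thread only states that the CoA row's Endpoint ID is the public IP). The sample rows are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample live-log rows modelled on the columns named in the thread
# (Identity, Endpoint ID, Authorization Policy, Authorization Profile, Posture
# Status). The field names, timestamps, users and addresses are all made up.
# The second row reproduces the CoA entry the question describes: Identity and
# Authorization Policy blank, Endpoint ID holding the client's public IP.
LIVE_LOG = [
    {"time": "2019-03-20 10:01:12", "identity": "matt",
     "endpoint_id": "AA:BB:CC:11:22:33", "calling_station_id": "203.0.113.45",
     "authz_policy": "VPN_Unknown", "authz_profile": "VPN_Unknown",
     "posture": "Pending"},
    {"time": "2019-03-20 10:01:40", "identity": "",
     "endpoint_id": "203.0.113.45", "calling_station_id": "",
     "authz_policy": "", "authz_profile": "VPN_PermitAll", "posture": ""},
    {"time": "2019-03-20 10:05:02", "identity": "bob",
     "endpoint_id": "DD:EE:FF:44:55:66", "calling_station_id": "198.51.100.7",
     "authz_policy": "VPN_Unknown", "authz_profile": "VPN_Unknown",
     "posture": "Pending"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_coa_row(row):
    """A CoA-only row has an authorization profile but no identity and no
    authorization policy, matching the blank columns described in the thread."""
    return (row["identity"] == "" and row["authz_policy"] == ""
            and row["authz_profile"] != "")


def stitch_sessions(rows, window=timedelta(minutes=30)):
    """Attach each CoA row to the most recent pending authentication whose
    assumed calling_station_id equals the CoA row's Endpoint ID (public IP)
    and that started within `window` before the CoA.

    Returns (sessions, unmatched_coa_rows)."""
    sessions = [
        {"identity": r["identity"], "endpoint_id": r["endpoint_id"],
         "public_ip": r["calling_station_id"], "start": parse_ts(r["time"]),
         "initial_profile": r["authz_profile"], "posture": r["posture"],
         "final_profile": None, "coa_time": None}
        for r in rows if not is_coa_row(r)
    ]
    unmatched = []
    for coa in (r for r in rows if is_coa_row(r)):
        coa_time = parse_ts(coa["time"])
        candidates = [
            s for s in sessions
            if s["public_ip"] == coa["endpoint_id"]
            and s["final_profile"] is None
            and timedelta(0) <= coa_time - s["start"] <= window
        ]
        if not candidates:
            unmatched.append(coa)
            continue
        best = max(candidates, key=lambda s: s["start"])
        best["final_profile"] = coa["authz_profile"]
        best["coa_time"] = coa_time
    return sessions, unmatched


def still_pending(sessions):
    """Identities that authenticated into the pending policy but never
    received a CoA within the window: the cases worth a second look."""
    return [s["identity"] for s in sessions if s["final_profile"] is None]


if __name__ == "__main__":
    found, leftover = stitch_sessions(LIVE_LOG)
    for s in found:
        print(f'{s["identity"]:<6} {s["endpoint_id"]:<18} {s["public_ip"]:<14} '
              f'{s["initial_profile"]} -> {s["final_profile"]}')
    print("still pending:", still_pending(found))
    print("unmatched CoA rows:", len(leftover))
```

The join key is the public IP because, per the thread, that is the only client attribute the CoA row carries. The time window guards against an address being reused by a later session, and `still_pending` surfaces sessions that never left VPN_Unknown, which is the case an operator actually wants flagged rather than buried behind the blank-identity CoA rows.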
03-22-2019 03:05 AM
Researching!