VPN CoA in LiveLogs Question

Matthew Martin
Level 5

Hello All,

 

ISE v2.3 patch 3

 

I'm inquiring about the CoA log message that occurs and displays in the RADIUS LiveLogs for VPN access.

 

When a VPN endpoint connects to the VPN, after it authenticates and before the Posture status is received, you can see the client appear with the VPN_Unknown policy with Posture status = Pending. This line shows all the info for the client: Identity shows the username, Endpoint ID shows the Wi-Fi MAC address, and so on.

 

The thing that seems strange is that after the Posture report gets received by ISE and the CoA occurs to give the client the VPN Permit All policy, that line in LiveLogs has a blank Identity column, Endpoint ID shows the public IP address of the client, and Endpoint Profile/Authentication Policy/Authorization Policy are all blank, with Authorization Profile showing VPN_PermitAll.

 

Is this normal behavior? It makes it difficult to trace a VPN client's session and is a bit confusing, as it appears the VPN clients never get VPN_PermitAll unless you know to look for the public IP address. See screenshot below...

 

LiveLogs.png

 

Thanks in Advance,

Matt

1 Accepted Solution

Accepted Solutions

Nidhi
Cisco Employee

Hello Matt,

This is expected behavior since, after the posture check, CoA is issued to the client without any additional authentication. Hence you do not see any logs.

This is documented here - https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

Note: This flow model differs from most scenarios that use RADIUS CoA. For wired/wireless 802.1X authentications, RADIUS CoA does not include any attributes. It only triggers the second authentication in which all attributes, such as DACL, are attached. For the ASA VPN posture, there is no second authentication. All of the attributes are returned in the RADIUS CoA. The VPN session is active and it is not possible to change most of the VPN user settings.

 

Thanks,

Nidhi 

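Because the CoA line carries no identity, tracing a VPN session means joining it back to the earlier VPN_Unknown authentication on the client's public IP. The following is an added example (not from this thread or from Cisco) that does that join over constructed LiveLogs-style records; it assumes, as its own schema, that the authentication line's Calling-Station-Id holds the client's public IP, the value the CoA line shows as Endpoint ID, and the field names are mine.

```python
from typing import Dict, List, Tuple

# Constructed LiveLogs-style records (not an ISE export). Field names are my own.
# Assumption: the authentication record's Calling-Station-Id carries the VPN
# client's public IP, which is what the later CoA line shows as its Endpoint ID.
RECORDS = [
    {"time": "10:00:01", "identity": "mmartin", "endpoint_id": "AA:BB:CC:DD:EE:01",
     "calling_station_id": "203.0.113.10", "authz_profile": "VPN_Unknown"},
    {"time": "10:00:05", "identity": "jdoe", "endpoint_id": "AA:BB:CC:DD:EE:02",
     "calling_station_id": "203.0.113.11", "authz_profile": "VPN_Unknown"},
    # CoA lines as the question describes them: blank Identity, Endpoint ID = public IP.
    {"time": "10:00:20", "identity": "", "endpoint_id": "203.0.113.10",
     "calling_station_id": "", "authz_profile": "VPN_PermitAll"},
    # Constructed anomaly: a PermitAll CoA with no preceding VPN_Unknown session.
    {"time": "10:00:25", "identity": "", "endpoint_id": "198.51.100.7",
     "calling_station_id": "", "authz_profile": "VPN_PermitAll"},
]


def stitch_vpn_sessions(records: List[dict]) -> Tuple[Dict[str, dict], List[dict]]:
    """Attach each identity-less CoA line to the latest authentication whose
    Calling-Station-Id equals the CoA line's Endpoint ID. Returns sessions keyed
    by public IP, plus CoA lines that matched nothing (a PermitAll CoA with no
    pending session does not fit the posture flow and deserves a look)."""
    sessions: Dict[str, dict] = {}
    unmatched: List[dict] = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["identity"]:
            # Fresh authentication; a re-connect from the same public IP
            # deliberately supersedes the earlier session entry.
            sessions[rec["calling_station_id"]] = {
                "identity": rec["identity"],
                "mac": rec["endpoint_id"],
                "public_ip": rec["calling_station_id"],
                "profiles": [rec["authz_profile"]],
            }
            continue
        session = sessions.get(rec["endpoint_id"])
        if session is None:
            unmatched.append(rec)
            continue
        session["profiles"].append(rec["authz_profile"])
    return sessions, unmatched


if __name__ == "__main__":
    sessions, unmatched = stitch_vpn_sessions(RECORDS)
    for ip, s in sessions.items():
        print(f"{s['identity']:8} {s['mac']} {ip:15} {' -> '.join(s['profiles'])}")
    for rec in unmatched:
        print(f"unmatched CoA at {rec['time']} for {rec['endpoint_id']}")
```

Run against a real export, the same join gives one row per VPN session showing whether VPN_PermitAll was ever applied, instead of two unrelated LiveLogs lines.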

3 Replies

Nidhi
Cisco Employee

Researching!


Hey Nidhi, thanks for the info and the reply. Much appreciated.

-Matt