03-24-2025 09:02 AM
Hi community,
we are having troubles with C1300 and Change of Authorization through Cisco ISE.
The behaviour is as follows:
When an endpoint gets profiled and gets a new identity group, ISE automatically sends out a CoA with port bounce.
This gets rejected by the C1300 because of "%RADIUS-I-CoAREJECT: CoA Request from 192.168.9.219 rejected. Reason: Unsupported Attribute".
When the CoA is triggered manually from Context Visibility - Endpoints - Change Authorization - CoA Port Bounce, the port is bounced without issues.
What we are seeing in the packet capture is that the attribute "Calling-Station-ID" is written with ":" delimiter when the CoA is sent automatically and with "-" delimiter when it's sent manually.
AVP: t=Calling-Station-Id(31) l=19 val=00:xx:xx:xx:xx:xx -> gets rejected.
AVP: t=Calling-Station-Id(31) l=19 val=00-xx-xx-xx-xx-xx -> is successful.
When testing the same with a Catalyst 9300L, both CoA are successful even though the delimiter is also different.
Seems like the C1300 can't handle the CoA packet when the calling station ID has ":" as a delimiter.
Should this be raised to TAC?
Thanks in advance.
BR
Jonatan
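The delimiter difference described in the post above can be confirmed directly from captured CoA payloads. The following is an added example, not part of the original post: it parses a RADIUS CoA-Request (code 43) and reports the Calling-Station-Id (attribute 31) value and its delimiter. The MAC addresses and the `build_coa` helper are constructed sample data, and no authenticator is verified.

```python
import struct

COA_REQUEST = 43         # RFC 5176 packet code
CALLING_STATION_ID = 31  # RFC 2865 attribute type

def radius_avps(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def calling_station_format(packet: bytes):
    """Return (value, delimiter) of Calling-Station-Id in a CoA-Request, or None."""
    if not packet or packet[0] != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    for atype, value in radius_avps(packet):
        if atype == CALLING_STATION_ID:
            text = value.decode("ascii", "replace")
            delim = next((d for d in (":", "-", ".") if d in text), "")
            return text, delim
    return None

def build_coa(mac: str) -> bytes:
    """Constructed sample: CoA-Request carrying only Calling-Station-Id."""
    avp = bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode("ascii")
    header = struct.pack("!BBH", COA_REQUEST, 1, 20 + len(avp))
    return header + bytes(16) + avp  # zeroed authenticator, sample only

if __name__ == "__main__":
    # Constructed MACs mirroring the two formats seen in the capture
    for mac in ("00:11:22:33:44:55", "00-11-22-33-44-55"):
        print(calling_station_format(build_coa(mac)))
```

Feed it the UDP payload of each CoA-Request exported from the capture to see which delimiter ISE used for that request.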
03-24-2025 09:45 AM
- @JonatanSitter Should this be raised to TAC?
Probably but also look at the current firmware being used and compare the issue
against the latest available (if not yet done)
M.
03-25-2025 01:10 AM
@marce1000 unfortunately we are already on the newest firmware Release 4.1.6.54 and seeing the issues there.
I'll open a TAC case.
03-25-2025 03:39 AM
- @JonatanSitter Ok, keep us posted on developments,
M.
05-22-2025 02:11 AM
I have this problem too.
Is there probably a possibility to modify the CoA message which is sent from ISE aspect?
There are so many possible settings in ISE, maybe this could be a solution/workaround?
Best regards, Alex...
05-22-2025 02:13 AM
@JonatanSitter: Have you opened a TAC case? Maybe you can share your Case ID and I can also open a TAC case and reference.
Or is there a BUG ID?
05-22-2025 04:06 AM
I opened a TAC case and analyzed the issue with them. A feature request with ID CSCwo81510 has been opened to the switch team to fix this behaviour.
05-22-2025 03:24 AM
...Is there probably a possibility to modify the CoA message which is sent from ISE aspect?
No, Cisco ISE does not provide an option to change the default delimiter of these attributes.
Instead you need to do this modification on the network access devices like switches or WLCs if required.
On Cisco IOS and IOS-XE devices you can use the command 'radius-server attribute 31 mac format ietf upper-case' to achieve this.
However, I doubt that this command is supported on the Catalyst 1300 series switches as it is not listed in the CLI Guide.
I do not have such a device at hand so you may check this on your side and let us know the result.
Nevertheless, CoA via ISE is an officially supported feature for the Catalyst 1300 series that has been added in firmware version 4.1.3.36. Cisco also published 2 TechNotes recently that describe how to configure this feature via CLI and WebGUI:
Configure Change of Authorization in Catalyst 1300 Using Web User Interface
Configuration of Change of Authorization in Catalyst 1300 Switch using CLI
So if this feature is not working as described, then it is time to get TAC involved to make it work.
HTH!