03-24-2025 09:02 AM
Hi community,
we are having troubles with C1300 and Change of Authorization through Cisco ISE.
The behaviour is as follows:
When an endpoint gets profiled and gets a new identity group, ISE automatically sends out a CoA with port bounce.
This gets rejected by the C1300 because of "%RADIUS-I-CoAREJECT: CoA Request from 192.168.9.219 rejected. Reason: Unsupported Attribute".
When the CoA is triggered manually from Context Visibility - Endpoints - Change Authorization - CoA Port Bounce, the port is bounced without issueds.
What we are seeing in the packed capture is that the attribute "Calling-Station-ID" is written with ":" delimiter when the CoA is sent automatically and with "-" delimiter when it's sent manually.
AVP: t=Calling-Station-Id(31) l=19 val=00:xx:xx:xx:xx:xx -> gets rejected.
AVP: t=Calling-Station-Id(31) l=19 val=00-xx-xx-xx-xx-xx -> is successful.
When testing the same with a Catalyst 9300L, both CoA are successful even though the delimiter is also different.
Seems like the C1300 can't handle the CoA packet when the calling station ID has ":" as a delimiter.
Should this be raised to TAC?
Thanks in advance.
BR
Jonatan
03-24-2025 09:45 AM
- @JonatanSitter Should this be raised to TAC?
Probably but also look at the current firmware being used and compare the issue
against the latest available (if not yet done)
M.
03-25-2025 01:10 AM
@marce1000 unfortunately we are already on the newest firmware Release 4.1.6.54 and seeing the issues there.
I'll open a TAC case.
03-25-2025 03:39 AM
- @JonatanSitter Ok , keep us posted on developments ,
M.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide