Cisco ISE and Switch

wayne loh
Level 1

Hi All,

I have had a weird issue recently with Cisco ISE and need to seek some advice. I have deployed Cisco ISE and switches to adopt dot1x and MAB authentication. However, I notice that each authorization policy change does not take effect immediately, or even after some period of time, and I need to shut the port/interface and no shut it again in order for it to work.

Anyone facing such issue or did I miss any configuration?

Thanks

5 Replies

@wayne loh 

This is configuration related. Look for CoA port bounce. I am sharing this link for reference, but I am pretty sure there will be plenty.

https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html#GUID-02AC45FF-2D37-4315-BD85-A88035DDC288

 

show authentication sessions interface x/x

show authentication sessions interface x/x details

Share this please.

show aaa servers

Share these please.

MHM

thomas
Cisco Employee

ISE is a RADIUS protocol server. RADIUS is a request/response protocol upon session initiation or timeout. Policy is not updated in real time across network devices every time you make a little change. That would cause a massive spike in your RADIUS traffic every time you made a change.

Reauthentication should occur when each existing session times out. Are you setting a reauthentication timer or session-timeout in your authorization profile?

Hi Thomas,

I understand that, and I don't expect it to be in real time, but it should update at certain intervals, like the reauthentication you mentioned (switch setting or AuthZ profile). But isn't the CoA also supposed to do this, i.e. initiate (push) the changes to the NAD if there are authorization profile changes?

Thanks.

As Flavio hinted, the issue is most likely the CoA is not configured correctly. Check that the dynamic-authorization on the switch is configured with the IP address of the ISE PSN, and using the same shared secret. Plus, also specify the source interface and a VRF (if used) for RADIUS traffic. Test the CoA via ISE Context Visibility.
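The switch-side configuration the last reply describes, written out as an added example; it is not from the original thread or from any of the posters. It is IOS/IOS-XE syntax, and the PSN address 10.0.0.10, the shared secret, the VRF name MGMT, Vlan100 and GigabitEthernet1/0/1 are placeholders (assumptions), not values from the thread. It also covers the reauthentication timer Thomas asks about, so that existing sessions pick up a new authorization profile at the interval ISE returns in Session-Timeout even when no CoA is sent, and it ends with the show commands MHM requested.

```ios
! --- Added example (not from the thread). Every address, name and the
! --- secret below is a placeholder; substitute your own values.
!
aaa new-model
dot1x system-auth-control
!
! RADIUS server definition. The host and key used here must be the same
! PSN and the same shared secret that the CoA client entry below trusts.
radius server ISE-PSN-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
aaa group server radius ISE
 server name ISE-PSN-1
 ! Source all RADIUS traffic from one fixed interface so the PSN sees the
 ! same NAD IP address it has configured for this Network Device.
 ip radius source-interface Vlan100
 ! If RADIUS is carried in a VRF, bind the group to it (placeholder name):
 ! ip vrf forwarding MGMT
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Dynamic authorization (CoA) listener. The client is the PSN that will
! send CoA-Request / Disconnect-Request. server-key must match the PSN's
! shared secret exactly; a mismatch is silently dropped or NAKed.
! 1700 is the port ISE uses for CoA by default.
aaa server radius dynamic-author
 client 10.0.0.10 server-key ExampleSharedSecret
 port 1700
 auth-type any
!
! Access port. "authentication periodic" plus "timer reauthenticate server"
! makes the switch reauthenticate each session after the Session-Timeout
! ISE returns (the Reauthentication timer in the authorization profile),
! so a changed profile is applied at that interval without a port bounce.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Verification (exec mode):
!   show aaa servers
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   debug radius    (watch the CoA-Request arrive and the ACK or NAK leave)
```

After changing an authorization profile, trigger a reauthentication or session termination for one endpoint from ISE (Live Sessions / Context Visibility, as the reply suggests) and check in `show authentication sessions ... details` that the session's "Server Policies" now show the new profile. If `debug radius` shows no CoA arriving, the PSN is most likely sending to a different NAD IP than the source-interface address; if it arrives but is NAKed, compare the server-key with the shared secret on the ISE Network Device entry.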