first time CoA

Aug 15th, 2012

I have this problem where first-time users hit the default reject profile because they are not being profiled. They remain unknown until I reconnect. Can this be because the access point is a 1231 converted to lightweight? (It does support change of VLAN though.) I have CoA set to ReAuth. Still not sure if this is a packet-of-disconnect issue with that AP. If someone has faced this, I'd appreciate the help.


Sent from Cisco Technical Support iPhone App

Tarik Admani Wed, 08/15/2012 - 20:12

If the AP is lightweight then the CoA should be processed by the controller. If this is a standalone AP then yes, that is the reason why you are facing this issue. For devices that do not support CoA (i.e. ASAs and standalone APs), consider positioning an Inline Posture node (iPEP) in order to handle the CoA services. Here is the documentation that covers the basics of the iPEP node and how it bridges this limitation:


http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1198610


Thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti Wed, 08/15/2012 - 20:17

You're a hard-working man, I appreciate it. No, it's a lightweight AP. And as I said, when they connect the first time they get to be unknown (even with MAC-only profiling) and they are rejected because the last default is set to deny. They only need to reconnect and everything is fine. Have you seen this? I've read about FirstTimeProfile but it doesn't seem to bounce them as it should for some reason. Is there anything that needs to be done?


Sent from Cisco Technical Support iPhone App

Tarik Admani Wed, 08/15/2012 - 20:25

I understand now. If you have CoA set to ReAuth there is already a built-in condition so that when an endpoint is profiled for the first time (goes from unknown to known) then CoA is triggered:


http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555378


What version of ISE are you currently running, and also what version is your controller? If you are using MAC filtering you need to be on WLC version 7.2.110 in order to support CoA (RADIUS NAC) with MAC filtering.


If you don't mind, can you post a screenshot of when this occurs? Before you reauthenticate, check the endpoint database: does it still show as unknown or does it show as mapped? In the authentication reports do you see any red entries where dynamic authorization is failing? Does this happen on all SSIDs on this AP?


Thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti Wed, 08/15/2012 - 20:43

Cisco ISE 1.1.1, WLC 7.0.220.0


Yes, it adds up as a workstation in the identities after failing, because when I reconnect I'm all good, but if I don't reconnect I'm just stuck and eventually after 20 minutes it tries again and it succeeds.


Here is a screenshot.



P.S. RADIUS State on the WLC is None, but I've tried both, same scenario.

P.P.S. I did read that link before I posted :}

Tarik Admani Wed, 08/15/2012 - 21:16

Hmm,


Do you have the AAA override set on the controller? It seems as if everything is working fine on the controller side, but when the CoA hits it seems as if the endpoint is matching the Profiled:Workstation endpoint group; that is why you hit the deny access policy. Are you profiling these endpoints using the DHCP attribute?


Can you post a screenshot of your authorization policies?


Thanks,


Tarik Admani
*Please rate helpful posts*

edondurguti Wed, 08/15/2012 - 21:25

Tarik,

Yes, I do have AAA override on the WLC.

Here is the screenshot:


edondurguti Wed, 08/15/2012 - 21:30

If you noticed on my first screenshot, the profiled workstation is matched with permit access after I reconnect.

I do use the DHCP option for profiling, but I've tried even with MAC address, where I added MAC attributes to the WORKSTATION profile, for example if MAC CONTAINS OUI = Intel = Workstation; still the same.

Tarik Admani Wed, 08/15/2012 - 21:36

Hi,


Do you have the RADIUS probe enabled? Please enable it if you don't; it should speed things up if ISE can profile the endpoint using the calling station ID, instead of waiting for the DHCP traffic to arrive after authentication succeeds.


Thanks,


Tarik Admani
*Please rate helpful posts*

edondurguti Wed, 08/15/2012 - 21:41

I do have it enabled, I am currently at home will go to work tomorrow and try.

How do I differentiate between calling station ID? Because that's not a profiling attribute as of right now in the workstation profile. (I'd love to be able to differentiate Windows machines through RADIUS.)

edondurguti Wed, 08/15/2012 - 21:47

I see,

It has to be a MAC address for calling station ID.

Unfortunately for me I have like 5k and they all start differently, can't match the OUI to it.

I'll see how to figure this out tomorrow at work, thanks for your help.

Tarik Admani Wed, 08/15/2012 - 21:50

You shouldn't have to configure any profiling policies; internally the ISE node should know the calling station ID is the MAC address and it should roll up in the MACOUI check.


Thanks,


Tarik Admani
*Please rate helpful posts*

edondurguti Wed, 08/15/2012 - 21:52

I see what you mean, I do understand how it works.

I will try something tomorrow, I think this is only doing it to the laptops not to iDevices as far as I can recall.

I will post updates tomorrow, I have some ideas that I need to try out.


I highly appreciate your help

edondurguti Thu, 08/16/2012 - 06:18

Nope, it does the same thing even for iDevices. Maybe a TAC case?

Tarik Admani Thu, 08/16/2012 - 08:16

Hi,


Do you have the profiling services still enabled on the deployment page? Before opening a TAC case, could you delete the endpoint, enable the profiler component to trace (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1054671), reproduce the issue and then download the profiler.log file (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wpxref46056),


attach it here and take another screenshot of the first authentication, the CoA request and then when you reattempt the connection and match the profile. (Also download the log after you follow all these steps.)


Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani Thu, 08/16/2012 - 08:49

Hi,


We are taking the logs from the node itself, the monitoring node is for the authentications.


Thanks,



Tarik Admani
*Please rate helpful posts*

edondurguti Thu, 08/16/2012 - 08:50

Done, got it from the primary. Are you able to download the files?

Tarik Admani Thu, 08/16/2012 - 08:56

I downloaded them, do you have a screenshot of the timeframe on when you reproduced the issue?


I would like to get the timestamps and MAC on when you attempted it.


Disregard, I just opened the zip file.


Thanks,


Tarik Admani
*Please rate helpful posts*

edondurguti Thu, 08/16/2012 - 08:57

They are on the sides for authorization; it's all within 3 minutes.

Tarik Admani Thu, 08/16/2012 - 08:58

You sent me the prrt.log files; I need the profiler.log file.


Thanks,



Tarik Admani
*Please rate helpful posts*

edondurguti Thu, 08/16/2012 - 09:00

Oh, my bad, because it's above it kinda messed up the rows, give me a sec.

edondurguti Thu, 08/16/2012 - 11:50

I also get emails as alarms saying:

Dynamic Authorization Failed for Device:WLC-PRIMARY

Tarik Admani Thu, 08/16/2012 - 12:58

Hi,


Your best bet is to open a TAC case. After looking through the logs I don't see the profiler log capturing the RADIUS event that occurred at 11:09; it seems as if the endpoint was created well before the debugs were turned on, because there is an endpoint ID assigned.


If I were you, I would open a TAC case and reproduce the issue with a packet capture from the WLC (you can go to Monitor > Tools > tcpdump); you can filter using ip host (wlcipadd). Provide this information to TAC along with the screenshots that you provided and you should get a quick turnaround.


If you want to debug this yourself you can; the endpoint ID is (d18c8261-e7bc-11e1-95b6-5cf3fc25cfa8) and when you see the entries in the profiler.log that match this condition you can see they are all endpoint updates (starting at 11:10:42). There isn't an add, which tells me that something may have got dropped internally in the profiler process.


Also, are you running on an appliance? (Because I see some probes enabled on gig3.) Can you verify this and turn off any probes that you aren't using?


Tarik Admani
*Please rate helpful posts*

edondurguti Thu, 08/16/2012 - 13:11

Tarik,

Thanks for your reply. Yes, it's on the appliance, and it showed that because the probes were enabled on all interfaces; that's why it showed as failing.


P.S. This ID

d18c8261-e7bc-11e1-95b6-5cf3fc25cfa8 I do not see it in this file:

[first]profiler.log

I do see it in the second one though, and it is because it worked the second time.

edondurguti Thu, 08/16/2012 - 13:13

2012-08-16 10:33:59,222 INFO  2012-08-16 10:33:59,222  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Skip CoA for DISCONNECTED end point 00:26:C6:6A:DE:22 (policy Workstation)


This is what I saw too.
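The "Skip CoA for DISCONNECTED end point" entry above is the symptom worth watching for: the profiler has assigned a policy, but the session was already torn down by the deny-access rule, so the ReAuth CoA has nothing to act on. As an added example (not part of this thread or of ISE), the Python below scans profiler.log text for those entries and reports, per MAC, which policy was assigned and how often the CoA was skipped. The log lines are constructed in the layout quoted on this page; the MACs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the layout of the ISE 1.1.1 profiler.log excerpt
# quoted in this thread; MAC addresses and timestamps are made up.
SAMPLE_LOG = """\
2012-08-16 10:33:40,101 INFO  2012-08-16 10:33:40,101  [Profiler][] cisco.profiler.infrastructure.profiling.Profiler- Unrelated informational entry
2012-08-16 10:33:59,222 INFO  2012-08-16 10:33:59,222  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Skip CoA for DISCONNECTED end point 00:26:C6:6A:DE:22 (policy Workstation)
2012-08-16 10:41:12,005 INFO  2012-08-16 10:41:12,005  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Skip CoA for DISCONNECTED end point 00:26:C6:6A:DE:22 (policy Workstation)
2012-08-16 10:42:07,330 INFO  2012-08-16 10:42:07,330  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Skip CoA for DISCONNECTED end point 5C:F3:FC:00:00:01 (policy Apple-Device)
"""

# The session state, the MAC and the policy the profiler had just assigned are the fields worth keeping.
SKIP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*"
    r"Skip CoA for (?P<state>[A-Z]+) end point "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \(policy (?P<policy>[^)]+)\)"
)

def parse_skipped_coa(log_text):
    """Return one event dict per 'Skip CoA' line; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = SKIP_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
                "state": m.group("state"),
                "mac": m.group("mac").upper(),
                "policy": m.group("policy"),
            })
    return events

def summarize(events):
    """Per endpoint whose session was already gone when the profiler tried to
    push the reauth: assigned policy, how often it happened, and the time span."""
    per_mac = defaultdict(list)
    for ev in events:
        if ev["state"] == "DISCONNECTED":
            per_mac[ev["mac"]].append(ev)
    summary = {}
    for mac, evs in per_mac.items():
        evs.sort(key=lambda e: e["time"])
        summary[mac] = {
            "policy": evs[-1]["policy"],
            "skipped": len(evs),
            "span_seconds": (evs[-1]["time"] - evs[0]["time"]).total_seconds(),
        }
    return summary

if __name__ == "__main__":
    for mac, info in summarize(parse_skipped_coa(SAMPLE_LOG)).items():
        print(mac, info)
```

An endpoint that keeps appearing here with the same policy is one that the first-connection deny rule is locking out until the client reconnects on its own.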

edondurguti Fri, 08/17/2012 - 07:19

Tarik,

I did not open a case with TAC yet because I am trying to figure it out myself. I think there is like a bug in the database or something, because some things look weird, and this is what I've found:

I have created some custom profiles with custom attributes like check for FQDN and all that, and then I have deleted them.

I've done the profiler log (thanks for the heads up) and I've found some errors and why the first-time users who get in can't be profiled:


It is trying to profile it with previous rules which I have deleted and are now still in the database somehow. I do not know how to solve this, but here is the log part:


This is what it says first:

Caused by: Can not delete the rule with fqn NAC Group:NAC:PROFILERCheck_Test_for_fqdnRule4603716b-e44d-4b01-9308-2826829a79bcCheck7f9b8a99-9cdd-4402-b769-c85e4d38722f this is being refered by other rules [6e0b40d0-e322-11e1-ba0b-5cf3fc25cfa8,PROFILERRule_Test_for_fqdnRule4603716b-e44d-4b01-9308-2826829a79bc,]; nested exception is:

then:

Name:Microssssoft
FullName:TEST_FOR_FQDN
Description:this is the test for microsoft
MinimumCertaintyMetric:10
ActionId:
ScanActionId:6ed0fa70-be86-11e1-ba69-0050568e002b
ParentId:
Enabled:true
HasIdentityGrp:true
IdentityGrpID:79efb500-e310-11e1-ba0b-5cf3fc25cfa8
PolicyRules:{Test_for_fqdnRule4603716b-e44d-4b01-9308-2826829a79bc=-3}
:Unable to update EndpointPolicy. Unable to create / update EndpointPolicy. Rule must contain atleast one Check.
com.cisco.profiler.common.ProfilerException: Unable to update EndpointPolicy. Unable to create / update EndpointPolicy. Rule must contain atleast one Check.
    at com.cisco.profiler.api.EndpointPolicyHandler.update(EndpointPolicyHandler.java:320)


This rule doesn't exist anymore, and when users first hit the ISE they show up in authorization, as you can see from the screenshots above, without any identity group assigned to them.

edondurguti Fri, 08/17/2012 - 08:35

It's not collecting logs anymore I think; I'll reboot it and probably reset the whole thing :]

Tarik Admani Fri, 08/17/2012 - 08:46

Yeah I saw some message regarding the identity group not being able to be deleted also. Did you try deleting these endpoints and trying again?


I think you found an issue where an authorization policy may be left in the database; for that issue I suggest opening a TAC case to get this removed for you.


Thanks,



Tarik Admani
*Please rate helpful posts*

edondurguti Fri, 08/17/2012 - 08:49

I understand when that profile is associated with an endpoint it doesn't even let you delete it, but anyway this has been from before (didn't see the timestamp). But now when I do a debug for the profiler it doesn't seem to get logs at all. I will see something else with RADIUS and then finally I will open a TAC case if I'm stuck.

I do appreciate your help

edondurguti Fri, 08/17/2012 - 20:47

Couldn't figure out what's going on. I'm thinking of resetting ISE since it's not in production yet; do you think I should do that before opening a TAC case?

BTW, ISE does profile in HREAP with WLC code 7.0.x.x but doesn't change VLAN in HREAP.

Tarik Admani Fri, 08/17/2012 - 22:48

You can try to issue a factory reset in order to reset the database.


However, if you are running HREAP (FlexConnect nowadays), local switching isn't supported with ISE. The reason for this is that the initial authentication is done through the CAPWAP tunnel, but any ACL or redirection won't occur since the traffic is locally switched; hence the reason why FlexConnect isn't supported with ISE for advanced features (CoA, redirection ACLs, etc.).


Thanks,


Tarik Admani
*Please rate helpful posts*

edondurguti Fri, 08/17/2012 - 22:52

Hmmmm. Interesting. I thought the VLAN change would be supported on a 7.2 WLC with FlexConnect. I know the WLC doesn't support FlexConnect ACLs. You sure 7.2 doesn't support VLAN change?


Sent from Cisco Technical Support iPhone App

Tarik Admani Sat, 08/18/2012 - 00:18

You are correct that this will work with 7.2; I thought you were referring to 7.0 code. The documentation (1.1.1 release notes) says that it doesn't support FlexConnect. However, this seems to be a bug and doesn't show that it is only extended to VLAN assignment.


Thanks,


Tarik Admani
*Please rate helpful posts*

edondurguti Tue, 08/21/2012 - 19:31

Just for the info if someone ever comes here:

ISE 1.1.1 and WLC 7.2.x.x do support VLAN change, and there is something called FLEX CONNECT ACLs which work great :] with a little reading about them.

Anyway, thanks Tarik. I did reset the ISE application; it didn't help. The problem is that the MAC is not recognized (there is no rule to create an identity group based on that OUI, so no group is selected and they get denied).

There are a couple of workarounds that we came up with:

Create an isolated VLAN and set a secondary ip helper-address to point to ISE. Once they request DHCP, ISE will have the DHCP probe collect the dhcp-class-identifier (for Microsoft) and profile them as a Windows workstation.

iPhones are getting profiled based on their hostname; if it doesn't have a hostname, well, it's only identified as an APPLE DEVICE, so without some kind of SPAN or HTTP probe I don't think you can drill deeper.

You can always statically assign people to identity groups.

I've been brainstorming the profile thingy lol

Tarik Admani Tue, 08/21/2012 - 21:59

Also keep in mind that the Cisco product line is constantly adding features, more recently for example the DHCP profiling option from the WLC (hopefully it will send more attributes, much like the IOS device sensor feature). If you take advantage of the device registration feature or any means of redirecting users to the guest portal and having them authenticate again (this will only occur once), for example:


Users that authenticate through MSCHAPv2 (PEAP) and whose device isn't profiled as an Apple-iPhone, iPad, etc. and are stuck in the Apple-Device identity group, you can redirect them to the guest portal. You can configure your guest identity sequence to include AD so that users can enter their credentials again, get redirected to the AUP and then be profiled as an Apple iPhone. This doesn't do anything for you with regards to FlexConnect (not able to perform CoA), but it's a workaround that will help you if you come across this issue. I am sure there will be a feature that will help reauthenticate users through FlexConnect deployments, since the CoA and RADIUS traffic is performed through the management plane, so it's only a matter of time (in my opinion) before this will work in a FlexConnect environment.



Tarik Admani
*Please rate helpful posts*

edondurguti Tue, 08/21/2012 - 22:26

Thanks for your input, man.

So I can create an authorization for APPLE DEVICES to go to the guest portal and add the AD sequence there. Just with me the ACL wouldn't work because I am on Flex, and the AUTOLOGIN wouldn't pop up (as for guest access) because Apple has implemented it through a file that it tries to download from their server:

http://www.apple.com/library/test/success.html so I can deny this with a FlexConnect ACL or a routed ACL on the local router, then I'm sure it will pop up; once the iPhone cannot get that file it will open Safari and then I'm redirected :]

Tarik Admani Wed, 08/22/2012 - 02:53

The auto login is designed to detect a 302 response when the HTTP GET request is sent. If ISE didn't use HTTPS then this would work a little better. It's a probe that Apple designed in order to detect the captive portal and to "magically" pop up the login page in order to get access.


Thanks,


Sent from Cisco Technical Support iPad App
