Cisco Support Community
Community Member

first time CoA

I have this problem where first-time users hit the default reject profile because they are not being profiled. They remain Unknown until I reconnect. Can this be because the access point is a 1231 converted to lightweight? (It does support change of VLAN, though.) I have CoA set to ReAuth. Still not sure if this is a Packet of Disconnect issue with that AP. If someone has faced this, I'd appreciate the help.

Sent from Cisco Technical Support iPhone App

39 REPLIES

first time CoA

If the AP is lightweight then the CoA should be processed by the controller. If this is a standalone AP then yes, that is the reason why you are facing this issue. For devices that do not support CoA (i.e. ASAs and standalone APs) you should consider positioning an Inline Posture node (iPEP) in order to handle the CoA services. Here is the documentation that covers the basics of the iPEP node and how it bridges this limitation:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1198610

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

You're a hard-working man, I appreciate it. No, it's a lightweight AP. And as I said, when they connect the first time they get to be Unknown (even with MAC-only profiling) and they are rejected because the last default is set to deny. They only need to reconnect and everything is fine. Have you seen this? I've read about FirstTimeProfile but it doesn't seem to bounce them as it should for some reason. Is there anything that needs to be done?

Re: first time CoA

I understand now. If you have CoA set to ReAuth, there is already a built-in condition so that when an endpoint is profiled for the first time (goes from Unknown to known) then CoA is triggered:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555378

What version of ISE are you currently running, and what version is your controller? If you are using MAC filtering you need to be on WLC version 7.2.110 in order to support CoA (RADIUS NAC) with MAC filtering.

If you don't mind, can you post a screenshot of when this occurs? Before you reauthenticate, check the endpoint database: does it still show as Unknown or does it show as mapped? In the authentication reports, do you see any red entries where dynamic authorization is failing? Does this happen on all SSIDs on this AP?

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

Cisco ISE 1.1.1, WLC 7.0.220.0

Yes, it adds up as a Workstation in the identities after failing, because when I reconnect I'm all good, but if I don't reconnect I'm just stuck, and eventually after 20 minutes it tries again and it succeeds.

Here is a screenshot.

P.S. Radius State on the WLC is None, but I've tried both, same scenario.

P.P.S. I did read that link before I posted :}

Re: first time CoA

Hmm,

Do you have the AAA override set on the controller? It seems as if everything is working fine on the controller side, but when the CoA hits it seems as if the endpoint is matching the Profiled:Workstation endpoint group; that is why you hit the deny access policy. Are you profiling these endpoints using the DHCP attribute?

Can you post a screenshot of your authorization policies?

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

Tarik,

Yes, I do have AAA override on the WLC.

Here is the screenshot:

Community Member

Re: first time CoA

If you noticed, in my first screenshot the profiled Workstation is matched with Permit Access after I reconnect.

I do use the DHCP option for profiling, but I've tried even with the MAC address, where I added MAC attributes to the WORKSTATION profile, for example if MAC CONTAINS OUI = Intel then Workstation; still the same.

Re: first time CoA

Hi,

Do you have the RADIUS probe enabled? Please enable it if you don't; it should speed things up if ISE can profile the endpoint using the Calling-Station-ID, instead of waiting for the DHCP traffic to arrive after authentication succeeds.

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

I do have it enabled. I am currently at home; I will go to work tomorrow and try.

How do I differentiate by Calling-Station-ID? Because that's not a profiling attribute as of right now in the Workstation profile. (I'd love to be able to differentiate Windows machines through RADIUS.)

Community Member

Re: first time CoA

I see,

It has to be a MAC address for Calling-Station-ID.

Unfortunately for me I have like 5k and they all start differently; I can't match the OUI to it.

I'll see how to figure this out tomorrow at work. Thanks for your help.

Re: first time CoA

You shouldn't have to configure any profiling policies; internally the ISE node should know the Calling-Station-ID is the MAC address and it should roll up into the MACOUI check.

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

I see what you mean, I do understand how it works.

I will try something tomorrow. I think this is only doing it to the laptops, not to iDevices, as far as I can recall.

I will post updates tomorrow; I have some ideas that I need to try out.

I highly appreciate your help.

Community Member

Re: first time CoA

Nope, it does the same thing even for iDevices. Maybe a TAC case?

first time CoA

Hi,

Do you have the profiling services still enabled on the deployment page? Before opening a TAC case, could you delete the endpoint, enable the profiler component to trace (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1054671), reproduce the issue and then download the profiler.log file (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wpxref46056)?

Attach it here and take another screenshot of the first authentication, the CoA request and then when you reattempt the connection and match the profile (also download the log after you follow all these steps).

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

I do have profiling enabled.

Here are the files.

BTW, do I need to do the debugging from the secondary (because the secondary node is set as the primary monitoring role)?

https://dl.dropbox.com/u/75261564/ise.logs.zip

first time CoA

Hi,

We are taking the logs from the node itself; the monitoring node is for the authentications.

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

first time CoA

Done, got it from the primary. Are you able to download the files?

Re: first time CoA

I downloaded them. Do you have a screenshot of the timeframe on when you reproduced the issue?

I would like to get the timestamps and MAC on when you attempted it.

Disregard, I just opened the zip file.

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

They are on the sides for authorization; it's all within 3 minutes.

Re: first time CoA

You sent me the prrt.log files; I need the profiler.log file.

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: first time CoA

Community Member

Re: first time CoA

Oh, my bad, because it's above it kinda messed up the rows. Give me a sec.

Community Member

first time CoA

Let me know if you got them:

https://dl.dropbox.com/u/75261564/ise.logs.zip so I can delete the files.

Community Member

first time CoA

I also get emails as alarms saying:

Dynamic Authorization Failed for Device:WLC-PRIMARY

first time CoA

Hi,

Your best bet is to open a TAC case. After looking through the logs, I don't see the profiler log capturing the RADIUS event that occurred at 11:09; it seems as if the endpoint was created well before the debugs were turned on, because there is an endpoint ID assigned.

If I were you, I would open a TAC case and reproduce the issue with a packet capture from the WLC (you can go to monitor > tools > tcpdump); you can filter using ip host (wlcipadd). Provide this information to TAC along with the screenshots that you provided and you should get a quick turnaround.

If you want to debug this yourself you can: the endpoint ID is (d18c8261-e7bc-11e1-95b6-5cf3fc25cfa8), and when you look at the entries in the profiler.log that match this ID you can see they are all endpoint updates (starting at 11:10:42). There isn't an add, which tells me that something may have been dropped internally in the profiler process.

Also, are you running on an appliance (because I see some probes enabled on gig3)? Can you verify this and turn off any probes that you aren't using.

Tarik Admani
*Please rate helpful posts*

Community Member

first time CoA

Tarik,

Thanks for your reply. Yes, it's on the appliance, and it showed that because the probes were enabled on all interfaces; that's why it showed as failing.

P.S. This ID

d18c8261-e7bc-11e1-95b6-5cf3fc25cfa8 I do not see in this file:

[first]profiler.log

I do see it in the second one, though, and that is because it worked the second time.

Community Member

first time CoA

2012-08-16 10:33:59,222 INFO  2012-08-16 10:33:59,222  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Skip CoA for DISCONNECTED end point 00:26:C6:6A:DE:22 (policy Workstation)

This is what I saw too.
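As an added illustration (not from this thread, and not Cisco's code), here is a small Python parser that applies the two checks Tarik described to profiler.log lines: whether CoA was skipped for a DISCONNECTED endpoint (the line quoted just above), and whether an endpoint only has update entries with no add. The "Skip CoA" line shape is the one quoted in the thread; the "Endpoint add/update" and "Sending CoA" message texts and the sample MACs are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the profiler.log line shape quoted in the thread. The
# "Skip CoA" line is the real shape; the other message texts are assumed.
SAMPLE_LOG = """\
2012-08-16 10:33:57,410 INFO  2012-08-16 10:33:57,410  [EndpointHandler][] cisco.profiler.infrastructure.profiling.EndpointHandler- Endpoint update 00:26:C6:6A:DE:22 (policy Workstation)
2012-08-16 10:33:59,222 INFO  2012-08-16 10:33:59,222  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Skip CoA for DISCONNECTED end point 00:26:C6:6A:DE:22 (policy Workstation)
2012-08-16 10:35:01,004 INFO  2012-08-16 10:35:01,004  [EndpointHandler][] cisco.profiler.infrastructure.profiling.EndpointHandler- Endpoint add AA:BB:CC:11:22:33 (policy Unknown)
2012-08-16 10:35:03,880 INFO  2012-08-16 10:35:03,880  [CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- Sending CoA for end point AA:BB:CC:11:22:33 (policy Workstation)
"""

# timestamp, level, repeated timestamp, [Handler][], java class-, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+\S+ \S+\s+"
    r"\[(?P<handler>[^\]]*)\]\[[^\]]*\]\s+\S+- (?P<msg>.*)$")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")
POLICY_RE = re.compile(r"\(policy ([^)]+)\)")

def parse_line(line):
    """Return (ts, handler, mac, policy, kind) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    mac = MAC_RE.search(msg)
    pol = POLICY_RE.search(msg)
    if "Skip CoA" in msg:            # CoA not sent: endpoint seen as disconnected
        kind = "coa_skipped"
    elif "CoA" in msg:               # any other CoA handler message
        kind = "coa_sent"
    elif re.search(r"\badd\b", msg, re.I):
        kind = "add"
    elif "update" in msg.lower():
        kind = "update"
    else:
        kind = "other"
    return (m.group("ts"), m.group("handler"), mac.group(1).upper() if mac else None,
            pol.group(1) if pol else None, kind)

def analyze(log_text):
    """Group events per MAC and flag the two conditions discussed in the thread."""
    per_mac = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[2]:
            per_mac[ev[2]].append(ev)
    findings = {}
    for mac, evs in per_mac.items():
        kinds = [e[4] for e in evs]
        notes = []
        if "coa_skipped" in kinds:
            notes.append("CoA skipped while DISCONNECTED: client gets the new policy only after reconnecting")
        if "update" in kinds and "add" not in kinds:
            notes.append("updates without an add: endpoint pre-existed or the add was lost")
        findings[mac] = notes
    return findings
```

Run `analyze(open("profiler.log").read())` against a real capture taken after enabling the profiler trace; a MAC with an empty note list had a normal add-then-CoA sequence.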

Community Member

first time CoA

Tarik,

I did not open a case with TAC yet because I am trying to figure it out myself. I think there is like a bug in the database or something, because some things look weird, and this is what I've found:

I have created some custom profiles with custom attributes, like a check for FQDN and all that, and then I have deleted them.

I've done the profiler log (thanks for the heads up) and I've found some errors and why the first-time users that get in can't be profiled:

It is trying to profile it with previous rules which I have deleted and are somehow still in the database. I do not know how to solve this, but here is the log part:

This is what it says first:

Caused by: Can not delete the rule with fqn NAC Group:NAC:PROFILERCheck_Test_for_fqdnRule4603716b-e44d-4b01-9308-2826829a79bcCheck7f9b8a99-9cdd-4402-b769-c85e4d38722f this is being refered by other rules [6e0b40d0-e322-11e1-ba0b-5cf3fc25cfa8,PROFILERRule_Test_for_fqdnRule4603716b-e44d-4b01-9308-2826829a79bc,]; nested exception is:

then:

Name:Microssssoft
FullName:TEST_FOR_FQDN
Description:this is the test for microsoft
MinimumCertaintyMetric:10
ActionId:
ScanActionId:6ed0fa70-be86-11e1-ba69-0050568e002b
ParentId:
Enabled:true
HasIdentityGrp:true
IdentityGrpID:79efb500-e310-11e1-ba0b-5cf3fc25cfa8
PolicyRules:{Test_for_fqdnRule4603716b-e44d-4b01-9308-2826829a79bc=-3}
:Unable to update EndpointPolicy. Unable to create / update EndpointPolicy. Rule must contain atleast one Check.
com.cisco.profiler.common.ProfilerException: Unable to update EndpointPolicy. Unable to create / update EndpointPolicy. Rule must contain atleast one Check.
    at com.cisco.profiler.api.EndpointPolicyHandler.update(EndpointPolicyHandler.java:320)

This rule doesn't exist anymore, and when they show up in authorization, as you can see from the screenshots above, when users first hit ISE they do not have any identity group assigned to them.

Community Member

first time CoA

It's not collecting logs anymore, I think; I'll reboot it and probably reset the whole thing :]
