Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5-node deployment (1 x Admin, 1 x Monitoring, 1 x secondary Admin/Monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that the POD message was dropped due to an unconfigured client and listed the IP address of the primary admin node that I had initiated the CoA from (in the GUI).
I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin, and the same error presented, this time with the IP address of the secondary admin. I then proceeded to add the admin nodes as dynamic-author clients and CoA started to work properly.
So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?
Cisco ISE does not issue a CoA for the following reasons:
An Endpoint disconnected from the network—When an endpoint disconnected from your network is discovered.
Authenticated wired EAP (Extensible Authentication Protocol)-capable endpoint—When an authenticated wired EAP-capable endpoint is discovered.
Multiple active sessions per port—When you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option.
Packet-of-Disconnect CoA (Terminate Session) when a wireless endpoint is detected—If an endpoint is discovered as wireless, then a Packet-of-Disconnect CoA (Terminate-Session) is issued instead of the Port Bounce CoA. The benefit of this change is to support the Wireless LAN Controller (WLC) CoA.
An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.
Global No CoA Setting overrides Policy CoA—Global No CoA overrides all configuration settings in endpoint profiling policies as there is no CoA issued in Cisco ISE irrespective of CoA configured per endpoint profiling policy.
I have just upgraded the deployment from 1.2 patch 8 to 1.2.1 and the issue still persists. Thanks kindly for the information, but I am well aware of the above-mentioned scenarios.
To put it simply the issue presents when I issue a CoA from the administration GUI. What then happens is the switch gives the following error (where x.x.x.x is the IP of the admin node):
Jun 10 12:28:11: POD: x.x.x.x client not configured. Dropping POD packet.
Basically the admin node is purely an admin node: no policy, no monitoring. If I repeat the test from the secondary admin the same error occurs, albeit with the secondary IP in the error. I can resolve this issue by adding the admin nodes as dynamic authors on the switch.
Just to clarify - I am correct in my assumption that all CoA should be from the PSNs?
CoA Not Initiating on Client Machine

Symptoms or Issue
Cisco ISE is not able to identify the specified Network Access Device (NAD).

Conditions
Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client

Possible Causes
• The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by IP during authentication.

Resolution
• Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices.

Symptoms or Issue
Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).

Conditions
Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.

Possible Causes
Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.

Resolution
Ensure the following commands are present in the switch configuration file (required on the switch to activate CoA and configure the switch):
aaa server radius dynamic-author
 client <Monitoring_node_IP_address> server-key <radius_key>
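The thread's own diagnosis comes from two artefacts: the switch's "POD: x.x.x.x client not configured. Dropping POD packet." log line and the aaa server radius dynamic-author block in the running config. The script below is an added example, not part of this thread or of Cisco's documentation: it pulls the source IPs out of those log lines, parses the dynamic-author block, checks the CoA port against the ISE default of 1700 mentioned above, and emits the client lines that are missing. The log lines, config excerpt, IP addresses and server key are all constructed here for illustration; the log format is taken from the message quoted in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample switch log (IPs are placeholders chosen for this example).
# The first two lines mirror the message quoted in the thread.
SAMPLE_LOG = """\
Jun 10 12:28:11: POD: 10.0.0.10 client not configured. Dropping POD packet.
Jun 10 12:29:02: POD: 10.0.0.11 client not configured. Dropping POD packet.
Jun 10 12:30:45: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Constructed sample running-config excerpt: only the two PSNs are dynamic-author clients.
SAMPLE_CONFIG = """\
aaa new-model
aaa server radius dynamic-author
 client 10.0.0.20 server-key 7 0822455D0A16
 client 10.0.0.21 server-key 7 0822455D0A16
 port 1700
 auth-type any
!
interface GigabitEthernet1/0/1
 switchport mode access
"""

POD_DROP_RE = re.compile(
    r"POD: (\d{1,3}(?:\.\d{1,3}){3}) client not configured\. Dropping POD packet"
)


def dropped_pod_sources(log_text):
    """Source IPs the switch reported as unconfigured CoA/POD senders."""
    found = set()
    for line in log_text.splitlines():
        m = POD_DROP_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def dynamic_author_clients(config_text):
    """Parse the 'aaa server radius dynamic-author' block.

    Returns (set of client IPs, CoA port). IOS defaults the port to 1700
    when no 'port' line is present in the block.
    """
    clients = set()
    port = 1700
    in_block = False
    for raw in config_text.splitlines():
        if not in_block:
            if raw.strip() == "aaa server radius dynamic-author":
                in_block = True
            continue
        # The block ends at the first line that is not indented (e.g. '!').
        if not raw.startswith(" "):
            in_block = False
            continue
        parts = raw.split()
        if parts[0] == "client":
            clients.add(parts[1])
        elif parts[0] == "port":
            port = int(parts[1])
    return clients, port


def coa_port_ok(config_text, expected=1700):
    """True when the switch's CoA listener matches the port ISE sends to."""
    return dynamic_author_clients(config_text)[1] == expected


def missing_dynamic_author_lines(log_text, config_text, server_key="<radius_key>"):
    """'client ... server-key ...' lines that would stop the logged POD drops.

    server_key is a placeholder; the real key must match the RADIUS shared
    secret configured for this NAD in ISE.
    """
    clients, _ = dynamic_author_clients(config_text)
    missing = sorted(dropped_pod_sources(log_text) - clients, key=ip_address)
    return ["client %s server-key %s" % (ip, server_key) for ip in missing]


if __name__ == "__main__":
    print("CoA port OK:", coa_port_ok(SAMPLE_CONFIG))
    for line in missing_dynamic_author_lines(SAMPLE_LOG, SAMPLE_CONFIG, "s3cret"):
        print(" " + line)
```

Run it against the output of show logging and show running-config | section dynamic-author from the affected switch; every IP it lists is a node that actually sourced a CoA but is not trusted by the switch, which is exactly the check the original poster did by hand.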