Cisco Bug: CSCvu43332 - ENH: Ability to use profiler CoA (Dynamic Authorization) for VPN sessions

Last Modified

May 30, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.6(0.156) 2.7(0.356) 3.0(0.362)

Description (partial)

Symptom:
Profiler CoA (Dynamic Authorization) does not work for VPN sessions.
When ISE sends a profiler or manual CoA, it requests a reauthentication regardless of whether the session is MAB, 802.1X or VPN. The ASA expects the authorization attributes to be carried within the CoA push, because it cannot reauthenticate a VPN tunnel. In current ISE releases, after a profiler change the CoA is sent with the original attributes, so the endpoint does not receive the new attributes unless the session is completely ended.
The profiler should be able to send a CoA push carrying the new attributes, in the same way it handles CoA for the posture flow over VPN.

Conditions:
VPN session authorized through ISE.
Trying to blacklist an endpoint by using endpoint groups; for example, moving an endpoint from an endpoint group that has a full-access DACL to a blacklist endpoint group that denies all access.
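As an added example (not Cisco's code and not part of the bug record), the two CoA shapes the report contrasts, built per RFC 5176 in Python: a CoA-Request that only asks the NAS to reauthenticate the session, which an ASA cannot honour for a VPN tunnel, versus one that pushes the new authorization attributes directly. The shared secret, session values and ACL name are constructed; the reauthentication av-pair string and the set of session-identification attributes are assumptions.

```python
import hashlib
import struct
COA_REQUEST = 43                       # RFC 5176 packet code for CoA-Request
USER_NAME, NAS_IP, FRAMED_IP, FILTER_ID, VSA, CALLING_STATION, ACCT_SESSION = 1, 4, 8, 11, 26, 31, 44
SESSION_ID_ATTRS = {USER_NAME, NAS_IP, FRAMED_IP, CALLING_STATION, ACCT_SESSION}
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # cisco-av-pair is sub-type 1 under vendor 9
REAUTH_CMD = "subscriber:command=reauthenticate"   # assumed form of the reauthentication av-pair

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Wrap a cisco-av-pair string in a RADIUS Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_coa_request(identifier, attributes, secret):
    """Serialize a CoA-Request; RFC 5176 defines the Request Authenticator as
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def authenticator_valid(packet, secret):
    """The check a NAS performs before acting on a CoA: recompute the authenticator."""
    return packet[4:20] == hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def parse_attributes(packet):
    """Return [(type, value)], with cisco-av-pairs expanded to ('avpair', text)."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        value = packet[pos + 2:pos + alen]
        if atype == VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            atype, value = "avpair", value[6:].decode()   # drop vendor id and sub-TLV header
        out.append((atype, value))
        pos += alen
    return out

def classify_coa(packet):
    """'reauthenticate' if the CoA only asks the NAS to rerun authentication; 'authorization-push' if it carries new authorization."""
    authz = [a for a in parse_attributes(packet)
             if a[0] not in SESSION_ID_ATTRS and a != ("avpair", REAUTH_CMD)]
    return "authorization-push" if authz else "reauthenticate"

SECRET = b"constructed-shared-secret"   # constructed, as are the session id and ACL name below
SESSION = [attr(USER_NAME, b"vpnuser"), attr(ACCT_SESSION, b"0A000001")]
REAUTH_COA = build_coa_request(1, SESSION + [cisco_avpair(REAUTH_CMD)], SECRET)
PUSH_COA = build_coa_request(2, SESSION + [attr(FILTER_ID, b"DENY-ALL-ACL")], SECRET)
```

Capturing the CoA on the wire and running it through `classify_coa` shows whether a given ISE release sent a bare reauthentication request or the new attributes the ASA needs.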