Cisco Bug: CSCvu43332 - ENH: Ability to use profiler CoA (Dynamic Authorization) for VPN sessions
May 30, 2020
- Cisco Identity Services Engine
Known Affected Releases
2.6(0.156) 2.7(0.356) 3.0(0.362)
Symptom:
Profiler CoA (Dynamic Authorization) doesn't work for VPN sessions. When ISE sends a profiler or manual CoA it can do a reauthentication regardless of whether it is a MAB, 802.1X or VPN session. The ASA expects the authorization attributes within the CoA push, as it cannot do a reauthentication for a VPN tunnel. In current ISE releases, after a profiler change the CoA is sent with the original attributes, and the endpoint won't get the new attributes unless the session is completely ended. The profiler should be able to send a CoA push with the new attributes, in the same way it handles CoA with the posture flow over VPN.
Conditions:
VPN session authorized through ISE. Trying to blacklist an endpoint by using endpoint groups, for example moving it from an endpoint group that has a full-access DACL to a blacklist endpoint group whose DACL denies all access.
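To see the difference the bug describes on the wire, the following added example (not Cisco's code, not from this bug report) encodes and decodes a RADIUS CoA-Request per RFC 5176 and classifies it as a re-authentication request or a push that carries the new authorization. The Cisco-AVPair names used (`audit-session-id`, `subscriber:command=reauthenticate`, `ACS:CiscoSecure-Defined-ACL`) are the standard ones; the session id, dACL name and shared secret are constructed values.

```python
"""Encode/decode a RADIUS CoA-Request (RFC 5176) and tell a 'reauthenticate'
CoA apart from a CoA push that carries new authorization attributes."""
import hashlib
import struct

COA_REQUEST = 43      # RADIUS code for CoA-Request
CISCO_VENDOR = 9      # IANA enterprise number for Cisco; vendor-type 1 = Cisco-AVPair

def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a Vendor-Specific (type 26) attribute."""
    data = value.encode()
    vsa = struct.pack("!BB", 1, 2 + len(data)) + data
    return struct.pack("!BB", 26, 6 + len(vsa)) + struct.pack("!I", CISCO_VENDOR) + vsa

def build_coa(identifier: int, avpairs: list, secret: bytes) -> bytes:
    """Build a CoA-Request. The Request Authenticator is MD5 over the packet
    with a zeroed authenticator field, followed by the shared secret."""
    attrs = b"".join(cisco_avpair(v) for v in avpairs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_coa(packet: bytes, secret: bytes) -> dict:
    """Decode a CoA-Request, verify its authenticator and pull out Cisco-AVPairs."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    avpairs, pos = [], 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype == 26 and struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == CISCO_VENDOR:
            avpairs.append(attrs[pos + 8:pos + alen].decode())  # skip vendor id/type/len
        pos += alen
    return {"code": code, "id": identifier, "authentic": expected == packet[4:20],
            "avpairs": avpairs}

def classify(avpairs: list) -> str:
    """'reauth' asks the NAS to re-run authorization (useless for a VPN tunnel);
    'push' carries the new authorization itself, which is what the ASA expects."""
    if "subscriber:command=reauthenticate" in avpairs:
        return "reauth"
    if any(a.startswith("ACS:CiscoSecure-Defined-ACL=") for a in avpairs):
        return "push"
    return "other"

if __name__ == "__main__":
    # Constructed values: session id, dACL name and shared secret are placeholders.
    session = "audit-session-id=0a0000010000000a5ecbc0de"
    secret = b"constructed-shared-secret"
    for pkt in (build_coa(1, [session, "subscriber:command=reauthenticate"], secret),
                build_coa(2, [session, "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DENY_ALL-xyz"], secret)):
        parsed = parse_coa(pkt, secret)
        print(parsed["id"], parsed["authentic"], classify(parsed["avpairs"]), parsed["avpairs"])
```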