Cisco ISE and SNMP CoA Feature

ISE supports third-party NADs using Network Device Profiles:

NAD profiles define the capabilities of the third-party device with policy configuration. A network device profile contains the following:

• The protocols the network device support, such as RADIUS, TACACS+, and TrustSec. You can import any vendor-specific RADIUS dictionaries that exist for the device into ISE.
• The attributes and values that the device uses for the various flows such as Wired MAB and 802.1x. This allows ISE to detect the right flow type for your device according to the attributes it uses.
• The CoA capabilities the device has. While RFC 5176 defines the types of CoA requests, the required attributes in the requests vary depending on the device. For devices that do not support the RADIUS CoA type, ISE also supports SNMP CoA.

SNMP CoA is a new feature introduced in ISE 2.1.?Some of the network devices do not understand a RADIUS CoA sent by ISE. Since SNMP is supported by almost all NADs, CoA that uses SNMP became a viable option in such a scenario. An SNMP CoA is performed by an SNMP SetRequest sent from ISE to a NAD in order to set certain Object Identifiers (OIDs) which manage the operational status of a port.

The use of SNMP SetRequest messages is obvious; the?SetRequest-PDU?message contains a specification for variables whose values are to be modified by the network administrator. Remember that?SNMP does not include specific commands?to let a network administrator control a managed device. This is in fact the “control method”, by setting variables that affect the operation of the managed device.

1. SNMP Manager Creates?SetRequest-PDU:?Based on the information changes specified by the user through the SNMP application, the SNMP software on the network management station creates a?SetRequest-PDU?message. It contains a set of MIB object names and the values to which they are to be set.
2. SNMP Manager Sends?SetRequest-PDU:?The SNMP manager sends the PDU to the device being controlled.
3. SNMP Agent Receives and Processes?SetRequest-PDU:?The SNMP agent receives and processes the set request. It examines each object in the request along with the value to which the object is to be set, and determines if the request should or should not be honored.
4. SNMP Agent Makes Changes and Creates Response-PDU: Assuming that the information in the request was correct, the SNMP agent makes changes to its internal variables. The agent creates a Response-PDU to send back to the SNMP Manager, which either indicates that the request succeeded, or contains error codes to indicate any problems with the request found during processing.
5. SNMP Agent Sends?Response-PDU:?The agent sends the response back to the SNMP Manager.
6. SNMP Manager Processes?Response-PDU:?The manager processes the information in the Response-PDU to see the results of the set.

There are two settings on ISE which need to be configured for the SNMP CoA to work:

1. SNMP server settings of a NAD.
2. SNMP CoA settings of a NAD Profile.