I am sure that Aruba doesn't support CoA, can you confirm? You will have to deploy an inline posture node in order to handle the traffic policies after the user is authenticated from the Aruba controller.
Still would like to get this resolved, Radius authentication works great, but CoA never comes through, although the NAC Client says compliant.
You have to deploy another node (inline policy node) for devices that do not support CoA. The iPEP is a combination of a RADIUS proxy and a firewall. Traffic is dynamically changed through APIs that simulate CoA so that users can get temporary access or become quarantined until they meet requirements.
This is a current requirement when deploying ISE with VPNs even with the Cisco ASA.
*Please rate helpful posts*
You completely ignored my comments, I said Aruba does support CoA. I believe I figured it out on my own, and I did not have to do any Inline Policy nodes.
You are correct I missed the comment, congrats on getting this resolved.
*Please rate helpful posts*
I'm trying to configure ISE and Aruba Wireless Controller. Any suggestion to configure BYOD? have any documents ?
I have nothing published yet, but yes, I have it working in some fashion with Aruba. I am still working out a few issues with CoA from the Aruba side; getting the correct NAD and NAD Port into the Aruba controller has been a pain. But I got something to work that both Cisco and Aruba said wouldn't; neither tech support was helpful.
That is great.
Can you please share the steps/config to support CoA on Aruba Controller with Cisco ISE?
Appreciate all the help here.
My current employer doesn't want me to disclose how we did it; basically they made a deal with Aruba not to disclose until Aruba comes in with their ISE-like solution. However, unfortunately for me, my last day here is 12/31/2012, but at that time I can give all the details.
Ultimately, ISE sends CoAs to port 1700 (Cisco's original port). When CoA became an RFC, the port moved to 3799, but ISE is still using 1700, because that's what the Cisco NADs default to. Aruba would be following port 3799, and expecting it there.
With that said, there is also the matter of CoA message types to discuss. The RFC only dictates one message (Message of Disconnect), a.k.a. terminate. To make the user experience better, and for the support of multiple stages of a single network (Session Aware Networking, an enhancement to dot1x that Cisco created), Cisco developed new CoA messages, such as "Re-Auth" (the important one), "Port-Bounce" and others.
Aruba will most likely interpret any CoA message from Cisco as a DM (disconnect message) and force a new session for the wireless device, which may or may not work out. If you state you got it all working, that's terrific. That means the Aruba probably had a setting to change the port to 1700 so it could get the messages from ISE.
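To make the port and message-type points above concrete, here is an added example (not code from the original thread, Cisco or Aruba) that builds the two packet kinds discussed: an RFC 5176 Disconnect-Request (the "DM") and a CoA-Request carrying the Cisco "subscriber:command=reauthenticate" avpair that Cisco NADs treat as Re-Auth. It encodes both RFC 5176 integrity fields (Request Authenticator and Message-Authenticator) and verifies them the way a NAD should before acting on a CoA. The shared secret, session ID and MAC are constructed sample values; `send_request` is only called if you point it at a real NAD, on either the Cisco default port 1700 or the RFC 5176 port 3799.

```python
"""Build and verify RFC 5176 Disconnect-Request / CoA-Request datagrams (example)."""
import hashlib
import hmac
import socket
import struct

# Dynamic-authorization ports discussed in the thread.
COA_PORT_CISCO = 1700     # pre-RFC Cisco default, what ISE sends to by default
COA_PORT_RFC5176 = 3799   # IANA-assigned port from RFC 5176

DISCONNECT_REQUEST = 40   # RFC 5176 Disconnect-Request ("DM")
COA_REQUEST = 43          # RFC 5176 CoA-Request; Cisco carries Re-Auth/Bounce in it

# Standard attribute types used below (RFC 2865/2866/3579)
NAS_IP_ADDRESS, VENDOR_SPECIFIC, CALLING_STATION_ID = 4, 26, 31
ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 44, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV; the length octet covers type+length+value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco VSA (Vendor-Id 9, sub-type 1 = cisco-avpair) inside attribute 26."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Assemble a DM or CoA-Request with Message-Authenticator and Request Authenticator.

    RFC 5176 sec 3.3 ordering: HMAC-MD5 the packet with the Request Authenticator and
    the Message-Authenticator value zeroed, fill in the HMAC, then compute the Request
    Authenticator as MD5(Code+ID+Length+16 zero octets+attributes+secret).
    """
    zero16 = b"\x00" * 16
    body = attributes + attr(MESSAGE_AUTHENTICATOR, zero16)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    msg_auth = hmac.new(secret, header + zero16 + body, hashlib.md5).digest()
    body = attributes + attr(MESSAGE_AUTHENTICATOR, msg_auth)
    req_auth = hashlib.md5(header + zero16 + body + secret).digest()
    return header + req_auth + body


def disconnect_message(identifier: int, session_id: str, mac: str, secret: bytes) -> bytes:
    """The one message type RFC 5176 mandates: terminate the identified session."""
    attrs = attr(ACCT_SESSION_ID, session_id.encode()) + attr(CALLING_STATION_ID, mac.encode())
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def cisco_reauth(identifier: int, session_id: str, mac: str, secret: bytes) -> bytes:
    """Cisco-style Re-Auth: a CoA-Request whose meaning lives in a vendor avpair."""
    attrs = (attr(ACCT_SESSION_ID, session_id.encode()) + attr(CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_request(COA_REQUEST, identifier, attrs, secret)


def parse_attributes(data: bytes) -> list:
    """Split the attribute region into (type, value) pairs, rejecting malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("invalid attribute length")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_request(packet: bytes, secret: bytes) -> dict:
    """Check both authenticators as a receiving NAD should; raise ValueError on any failure."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    header, req_auth, body, zero16 = packet[:4], packet[4:20], packet[20:], b"\x00" * 16
    if not hmac.compare_digest(hashlib.md5(header + zero16 + body + secret).digest(), req_auth):
        raise ValueError("Request Authenticator mismatch (wrong shared secret?)")
    attrs = parse_attributes(body)
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0]) != 16:
        raise ValueError("exactly one 16-octet Message-Authenticator required")
    zeroed = b"".join(attr(t, zero16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    if not hmac.compare_digest(hmac.new(secret, header + zero16 + zeroed, hashlib.md5).digest(), ma[0]):
        raise ValueError("Message-Authenticator mismatch")
    return {"code": code, "identifier": identifier, "attributes": attrs}


def is_authentic(packet: bytes, secret: bytes) -> bool:
    """Boolean wrapper around verify_request for quick checks."""
    try:
        verify_request(packet, secret)
        return True
    except ValueError:
        return False


def send_request(packet: bytes, nad_ip: str, port: int, timeout: float = 3.0) -> bytes:
    """Send the datagram to a NAD's dynamic-authorization port and return its reply (ACK/NAK)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nad_ip, port))
        reply, _ = sock.recvfrom(4096)
    return reply


if __name__ == "__main__":
    secret = b"s3cret"                                    # constructed sample secret
    dm = disconnect_message(1, "0A0B0C0D", "00-11-22-33-44-55", secret)
    print("DM", len(dm), "bytes, valid:", is_authentic(dm, secret), "-> port", COA_PORT_RFC5176)
    ra = cisco_reauth(2, "0A0B0C0D", "00-11-22-33-44-55", secret)
    print("Re-Auth", len(ra), "bytes, valid:", is_authentic(ra, secret), "-> port", COA_PORT_CISCO)
```

A NAD that only implements the RFC sees the Re-Auth packet as a code-43 request containing an unknown vendor attribute, which is why the post above expects a non-Cisco controller to either NAK it or treat it like a disconnect; a port mismatch (1700 vs 3799) never reaches the parser at all and shows up only as a CoA timeout on ISE.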
is the DM Message non-disruptive to the end-user?
I have a mix of Cisco and Aruba gear, and so I have been testing Aruba CPPM and Cisco ISE for interoperability with both. I can confirm that the Aruba ClearPass Policy Manager RADIUS CoA port is customizable and that ISE supports both ports 1700 and 3799, according to the document Cisco TrustSec How-To Guide: ISE Deployment Guides and Guidelines. So, if the NADs and/or the RADIUS servers support both ports, we're good. This is a lot like 1812/1813 and 1645/1646 with RADIUS authentication and accounting. The following is a very helpful document, by the way.
Any change on this? Can you now disclose the steps to make ISE and Aruba work together? :)
Thank you in advance.
Interesting that CoA is working with Aruba, we were under the impression it was not. Any challenges you want to share with us in getting that integration in place?
It doesn't have to be inline to get Aruba to work. Aruba's issue is that they currently have a bug in CoA, so sometimes you will see CoA failures. Working with Aruba technical support on it now.
I was working on an Aruba and ISE deployment. The endpoint needed to be postured, but it never worked properly.
We saw that the endpoint was authenticated against ISE and the RADIUS accept packet was received in the Aruba controller. However, the iPEP session was never triggered and the endpoint never got access to the redirection link. Is there an example of Aruba and iPEP you can share?
This might help you out.
"Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices. In addition, certain other advanced functions like central web authentication (CWA), Change of Authorization (CoA), Security Group Access, and downloadable ACLs, are only supported on Cisco devices."
We only support LWA guest on the Aruba Controller with ISE. The captive portal is hosted on the Aruba controller.
Additionally, the AUP on the controller is just a link to the AUP page, and there is no check box to select. By logging in you agree to the AUP implicitly. You can read the text of the AUP by clicking the link.
See the following VoD on how we can get preactivated guests to work on an Aruba controller.
Also the ISE-Aruba integration guide is here: http://ecm-link.cisco.com/ecm/view/objectId/090dcae184a2f348/versionLabel/CURRENT