Cisco Support Community

New Member

Aruba Wireless Controller and ISE

Ok, so we have the basic part working, but CoA is failing to respond to the request from the ISE server. Any ideas anyone?

Jeff

22 REPLIES

Re: Aruba Wireless Controller and ISE

Jeffrey,

I am sure that Aruba doesn't support CoA, can you confirm? You will have to deploy an inline posture node in order to handle the traffic policies after the user is authenticated from the Aruba controller.

Thanks,

Tarik Admani

New Member

Aruba Wireless Controller and ISE

Actually Aruba does

just found this

http://community.arubanetworks.com/t5/Controller-Based-WLANs/Does-Aruba-Controller-support-switching-vlan-using-COA/ta-p/194579

New Member

Aruba Wireless Controller and ISE

Still would like to get this resolved. RADIUS authentication works great, but CoA never comes through, although the NAC client says compliant.

Aruba Wireless Controller and ISE

Jeff,

You have to deploy another node (inline policy node) for devices that do not support CoA. The iPEP is a combination of a RADIUS proxy and a firewall. Traffic is dynamically changed through APIs that simulate CoA so that users can get temporary access or become quarantined till they meet requirements.

This is a current requirement when deploying ISE with VPNs even with the Cisco ASA.

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

Aruba Wireless Controller and ISE

You completely ignored my comments. I said Aruba does support CoA. I believe I figured it out on my own, and I did not have to do any Inline Policy nodes.

Jeff

Aruba Wireless Controller and ISE

Jeff,

You are correct, I missed the comment. Congrats on getting this resolved.

Tarik Admani
*Please rate helpful posts*

New Member

Aruba Wireless Controller and ISE

Jeffrey/all

I'm trying to configure ISE and an Aruba Wireless Controller. Any suggestions for configuring BYOD? Do you have any documents?

Regards

New Member

Aruba Wireless Controller and ISE

I have nothing published yet, but yes, I have it working in some fashion with Aruba. I am still working out a few issues with CoA from the Aruba side; getting the correct NAD and NAD Port into the Aruba controller has been a pain. But I got something to work that both Cisco and Aruba said wouldn't. Neither tech support was helpful.

JJ

Cisco Employee

Aruba Wireless Controller and ISE

Hi Jeffrey,

That is gr8.

Can you please share the steps/config to support CoA on Aruba Controller with Cisco ISE?

Appreciate all the help here.

Cheers

New Member

Aruba Wireless Controller and ISE

Hi Jeffrey,

I'd appreciate if you could send us some config information to make it work with ISE.

Cheers.

New Member

Aruba Wireless Controller and ISE

My current employer doesn't want me to disclose how we did it. Basically, they made a deal with Aruba not to disclose until Aruba comes in with their ISE-like solution. However, unfortunately for me, my last day here is 12/31/2012, but at that time I can give all the details.

Jeff

Cisco Employee

Aruba Wireless Controller and ISE

Ultimately, ISE sends CoAs to port 1700 (Cisco's original port). When CoA became an RFC, the port moved to 3799 - but ISE is still using 1700, because that's what the Cisco NADs default to. Aruba would be following port 3799, and expecting it there.

With that said, there is also the matter of CoA message types to discuss. The RFC only dictates one message (Message of Disconnect), aka terminate. To make the user experience better, and for the support of multiple stages of a single network (the Session Aware Networking enhancement to dot1x that Cisco created), Cisco developed new CoA messages, such as "Re-Auth" (important one), "Port-Bounce" and others...

Aruba will most likely interpret any CoA message from Cisco as a DM (disconnect message) and force a new session for the wireless device, which may or may not work out. If you state you got it all working, that's terrific. That means the Aruba probably had a setting to change the port to 1700 so it could get the messages from ISE.

Is the DM message non-disruptive to the end user?

Aaron

New Member

Aruba Wireless Controller and ISE

I have a mix of Cisco and Aruba gear, so I have been testing Aruba CPPM and Cisco ISE for interoperability with both. I can confirm that the Aruba ClearPass Policy Manager RADIUS CoA port is customizable and that ISE supports both ports 1700 and 3799, according to the document Cisco TrustSec How-To Guide: ISE Deployment Guides and Guidelines. So, if the NADs and/or the RADIUS servers support both ports, we're good. This is a lot like 1812, 1813 and 1645, 1646 with RADIUS auth and accounting. The following is a very helpful document, by the way.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf 
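
As an added example (not part of any post in this thread, and not Cisco or Aruba code), the following Python code inspects one captured dynamic-authorization packet for the two issues raised in the posts above: it reports whether the destination port matches the port the NAD listens on, whether the message is a Disconnect-Request or a CoA-Request, whether the RFC 5176 Request Authenticator verifies against the shared secret, and which Cisco AV-pairs it carries. The shared secret, the sample packet and the `subscriber:command=reauthenticate` AV-pair value are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 43: "CoA-Request"}  # RFC 5176 request codes
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

def build_request(code, ident, secret, avpairs):
    """Build a constructed CoA/Disconnect request carrying Cisco AV-pairs."""
    attrs = b""
    for pair in avpairs:
        val = pair.encode()
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(val) + 2) + val
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, len(vsa) + 2) + vsa
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Request Authenticator: MD5(code+id+length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def inspect(packet, dst_port, nad_listen_port, secret):
    """Report what a NAD would see for one captured dynamic-authorization packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    avpairs, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                avpairs.append(body[6:4 + vlen].decode(errors="replace"))
        i += alen
    return {
        "type": CODES.get(code, f"code {code}"),
        "port_match": dst_port == nad_listen_port,  # e.g. sent to 1700, NAD on 3799
        "authenticator_ok": hmac.compare_digest(expected, packet[4:20]),
        "cisco_avpairs": avpairs,
    }

SECRET = b"constructed-secret"  # constructed sample values, not from the thread
SAMPLE = build_request(43, 7, SECRET, ["subscriber:command=reauthenticate"])
```

A packet that never reaches the NAD's listening port produces no ACK or NAK at all, while a wrong shared secret shows up here as `authenticator_ok` being false; the two failures look the same from the sender's side but have different fixes.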

New Member

Hi jjonessec1969,

Any change on this? Can you now disclose the steps to make ISE and Aruba work together? :)

Thank you in advance.

Best Regards,

molnar.erik

New Member

Aruba Wireless Controller and ISE

Interesting that CoA is working with Aruba, we were under the impression it was not. Any challenges you want to share with us in getting that integration in place?

New Member

Aruba Wireless Controller and ISE

It doesn't have to be inline to get Aruba to work. Aruba's issue is they currently have a bug in CoA, so sometimes you will see CoA failures. Working with Aruba technical support on it now.

Cisco Employee

Aruba Wireless Controller and ISE

I was working on an Aruba and ISE deployment. The endpoint needed to be postured, but it never worked properly.

We saw that the endpoint was authenticated against ISE and the RADIUS accept packet was received in the Aruba controller. However, the iPEP session was never triggered and the endpoint never got access to the redirection link. Is there an example of Aruba and iPEP you can share?

Cisco Employee

Aruba Wireless Controller and ISE

This might help you out.

"Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices. In addition, certain other advanced functions like central web authentication (CWA), Change of Authorization (CoA), Security Group Access, and downloadable ACLs, are only supported on Cisco devices."

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html

New Member

We only support LWA guest on the Aruba Controller with ISE. The captive portal is hosted on the Aruba controller.

Additionally the AUP on the controller is just a link to the AUP page and there is no check box to select. By logging in you agree to the AUP implicitly. You can read the text of the AUP by clicking the link.

See the following VoD on how we can get preactivated guests to work on an Aruba controller.

http://ecm-link.cisco.com/ecm/view/objectId/090dcae184b05aef/versionLabel/CURRENT

Also the ISE-Aruba integration guide is here: http://ecm-link.cisco.com/ecm/view/objectId/090dcae184a2f348/versionLabel/CURRENT

New Member

Links seem to be broken. Could you verify please?
