topic Re: Cisco ISE stealthwatch integration - ANC not working with aruba in Network Access Control

Cisco ISE stealthwatch integration - ANC not working with aruba

vivarock12 — Wed, 26 Apr 2023 18:02:25 GMT

Hello,

so i have the following problem i have an Stealthwatch and ISE integration at the moment and is working, i can see the 802.1x users on ise and stealthwatch with the ip and mac address, in that way everything is working as spected but when i do the change over on the stealthwatch to the ANC-Policy that a specific users should use i got a problem on Cisco ISE and ARUBA switch.

as you can see in the picture above the error the i get is when i do the change on the stheatlwatch and then being send to the ARUBA switch but the aruba is not responding correctly to the request.(afeter that i do a manual COa and is working as spected)

After double checking i see that the Radius VSA that is being send is CISCO AV PAIR, as you can see below:

so the question: is ther a way to change that parameter from CISCO AV PAIR to just a normal COA port-bounce or shutdown instead?

because that the only thing not working on the implementation, DACL and manualy changing the ANC-Policy and then doing a manual port-bounce is working.

does anyone has any idea on how to do this?

thanks for the help.

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

Nancy Saini — Wed, 26 Apr 2023 18:16:49 GMT

Check this community link for CoA port bounce : https://community.cisco.com/t5/network-access-control/coa-port-bounce-vs-coa-session-termination-with-port-bounce/td-p/4044275

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

vivarock12 — Wed, 03 May 2023 14:05:39 GMT

just for you to know today i will be trying with terminate to see because it looks like the COA TERMINATE does not use Cisco-AV-PAIR and is the standar parameter if it works ill show the complete guide on how to make this work.

and thank for the help by the way.

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

ahollifield — Wed, 03 May 2023 15:46:54 GMT

Are you using a custom Aruba Network Device Profile? Or are you using the Cisco one for this NAD? Is this an AOS-S or AOS-CX switch?

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

vivarock12 — Fri, 05 May 2023 19:42:15 GMT

a custum one with specific parameter for COA directions

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

ahollifield — Fri, 05 May 2023 19:45:20 GMT

The switch must not like what you are returning for the CoA attributes. What exact parameters are you returning? AOS-S or AOS-CX?

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

thomas — Sun, 07 May 2023 16:08:15 GMT

You need to get real specific with the details in your responses if you would like us to make suggestions.

We need configurations, error messages, and what your exact COA parameters are.

Please explain why your "custom one" was necessary and why the default one for Aruba was unacceptable or did not work.

See

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

vivarock12 — Mon, 08 May 2023 14:13:50 GMT

ok i follow the Aruba manual that defines the parameters for a COA Re-authenticate or COA port bounce:

DACL’S AND VLAN ASSIGNMENT

this configuration where suggested on aruba comunnity(link bellow):
https://community.arubanetworks.com/discussion/coa-port-bounce-with-cisco-ise-and-aruba-2530#bm2e01654f-d7c4-4709-ac4d-d7099b805112

for RADIUS COA terminate:

https://community.arubanetworks.com/discussion/coa-terminate-session#bm9f53ab89-d904-4e0e-9306-018695ecfd1e

and that the link before is for the parameter of Radius COA terminate.

THE PROBLEM:

but the problem lies on the following when i apply a change on the Stealthwatch, CISCO ISE allways send to the SWITCH the Cisco AV-PAIR VSA and aruba is now able to get the information from that VSA.

as suggested from @Nancy Saini i should be using a terminate because that a standar parameter thant being send:

this is a capture from the link that @Nancy Saini share before, but the problem is that ANC does not give that parameter at all to be chose as the action taken when the change is send from stealthwatch.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01100.html (ADAPTIVE NETWORK CONTROL MANUAL)

as you canse in here those are the 3 options and those use a Cisco only VSA.

so is there a way to define that when you do this change it should use the parameters define on the device profile specific configuration or not because everything else work, DACL and manual Port-bounce, termination from cisco ISE directly done, to the switch so the integratino is working but lets say with a extra step.

here how it should work:

https://www.youtube.com/watch?v=BAN3CaYsunw&t=141s

but insted you need to got to ENDPOINTS DASHBOARD and do the COA manualy.

i spect your comments thanks for the help.

Re: Cisco ISE stealthwatch integration - ANC not working with aruba

vivarock12 — Mon, 26 Jun 2023 19:31:49 GMT