topic Re: Aruba wireless integrated with ISE disconnect's endpoint randomly in Network Access Control

Aruba wireless integrated with ISE disconnect's endpoint randomly

ShalomETH — Thu, 11 Apr 2024 11:05:46 GMT

We have implemented a wireless network integrated with remote RADIUS authentication using Cisco ISE. To gain network access, a user's device posture needs to be compliant and the user must exist in the Active Directory identity store. However, after successful authentication and posturing, the network connection is disconnecting unexpectedly. We'd appreciate it if anyone has experience with this issue.

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ahollifield — Thu, 11 Apr 2024 11:27:15 GMT

How do you have CoA configured? What is the auth method? What exactly is the Aruba NAD? IAP? Central? Mobility Controller? Are you performing redirection-based posture?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ShalomETH — Thu, 11 Apr 2024 12:19:46 GMT

Thank you for quick response

we have configured "Reauth" CoA type and used the default ArubaWireless network device profile
used PEAP auth method
yes we are using redirection based posture.
Aruba instance 515 AP
Aruba Instatnt Access Point

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ahollifield — Thu, 11 Apr 2024 12:28:10 GMT

What port is CoA set to? I would highly suggest not using the built-in Aruba Wireless NAD profile and use this one: https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-ise-captive-portals-with-aruba-wireless/ta-p/4633904

Why is PEAP being used? Why not EAP-TLS or TEAP? With certificates?

How are you handling the redirect page on Aruba? Static? Again reference the link I posted above for a dynamic way to handle this instead.

Since you are using Instant AP mode is the cluster healthy? Do you have RADIUS proxy enabled? Or is each AP defined as a NAD within ISE? Any reason not to use Aruba Central management instead?

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ShalomETH — Fri, 12 Apr 2024 07:47:52 GMT

Now the authentication method is changed to TEAP with username and password.
The redirection was manually configured on Aruba AP because the default Arubawireless profile doesn't support dynamic redirection. We've now switched to dynamic redirection using the new profile you provided. but the Instant APs are not receiving the redirection link.
The cluster is healthy, Radius Proxy is disabled, and we have defined each AP as a NAD in ISE.

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ahollifield — Fri, 12 Apr 2024 12:18:20 GMT

"not receiving the redirection link"? What do you mean? How have you confirmed this? What do the ISE live logs look like? Did you follow the other steps as needed in the link I posted?

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ShalomETH — Mon, 15 Apr 2024 07:38:41 GMT

When an endpoint connects for the first time, it is redirected to the client provisioning portal to download the Cisco AnyConnect agent during default aubawireless profile usage. But, when we use the network device profile you provided, the endpoint isn't being redirected to the client provisioning portal.
Yes, we have followed the steps you provided.
The live log shows that posturing is on pending state.

Re: Aruba wireless integrated with ISE disconnect's endpoint randomly

ahollifield — Mon, 15 Apr 2024 12:17:55 GMT

Did you update the authorization rule accordingly to use the autogenerated PSN URL instead of whatever Static URL you had it set to?