11-01-2019 06:20 AM
I have a small Aruba environment that uses ISE 2.4 for the guest portal. The guest is able to connect to the guest WLAN, authenticate, and ultimately connect to the internet. What's odd is that after logging in, the client drops the wireless connection, then the wireless connection is reestablished and connects them to the internet. When I investigated this behavior, it appears there are multiple hits on the authorization policy.
What's also weird is that I have this INVALID under identity and I'm not sure why that is caused.
My authorization policies look like this:
Redirect
AND Aruba:Aruba-Essid-Name = Guest-WiFi OR Network Access:NetworkDeviceName=WLC1, Network Access:NetworkDeviceName=WLC2 -> Redirect to Portal
Guest-Endpoint-Auth
IDGroup-Name = Endpoint IDGroup:GuestEndpoints -> Guest-Accept
Guest-User-Auth
InternalUser-IDGroup MATCHES User IDGroup:GuestType_Daily -> Guest-Accept
11-02-2019 12:16 AM
If you can reproduce the issue, you can reveal INVALID entry by going to Administration > System > Settings > Protocols > RADIUS and checking 'Disclose Invalid Usernames' (It may be different wording depending on ISE version).
You can also click on details of the CoA (Ones in the live log noted as Dynamic Authorization Succeeded) and look at the CoA reason to find out why CoA was issued which may provide hints.
11-04-2019 05:19 AM
11-04-2019 06:32 AM
The INVALID appears to be for a MAB authentication. So it is more than likely just the MAC address again.
If this is happening on every authentication, I would double check the timers on the Aruba. Ensure the session timer is at least 12 hours.
If this is happening only on the first auth of a device, it's possibly just profiling.
To really see what is going on, you need to dive deeper on the CoAs.