
Aruba VLAN pools

I am trying to get Aruba VLAN pooling to work the way that Cisco WLC interface groups do. I have the Authentication policy set to All_AD_join_points. That is fine, working correctly. However, when I created 2 different Authorization policies, they are always passed to the default. The parameters that I have set for each Authorization policy are my company_ad:External Groups=ad string, network device name contains aruba wireless controller, EapAuthentication=EAP-MSCHAPv2, radius flow type=Wireless 802.1x. For the Authorization profiles I used Advanced Attribute Settings, Aruba:Aruba-Named-User-VLAN=VLAN pool from the Aruba Wireless controller. None of these seem to work and they go straight to the default Authorization profile. I used all the same parameters for the Cisco WLC except for the Advanced Attribute Settings that I set for Airespace:Airespace-Interface-Name=interface group. Does anyone see what I am doing wrong? I am stumped and there is not much documentation for this specific of a use case, at least that I have found. Any help/advice would be greatly appreciated.

2 Accepted Solutions

Arne Bier
VIP

You'd need to analyse the "Step" output of the Authorization logic in the Aruba call flow. It gives you a hint about which conditions it tested that led it to the final result/conclusion.

One thing you should also consider is that, if you have an Aruba NAD, and you tag it as type Aruba (Device Profile = Aruba), then your Authorization Result MUST also be of type Aruba, or Generic (i.e. vendor neutral). You cannot return a Cisco result to an Aruba device (the config allows it, but it won't actually work). If it's vendor neutral then ISE performs its clever magic and tries to return the vendor-appropriate attributes as per the device profile.

You might want to share your Authorization Policy Set screen capture?


RichardAtkin
Level 3
So you’ve written some Authorization policies for the Aruba Controller, but they aren’t getting hit and ISE is just sending your Default Authz Policy instead?

If yes, you need to look at the Conditions associated with your Aruba Authz Rule in ISE because something isn’t matching. Try simplifying them as much as you can - the simplest approach is usually to make it look for an SSID and nothing else (RADIUS Called Station ID ends with YourSSIDname).

Alternatively, compare the attributes you are checking for in your Aruba Authz Condition against the attributes shown in ISE’s log for when the User ‘successfully’ hits the Default Rule and play spot the difference between your Aruba Authz Condition and the info ISE has about the Auth attempt, then edit your Condition appropriately.
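
The "spot the difference" comparison described in the answers above, written out as an added example (not part of the thread and not ISE's own matching logic). It treats a rule as AND-ed conditions and lists every one that the logged attributes fail; all attribute names and values are constructed for illustration.

```python
# Added example: attribute names and values below are constructed, not taken
# from a real ISE log. Conditions in one rule are AND-ed, so one miss skips it.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "ends_with": lambda actual, expected: actual.endswith(expected),
}

def failed_conditions(conditions, logged):
    """Return one (attribute, operator, expected, actual, hint) per miss."""
    failures = []
    for attr, op, expected in conditions:
        actual = logged.get(attr)
        if actual is None:
            failures.append((attr, op, expected, None, "attribute not in log"))
            continue
        values = [actual] if isinstance(actual, str) else list(actual)
        test = OPERATORS[op]
        if any(test(v, expected) for v in values):
            continue
        # Hint only: says the strings differ by case, nothing about ISE itself.
        folded = any(test(v.lower(), expected.lower()) for v in values)
        hint = "differs only by letter case" if folded else "no value matches"
        failures.append((attr, op, expected, actual, hint))
    return failures

# Constructed rule, shaped like the conditions described in the question.
RULE = [
    ("External Groups", "equals", "example.local/Groups/Wireless-Staff"),
    ("Network Device Name", "contains", "aruba"),
    ("EapAuthentication", "equals", "EAP-MSCHAPv2"),
    ("Radius Flow Type", "equals", "Wireless802_1x"),
    ("Called-Station-ID", "ends_with", ":CorpSSID"),
]

# Constructed attributes, as if copied from the log of a Default-rule hit.
LOGGED = {
    "External Groups": ["example.local/Users/Domain Users"],
    "Network Device Name": "ARUBA-MC-01",
    "EapAuthentication": "EAP-MSCHAPv2",
    "Called-Station-ID": "02-00-00-AA-BB-CC:CorpSSID",
}

if __name__ == "__main__":
    for attr, op, expected, actual, hint in failed_conditions(RULE, LOGGED):
        print(f"{attr}: wanted {op} {expected!r}, log has {actual!r} ({hint})")
```

Copy the real attribute names and values from the authentication detail of a session that fell through to the Default rule, then remove or correct the listed conditions one at a time.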
