08-27-2018 02:00 PM
I am trying to get Aruba VLAN pooling to work the way that Cisco WLC interface groups do. I have the Authentication policy set to All_AD_join_points. That is fine, working correctly. However, when I created 2 different Authorization policies they are always passed to the default. The parameters that I have set for each Authorization policy are my company_ad:External Groups=ad string, network device name contains aruba wireless controller, EapAuthentication=EAP-MSCHAPv2, radius flow type=Wireless 802.1x. For the Authorization profiles I used Advanced Attribute Settings, Aruba:Aruba-Named-User-VLAN=VLAN pool from the Aruba Wireless controller. None of these seem to work and they go straight to the default Authorization profile. I used all the same parameters for the Cisco WLC except for the Advanced Attribute Settings that I set for Airespace:Airespace-Interface-Name=interface group. Does anyone see what I am doing wrong? I am stumped and there is not much documentation for this specific of a use case, at least that I have found. Any help/advice would be greatly appreciated.
08-27-2018 05:31 PM
You'd need to analyse the "Step" output of the Authorization logic in the Aruba call flow. It gives you a hint about which conditions it tested that led it to the final result/conclusion.
One thing you should also consider is that, if you have an Aruba NAD, and you tag it as type Aruba (Device Profile = Aruba), then, your Authorization Result MUST also be of type Aruba, or Generic (i.e. vendor neutral). You cannot return a Cisco result to an Aruba device (the config allows it, but it won't actually work). If it's Vendor neutral then ISE performs its clever magic and tries to return the vendor appropriate attributes as per the device profile.
You might want to share your Authorization Policy Set screen capture?
08-27-2018 10:55 PM