Aruba Wireless Controller and ISE

Jeffrey Jones
Level 5

Ok, so we have the basic part working, but CoA is failing to respond to the request from the ISE server. Any ideas anyone?

Jeff

22 Replies

Tarik Admani
VIP Alumni

Jeffrey,

I am sure that Aruba doesn't support CoA, can you confirm? You will have to deploy an inline posture node in order to handle the traffic policies after the user is authenticated from the Aruba controller.

Thanks,

Tarik Admani

Actually Aruba does

just found this

http://community.arubanetworks.com/t5/Controller-Based-WLANs/Does-Aruba-Controller-support-switching-vlan-using-COA/ta-p/194579

Jeffrey Jones
Level 5

Still would like to get this resolved, Radius authentication works great, but CoA never comes through, although the NAC Client says compliant.

Jeff,

You have to deploy another node (inline policy node) for devices that do not support CoA. The IPEP is a combination of a RADIUS proxy and a firewall. Traffic is dynamically changed through APIs that simulate CoA so that users can get temporary access or become quarantined till they meet requirements.

This is a current requirement when deploying ISE with VPNs even with the Cisco ASA.

Thanks,

Tarik Admani
*Please rate helpful posts*

You completely ignored my comments. I said Aruba does support CoA. I believe I figured it out on my own, and I did not have to do any Inline Policy nodes.

Jeff

Jeff,

You are correct I missed the comment, congrats on getting this resolved.

Tarik Admani
*Please rate helpful posts*

Jeffrey/all

I'm trying to configure ISE and Aruba Wireless Controller. Any suggestion to configure BYOD? have any documents ?

Regards

I have nothing published yet, but yes, I have it working in some fashion with Aruba. I am still working out a few issues with CoA from the Aruba side; getting the correct NAD and NAD Port into the Aruba controller has been a pain. But I got something to work that both Cisco and Aruba said wouldn't; neither tech support was helpful.

JJ

Hi Jeffrey,

That is great.

Can you please share the steps/config to support CoA on Aruba Controller with Cisco ISE?

Appreciate all the help here.

Cheers

Hi Jeffrey,

I'd appreciate if you could send us some config information to make it work with ISE.

Cheers.

My current employer doesn't want me to disclose how we did it; basically they made a deal with Aruba not to disclose until Aruba comes in with their ISE-like solution. However, unfortunately for me, my last day here is 12/31/2012, but at that time I can give all the details.

Jeff

Ultimately, ISE sends CoAs to port 1700 (Cisco's original port). When CoA became an RFC, the port moved to 3799, but ISE is still using 1700, because that's what the Cisco NADs default to. Aruba would be following port 3799, and expecting it there.

With that said, there is also the matter of CoA message types to discuss. The RFC only dictates one message (Message of Disconnect), aka terminate. To make the user experience better, and for the support of multiple stages of a single network (the Session Aware Networking enhancement to dot1x that Cisco created), Cisco developed new CoA messages, such as "Re-Auth" (the important one), "Port-Bounce" and others.

Aruba will most likely interpret any CoA message from Cisco as a DM (disconnect message) and force a new session for the wireless device, which may work out or may not. If you state you got it all working, that's terrific. That means the Aruba probably had a setting to change the port to 1700 so it could get the messages from ISE.

is the DM Message non-disruptive to the end-user? 

Aaron

I have a mix of Cisco and Aruba gear, so I have been testing Aruba CPPM and Cisco ISE for interoperability with both, and I can confirm that the Aruba ClearPass Policy Manager RADIUS CoA port is customizable and that ISE supports both ports 1700 and 3799, according to the document Cisco TrustSec How-To Guide: ISE Deployment Guides and Guidelines. So, if the NADs and/or the RADIUS servers support both ports, we're good. This is a lot like 1812/1813 and 1645/1646 with RADIUS auth and accounting. The following is a very helpful document, by the way.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
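The two points the last posts make (the 1700 vs 3799 port split, and the RFC 5176 Disconnect-Message versus Cisco's Re-Auth verb carried in Cisco-AVPairs) are easier to reason about with the packets in hand. The following is an added example written for this page; it is not code from Cisco, Aruba, ISE or any of the posters. It builds a Disconnect-Request and an ISE-style CoA-Request, signs both, verifies them the way a receiving NAD should, and sends to whichever port you name. The shared secret, usernames, session id, MAC and the 192.0.2.10 address are constructed sample values; the signing order (Message-Authenticator computed with the Authenticator field zeroed, then the Request Authenticator over the result) follows my reading of RFC 5176 section 2.3 and RFC 3579, and is an assumption to check against your NAD's debug output.

```python
"""Build, verify and send RFC 5176 Disconnect-Request / CoA-Request packets (added example)."""
import hashlib
import hmac
import socket
import struct

# Packet codes (RFC 5176) and the two UDP ports discussed in the thread
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
PORT_RFC5176 = 3799   # the IANA-assigned port; what an RFC-following NAD expects
PORT_CISCO = 1700     # Cisco's original port; ISE and Cisco NADs default to it

# Attribute types used below
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 26, 31
ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 44, 80
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (includes the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor 9 / vendor-type 1 (Cisco-AVPair).
    ISE sends its Cisco-only CoA verbs this way, e.g. subscriber:command=reauthenticate
    or subscriber:command=bounce-host-port; a non-Cisco NAD may ignore or misread them."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + avp(CISCO_AVPAIR, text.encode()))


def build_dynauth(code, ident, secret, attrs):
    """Sign a request. Message-Authenticator (HMAC-MD5, RFC 3579) is computed with the
    Authenticator field and its own value zeroed; then the Request Authenticator is
    MD5(Code+ID+Length+16 zero octets+Attributes+Secret), RFC 5176 section 2.3 (assumed order)."""
    length = HEADER.size + len(attrs) + 18          # 18 = Message-Authenticator attribute
    zero_hdr = HEADER.pack(code, ident, length, b"\x00" * 16)
    placeholder = avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zero_hdr + attrs + placeholder, hashlib.md5).digest()
    body = attrs + avp(MESSAGE_AUTHENTICATOR, mac)
    req_auth = hashlib.md5(zero_hdr + body + secret).digest()
    return HEADER.pack(code, ident, length, req_auth) + body


def parse_attrs(data):
    """Return [(type, value), ...]; raise on a truncated or zero-length attribute."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def verify_dynauth(packet, secret):
    """What a NAD should do on receipt: check both authenticators before acting.
    Refuses packets without a Message-Authenticator (this example's policy, not the RFC's)."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, req_auth = HEADER.unpack_from(packet)
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    attrs = packet[HEADER.size:]
    zero_hdr = HEADER.pack(code, ident, length, b"\x00" * 16)
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return False
    if not hmac.compare_digest(hashlib.md5(zero_hdr + attrs + secret).digest(), req_auth):
        return False
    offset = 0
    for t, v in parsed:
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = attrs[:offset + 2] + b"\x00" * 16 + attrs[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zero_hdr + zeroed, hashlib.md5).digest(), v)
        offset += len(v) + 2
    return False


def disconnect_request(ident, secret, user, session_id, mac):
    """Disconnect-Message: the RFC 5176 verb every compliant NAD understands."""
    attrs = (avp(USER_NAME, user.encode()) + avp(CALLING_STATION_ID, mac.encode())
             + avp(ACCT_SESSION_ID, session_id.encode()))
    return build_dynauth(DISCONNECT_REQUEST, ident, secret, attrs)


def cisco_reauth_request(ident, secret, user, session_id, mac):
    """ISE-style CoA-Request carrying Cisco's Re-Auth verb in Cisco-AVPairs."""
    attrs = (avp(USER_NAME, user.encode()) + avp(CALLING_STATION_ID, mac.encode())
             + avp(ACCT_SESSION_ID, session_id.encode())
             + cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("subscriber:reauthenticate-type=last"))
    return build_dynauth(COA_REQUEST, ident, secret, attrs)


def send_dynauth(packet, nad, port=PORT_RFC5176, timeout=2.0):
    """Send to the NAD and return its ACK/NAK, or None on timeout. Sending to 1700 when the
    NAD listens on 3799 (or the reverse) gives exactly the silent no-answer described above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nad, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # sample value, not a real deployment secret
    pkt = disconnect_request(7, secret, "jdoe", "000A0001", "00-11-22-33-44-55")
    print(verify_dynauth(pkt, secret), [t for t, _ in parse_attrs(pkt[20:])])
    # reply = send_dynauth(pkt, "192.0.2.10", port=PORT_CISCO)   # controller set to 1700
```

To reproduce the symptom in the thread, send the same packet to 192.0.2.10 (a placeholder for your controller) on 3799 and then on 1700: one port answers with code 41/44 (ACK/NAK), the other returns None. Swap the Disconnect-Request for the Re-Auth CoA and watch whether the controller re-runs authentication or simply drops the session, which is the "may work out / may not" case above.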