Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1017
Views
0
Helpful
7
Replies

Aruba wireless integrated with ISE disconnect's endpoint randomly

ShalomETH
Level 1
Level 1

‎04-11-2024 04:05 AM

We have implemented a wireless network integrated with remote RADIUS authentication using Cisco ISE. To gain network access, a user's device posture needs to be compliant and the user must exist in the Active Directory identity store. However, after successful authentication and posturing, the network connection is disconnecting unexpectedly. We'd appreciate it if anyone has experience with this issue.48m7sltl.png

0 Helpful
7 Replies 7

ahollifield
VIP
VIP

‎04-11-2024 04:27 AM

How do you have CoA configured?  What is the auth method?  What exactly is the Aruba NAD?  IAP?  Central?  Mobility Controller?  Are you performing redirection-based posture?  

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

0 Helpful

ShalomETH
Level 1
Level 1
In response to ahollifield

‎04-11-2024 05:19 AM

Thank you for quick response

  • we have configured "Reauth" CoA type and used the default ArubaWireless network device profile
  • used PEAP auth method
  • yes we are using redirection based posture.
  • Aruba instance 515 AP
  • Aruba Instatnt Access Pointimgpsh_fullsize_anim (1).jpg
0 Helpful

ahollifield
VIP
VIP
In response to ShalomETH

‎04-11-2024 05:27 AM - edited ‎04-11-2024 05:28 AM

What port is CoA set to?  I would highly suggest not using the built-in Aruba Wireless NAD profile and use this one: https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-ise-captive-portals-with-aruba-wireless/ta-p/4633904

Why is PEAP being used?  Why not EAP-TLS or TEAP?  With certificates?

How are you handling the redirect page on Aruba?  Static?  Again reference the link I posted above for a dynamic way to handle this instead.

Since you are using Instant AP mode is the cluster healthy?  Do you have RADIUS proxy enabled?  Or is each AP defined as a NAD within ISE?  Any reason not to use Aruba Central management instead?

 

 

0 Helpful

ShalomETH
Level 1
Level 1
In response to ahollifield

‎04-12-2024 12:47 AM

  • Now the authentication method is changed to TEAP with username and password.
  • The redirection was manually configured on Aruba AP because the default Arubawireless profile doesn't support dynamic redirection. We've now switched to dynamic redirection using the new profile you provided. but the Instant APs are not receiving the redirection link.
  • The cluster is healthy, Radius Proxy is disabled, and we have defined each AP as a NAD in ISE.

 

0 Helpful

ahollifield
VIP
VIP
In response to ShalomETH

‎04-12-2024 05:18 AM

"not receiving the redirection link"?  What do you mean?  How have you confirmed this?  What do the ISE live logs look like?  Did you follow the other steps as needed in the link I posted?

0 Helpful

ShalomETH
Level 1
Level 1
In response to ahollifield

‎04-15-2024 12:38 AM

  • When an endpoint connects for the first time, it is redirected to the client provisioning portal to download the Cisco AnyConnect agent during default aubawireless profile usage. But, when we use the network device profile you provided, the endpoint isn't being redirected to the client provisioning portal.
  • Yes, we have followed the steps you provided.
  • The live log shows that posturing is on pending state.
0 Helpful

ahollifield
VIP
VIP
In response to ShalomETH

‎04-15-2024 05:17 AM

Did you update the authorization rule accordingly to use the autogenerated PSN URL instead of whatever Static URL you had it set to?  

0 Helpful
Customers Also Viewed These Support Documents
Top