Cisco ISE stealthwatch integration - ANC not working with aruba

vivarock12 (Level 1)

Hello,

So I have the following problem. I have a Stealthwatch and ISE integration at the moment and it is working: I can see the 802.1X users on ISE and Stealthwatch with the IP and MAC address, so in that way everything is working as expected. But when I do the changeover on the Stealthwatch to the ANC policy that a specific user should use, I get a problem on Cisco ISE and the Aruba switch.

[screenshot: vivarock12_0-1682531543024.png]

As you can see in the picture above, the error I get is when I make the change on the Stealthwatch and it is then sent to the Aruba switch, but the Aruba is not responding correctly to the request. (After that I do a manual CoA and it is working as expected.)

After double checking I see that the RADIUS VSA that is being sent is Cisco-AV-Pair, as you can see below:

[screenshot: vivarock12_1-1682531694796.png]

So the question: is there a way to change that parameter from Cisco-AV-Pair to just a normal CoA port-bounce or shutdown instead?

Because that is the only thing not working on the implementation; DACL and manually changing the ANC policy and then doing a manual port-bounce is working.

Does anyone have any idea on how to do this?

Thanks for the help.

8 Replies

Just for you to know, today I will be trying with terminate to see, because it looks like the CoA Terminate does not use Cisco-AV-Pair and is the standard parameter. If it works I'll show the complete guide on how to make this work.

And thanks for the help, by the way.

Are you using a custom Aruba Network Device Profile? Or are you using the Cisco one for this NAD? Is this an AOS-S or AOS-CX switch?

A custom one with specific parameters for CoA directions.

The switch must not like what you are returning for the CoA attributes. What exact parameters are you returning? AOS-S or AOS-CX?

You need to get really specific with the details in your responses if you would like us to make suggestions.

We need configurations, error messages, and what your exact CoA parameters are.

Please explain why your "custom one" was necessary and why the default one for Aruba was unacceptable or did not work.

See How to Ask The Community for Help 

OK, I followed the Aruba manual that defines the parameters for a CoA Re-authenticate or CoA port bounce:

DACLs AND VLAN ASSIGNMENT

[screenshots: vivarock12_0-1683554209793.png, vivarock12_1-1683554224899.png]

This configuration was suggested on the Aruba community (link below):
https://community.arubanetworks.com/discussion/coa-port-bounce-with-cisco-ise-and-aruba-2530#bm2e01654f-d7c4-4709-ac4d-d7099b805112

For RADIUS CoA terminate:

https://community.arubanetworks.com/discussion/coa-terminate-session#bm9f53ab89-d904-4e0e-9306-018695ecfd1e

And the link before is for the parameter of RADIUS CoA terminate.

[screenshot: vivarock12_4-1683554810623.png]

THE PROBLEM:

But the problem lies in the following: when I apply a change on the Stealthwatch, Cisco ISE always sends the Cisco-AV-Pair VSA to the switch, and Aruba is not able to get the information from that VSA.

As suggested by @Nancy Saini, I should be using a terminate because that is a standard parameter that is being sent:

[screenshot: vivarock12_2-1683554404318.png]

This is a capture from the link that @Nancy Saini shared before, but the problem is that ANC does not give that parameter at all to be chosen as the action taken when the change is sent from Stealthwatch.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01100.html (ADAPTIVE NETWORK CONTROL MANUAL)

[screenshot: vivarock12_3-1683554547013.png]

As you can see in here, those are the 3 options and those use a Cisco-only VSA.

So is there a way to define that when you do this change it should use the parameters defined in the device-profile-specific configuration, or not? Because everything else works (DACL, and manual port-bounce and termination done from Cisco ISE directly to the switch), so the integration is working, but let's say with an extra step.

Here is how it should work:

https://www.youtube.com/watch?v=BAN3CaYsunw&t=141s

But instead you need to go to the ENDPOINTS DASHBOARD and do the CoA manually.

I expect your comments, thanks for the help.
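The mismatch the poster describes (a CoA-Request whose action lives in a Cisco-AVPair VSA, versus a standard Disconnect-Request that any RFC 5176 NAD understands) can be confirmed from a packet capture with a small decoder. This is an added example, not code from the thread, Cisco or Aruba: the packets are constructed locally rather than captured, and the MAC and the `subscriber:command=bounce-host-port` string are sample values.

```python
import struct
# RADIUS codes and attribute numbers used by Change of Authorization (RFC 5176)
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
ATTR_VSA, ATTR_CALLING_STATION_ID = 26, 31
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1  # enterprise number 9; vendor-type 1 = Cisco-AVPair

def parse_radius(pkt):
    """Return (code, [(type, value), ...]) from a raw RADIUS datagram."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def cisco_av_pairs(attrs):
    """Extract Cisco-AVPair strings carried in Vendor-Specific (26) attributes."""
    pairs = []
    for atype, val in attrs:
        if atype != ATTR_VSA or len(val) < 6 or struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = val[4], val[5]  # vendor-type, vendor-length (includes these 2 bytes)
        if vtype == CISCO_AV_PAIR and 2 <= vlen <= len(val) - 4:
            pairs.append(val[6:4 + vlen].decode("ascii", "replace"))
    return pairs

def classify_coa(pkt):
    """Tell a standard Disconnect-Request from a CoA-Request that depends on Cisco VSAs."""
    code, attrs = parse_radius(pkt)
    if code == DISCONNECT_REQUEST:
        return "standard-disconnect"
    if code == COA_REQUEST:
        pairs = cisco_av_pairs(attrs)
        return "cisco-vsa:" + ",".join(pairs) if pairs else "coa-standard-attrs-only"
    return "not-coa"
def build(code, attrs):
    """Constructed sample datagram (identifier 1, zeroed authenticator), not a capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
def cisco_vsa(text):
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(text) + 2) + text.encode()
MAC = b"00-11-22-33-44-55"  # constructed endpoint MAC for Calling-Station-Id
ANC_BOUNCE = build(COA_REQUEST, [(ATTR_CALLING_STATION_ID, MAC), (ATTR_VSA, cisco_vsa("subscriber:command=bounce-host-port"))])
STD_TERMINATE = build(DISCONNECT_REQUEST, [(ATTR_CALLING_STATION_ID, MAC)])
```

Feeding the UDP payload of a captured ISE-to-switch CoA into `classify_coa` shows whether the switch received a Cisco-VSA action it must understand or a plain Disconnect-Request it will honour.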
