
CoA Port Bounce with Cisco ISE and Aruba 2530

joerg
Level 1

Hi,

I am actually trying to implement profiling with the Cisco ISE (2.7 patch2) and Aruba 2530 (SW 16.10.011).
After profiling the devices, the ISE sends a CoA Port Bounce to the switch.
But I am still getting a "Missing attribute" back from the switch.

On the switch, I have configured the following for CoA:
radius-server host <IP-address> key <Some Pass>
radius-server host <IP-address> dyn-authorization
radius-server host <IP-address> time-window 0

The CoA-NAKs increase with every attempt.

On the ISE, I have configured the following for the device profile:

ISE device profile.png

From a packet dump, I can see that only a few attributes are sent to the switch via CoA:

COA Dump_LI.jpg

Any idea what's missing here?

Regards
Joerg

Accepted Solutions

Damien Miller
VIP Alumni

Here's what I recently used for Aruba CoA, it tested out fine. We changed to UDP 1700 on the Aruba config to match the Cisco equipment in the environment and existing load balancer config. To be fair, this is being used on wireless/wired with 303 model RAPs. I don't have a proper hp/aruba switch. 
aruba.JPG


Seems there is a glitch cuz CoA should include NAS-Port-ID for the port to
be bounced. I don't see it in the snapshot. I know this is the case for Cisco
switches. We might be having an interop issue here. Look for the initial RADIUS
access request and see if it includes port id.

***** please remember to rate useful posts

Hi Mohammed,

I will try and let you know about the results.

Thanks

Regards

Joerg

Hi Mohammed,

I have added the NAS-Port-ID, but still the same.

The NAS-Port-ID is included in the initial Radius access request, but missing in the CoA of the ISE.

Regards

Joerg

Hi,

Did you follow the configs suggested by @Damien Miller? Try it as it could
work. If NAS-Port-ID is not sent, the switch won't know which port to
bounce, unless the session ID is included in CoA.

Anyway, you need to tweak it to overcome this interop issue. I am sorry
but no experience with Aruba integration.
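
An added example, not part of any post in this thread: a Python sketch of the check suggested above, comparing the attributes of the initial Access-Request with those of the CoA-Request and decoding the Error-Cause of the CoA-NAK. Code and attribute numbers come from RFC 2865 and RFC 5176; the function names, the `wanted` set and the sample packets are constructed for illustration, and which attributes a particular switch insists on is an assumption the operator supplies.

```python
import struct

# Codes and attribute numbers from RFC 2865 and RFC 5176.
COA_REQUEST, COA_NAK = 43, 45
ATTR = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 31: "Calling-Station-Id",
        44: "Acct-Session-Id", 87: "NAS-Port-Id", 101: "Error-Cause"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 503: "Session Context Not Found"}

def parse_radius(packet: bytes):
    """Return (code, {attribute name: raw value}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        attrs[ATTR.get(packet[pos], f"type-{packet[pos]}")] = packet[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

def missing_from_coa(access_request: bytes, coa_request: bytes, wanted):
    """Names in `wanted` that the Access-Request carried but the CoA-Request lacks."""
    _, seen = parse_radius(access_request)
    code, sent = parse_radius(coa_request)
    if code != COA_REQUEST:
        raise ValueError("second packet is not a CoA-Request")
    return sorted(n for n in wanted if n in seen and n not in sent)

def nak_reason(coa_nak: bytes):
    """Decode Error-Cause from a CoA-NAK; None if it is not a NAK or has none."""
    code, attrs = parse_radius(coa_nak)
    raw = attrs.get("Error-Cause")
    if code != COA_NAK or raw is None or len(raw) != 4:
        return None
    value = struct.unpack("!I", raw)[0]
    return ERROR_CAUSE.get(value, f"Error-Cause {value}")

def build(code, attrs):  # helper for the constructed samples; authenticator left as zeros
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample packets, not taken from the thread's capture.
NAS, MAC = bytes([192, 0, 2, 10]), b"AA-BB-CC-00-11-22"
ACCESS_REQ = build(1, [(1, b"host1"), (4, NAS), (31, MAC), (87, b"5")])
COA_REQ = build(COA_REQUEST, [(4, NAS), (31, MAC)])
NAK = build(COA_NAK, [(101, struct.pack("!I", 402))])
```

To use it on real traffic, pass the UDP payloads of the three packets from a capture in place of the constructed samples.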

Hi Damien,

Unfortunately, this did not work for me with the HPE switches.

I will do some further investigations.

Thanks.

Regards

Joerg

Hi @Damien Miller,

I am in a similar situation, where my Aruba controllers are in DMZ space with Wired Guest Traffic. It has port 3799 for CoA. I want to do CoA Port bounce. I have also enabled "CoA Termination" in the Guest HotSpot Portal.

Will your network device profile setting still work in my case?


I would use the Network Device Profile linked in this article here:  How To: Cisco ISE Captive Portals with Aruba Wireless - Cisco Community

Hi @ahollifield, the article is wonderfully made and brilliant. We are using a similar approach with the Aruba-captive-portal-url VSA. All working good with the Aruba Wireless Controllers. The problem we have is with the Aruba Wired Controllers. So we are looking to do CoA PortBounce in the new custom device profile, since Cisco has not provided an Aruba Wired Controller network device profile. It has one for HP and Alcatel Wired.

Regards,
Sudarshan

Ahh got it.  Wired controller like you are doing UBT to a mobility controller?  Is there a wired switch involved here?

joerg
Level 1

Hi everybody,

Finally I got the following configuration from TAC, which worked for my case.

coa_aruba2.PNG
