
CoA Port Bounce with Cisco ISE and Aruba 2530

joerg
Beginner

Hi,

I am actually trying to implement profiling with the Cisco ISE (2.7 patch2) and Aruba 2530 (SW 16.10.011).
After profiling the devices, the ISE sends a CoA Port Bounce to the switch.
But I am still getting a "Missing attribute" back from the switch.

On the switch, I have configured the following for CoA:
radius-server host <IP-address> key <Some Pass>
radius-server host <IP-address> dyn-authorization
radius-server host <IP-address> time-window 0

The CoA-NAKs increase with every attempt.

On the ISE, I have configured the following for the device profile:

ISE device profile.png

From a packet dump, I can see that only a few attributes are sent to the switch via CoA:

COA Dump_LI.jpg

Any idea what's missing here?

Regards
Joerg

 

 

1 ACCEPTED SOLUTION

Damien Miller
VIP Advisor

Here's what I recently used for Aruba CoA, it tested out fine. We changed to UDP 1700 on the Aruba config to match the Cisco equipment in the environment and existing load balancer config. To be fair, this is being used on wireless/wired with 303 model RAPs. I don't have a proper hp/aruba switch. 
aruba.JPG

7 REPLIES

Mohammed al Baqari
VIP Advisor
Seems there is a glitch cuz CoA should include NAS-Port-ID for the port to
be bounced. I don't see it in the snapshot. I know this is the case for Cisco
switches. We might be having an interop issue here. Look for the initial RADIUS
access request and see if it includes the port ID.

***** please remember to rate useful posts

Hi Mohammed,

 

I will try and let you know about the results.

Thanks

 

Regards

Joerg

Hi Mohammed,

 

I have added the NAS-Port-ID, but still the same.

The NAS-Port-ID is included in the initial Radius access request, but missing in the CoA of the ISE.

 

Regards

Joerg

Hi,

Did you follow the configs suggested by @Damien Miller? Try it as it could
work. If NAS-Port-ID is not sent, the switch won't know which port to
bounce, unless the session ID is included in CoA.

In any case, you need to tweak it to overcome this interop issue. I am sorry
but no experience with Aruba integration.
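
Added example, not part of the thread and not code from Cisco or Aruba: a small Python parser for checking a captured CoA-Request for the session-identifying attributes discussed above and for decoding the Error-Cause carried in a CoA-NAK. The codes and attribute numbers come from the RADIUS RFCs; `SESSION_KEYS`, `review`, `build` and the two sample packets are assumptions constructed for illustration.

```python
import struct
# Codes and attribute types from RFC 2865, 2866, 2869 and 5176.
CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
         31: "Calling-Station-Id", 44: "Acct-Session-Id", 55: "Event-Timestamp",
         80: "Message-Authenticator", 87: "NAS-Port-Id", 101: "Error-Cause"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               503: "Session Context Not Found"}
# Assumption: a subset of RFC 5176 session identifiers; what a given switch requires is not on this page.
SESSION_KEYS = ("NAS-Port-Id", "Acct-Session-Id", "Calling-Station-Id")

def parse_radius(packet: bytes):
    """Return (code name, identifier, [(attribute name, raw value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((ATTRS.get(atype, f"Attr-{atype}"), packet[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, f"Code-{code}"), ident, attrs

def review(packet: bytes) -> dict:
    """Report the attributes present, the session keys found, and any Error-Cause."""
    name, ident, attrs = parse_radius(packet)
    present = [a for a, _ in attrs]
    report = {"code": name, "id": ident, "attributes": present}
    if name == "CoA-Request":
        report["session_keys"] = [k for k in SESSION_KEYS if k in present]
    for a, v in attrs:
        if a == "Error-Cause" and len(v) == 4:
            cause = struct.unpack("!I", v)[0]
            report["error_cause"] = ERROR_CAUSE.get(cause, str(cause))
    return report

def build(code: int, ident: int, attrs) -> bytes:
    """Build a constructed sample packet (zeroed authenticator, not a valid signature)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples, not the poster's capture.
SAMPLE_REQUEST = build(43, 7, [(4, bytes([192, 0, 2, 10])), (55, struct.pack("!I", 1600000000)), (80, bytes(16))])
SAMPLE_NAK = build(45, 7, [(101, struct.pack("!I", 402))])
```

Pass `review()` the UDP payload bytes exported from the packet capture; an empty `session_keys` list on the request together with `Missing Attribute` on the NAK matches the symptom described in this thread.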

Hi Damien,

 

unfortunately, this did not work for me with the HPE switches.

I will do some further investigations.

Thanks.

 

Regards

Joerg

joerg
Beginner
Beginner

Hi everybody,

 

finally I got the following configuration from TAC, which worked for my case.

coa_aruba2.PNG
