05-16-2018 08:58 AM
Hi, Folks:
I am working on a test case about ISE integrated with Aruba WLC. Right now, I encounter a problem when security posture is enabled on ISE 2.2 and AnyConnect 4.6. We already passed the CPP redirect, AnyConnect web-deployment, and system scan, and AnyConnect also indicated the client system is compliant. The next step should be that the Aruba WLC accepts the CoA request from ISE and disconnects the client, but it doesn’t happen.
In the ISE live log, we can see one log that said “No response received from Network Access Device after sending a Dynamic Authorization request”, which indicates the NAD doesn't send the ACK back to ISE.
In the Aruba WLC CLI, we found the Aruba controller considered the CoA request from ISE to be bad auth and dropped it entirely.
Does anyone have such experience how to address this issue and make them work?
I already double checked the ISE & Aruba WLC configuration.
05-16-2018 10:51 AM
Hi Chenhui,
Have you consulted ISE 3rd party NAD configuration? ISE Third-Party NAD Profiles and Configs
Is there any way to know why Aruba WLC doesn't like the CoA from ISE? This is a good doc on ISE & Aruba WLC integration, check the troubleshoot section.
Configure Guest Flow with ISE 2.0 and Aruba WLC - Cisco
One more recent discussion on Aruba Community on the same subject.
Solved: Aruba 7010 Integration with Cisco ISE - Airheads Community
- Krish
05-16-2018 05:09 PM
Hi
We have an Aruba 7210 controller and have it integrated with ISE 2.3.
We use the latest publicly available ISE Device Profile "ArubaWireless_ArubaOS_6_4_2_5"
No special trickery on the Aruba configuration. Of course you have to ensure that the Radius shared secret is identical on ISE and Aruba!!!
In the case of Guest authentication I don't have any issues with CoA. It may be a good idea to perform a UDP packet capture on the PSN to see the request going out.
And also on the Aruba controller to see what the request looks like.
Aruba packet capture commands
Below is the CoA request from ISE (10.6.76.20) to Aruba (10.6.223.242)
And the response from Aruba to ISE
05-16-2018 07:22 PM
Hi, Arne:
I think the shared secret is fine, otherwise we couldn't authenticate the client in the first phase. Anyway, I will reset the secret on both sides to make sure they are completely the same.
BTW, I found the calling-station-id in your environment is different from mine. Your data format is 4C:EB:42:A9:F7:09, and the one in my test is without any ":". Which version is your Aruba mobility controller?
05-16-2018 08:10 PM
We use version 6.5.3.2 of the Aruba controller code.
On Cisco the CoA is very simple and the Radius shared secret is used to initiate the authentications as well as listen for CoA. Aruba separates these two concepts more cleanly. It allows separate shared secrets to be created. Ensure they are identical because ISE does not allow this separation of duties!
Below is the section on the CoA shared secret configuration for ISE integration
And here is the Authentication/Accounting shared secret for ISE integration
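An added example, not part of the original posts: a Python check of a captured CoA-Request's Request Authenticator (RFC 5176) against each secret configured on the NAD, which shows why a request can be dropped as bad auth while ordinary authentication still works. The secrets, key labels and sample packet are constructed for illustration; only the Calling-Station-Id format is the one quoted in the thread.

```python
import hashlib
import hmac
import struct

COA_CODES = {40: "Disconnect-Request", 43: "CoA-Request"}  # RFC 5176 codes


def expected_authenticator(packet: bytes, secret: bytes) -> bytes:
    """MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in COA_CODES:
        raise ValueError(f"code {code} is not a dynamic authorization request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the capture")
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()


def secret_matches(packet: bytes, secret: bytes) -> bool:
    """True if a NAD configured with `secret` would accept this request."""
    return hmac.compare_digest(packet[4:20], expected_authenticator(packet, secret))


def matching_secrets(packet: bytes, candidates: dict) -> list:
    """Names of the candidate secrets that validate the captured request."""
    return [name for name, s in candidates.items() if secret_matches(packet, s)]


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Constructed sample: the bytes a CoA sender puts on the wire."""
    header = struct.pack("!BBH", 43, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


# Constructed sample data; secrets and key labels are hypothetical.
STATION = b"4C:EB:42:A9:F7:09"
ATTRS = bytes([31, 2 + len(STATION)]) + STATION  # Calling-Station-Id (type 31)
SAMPLE = build_coa_request(7, ATTRS, b"ise-secret")
NAD_CONFIG = {"auth-server key": b"ise-secret", "rfc3576 key": b"stale-secret"}

if __name__ == "__main__":
    # Only the authentication key validates; the CoA listener key is stale.
    print(matching_secrets(SAMPLE, NAD_CONFIG))
```

To use it on a real capture, pass the raw UDP payload of the CoA-Request as `packet`.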
05-16-2018 11:18 PM
Hi, Arne:
I reset the RFC3576 pre-shared key on the Aruba WLC and it all works now! I never thought the previous support engineer could make such a stupid mistake, and he said the keys were indeed configured correctly. Thank you very much!!