Disconnect CoA is dropped by Aruba in ISE2.2 & Aruba WLC6.4.4 integration

ohnewguy (Level 1)

Hi, Folks:

I am working on a test case about ISE integrated with Aruba WLC. Right now, I encounter a problem when security posture is enabled on ISE 2.2 and AnyConnect 4.6. We already passed the CPP redirect, AnyConnect web-deployment, and system scan, and AnyConnect also indicated the client system is compliant. The next step should be that the Aruba WLC accepts the CoA request from ISE and disconnects the client, but it doesn't happen.

In the ISE live log, we can see one log that said “No response received from Network Access Device after sending a Dynamic Authorization request”, which indicates the NAD doesn't send the ACK back to ISE.

In the Aruba WLC CLI, we found the Aruba controller considered the CoA request from ISE to be bad auth and dropped it altogether.


[Attached image: Pasted_Image_2018_5_16__5_37_PM.jpg]

Does anyone have experience with how to address this issue and make them work?

I already double checked the ISE & Aruba WLC configuration.

  • The NAD definition on ISE is right and its type is Aruba Wireless; the CoA port is 3799
  • Enabled RFC3576 in the Radius server configuration on Aruba WLC and CoA port is 3799


5 Replies

kvenkata1 (Cisco Employee)

Hi Chenhui,

Have you consulted ISE 3rd party NAD configuration? ISE Third-Party NAD Profiles and Configs

Is there any way to know why Aruba WLC doesn't like the CoA from ISE? This is a good doc on ISE & Aruba WLC integration, check the troubleshoot section.

Configure Guest Flow with ISE 2.0 and Aruba WLC - Cisco

One more recent discussion on Aruba Community on the same subject.

Solved: Aruba 7010 Integration with Cisco ISE - Airheads Community

- Krish

Hi

We have an Aruba 7210 controller and have it integrated with ISE 2.3.

We use the latest publicly available ISE Device Profile "ArubaWireless_ArubaOS_6_4_2_5".

No special trickery on the Aruba configuration.  Of course you have to ensure that the Radius shared secret is identical on ISE and Aruba!!!

In the case of Guest authentication I don't have any issues with CoA.   It may be a good idea to perform a UDP packet capture on the PSN to see the request going out.

And also on the Aruba controller to see what the request looks like.

Aruba packet capture commands

  • packet-capture controlpath udp all
  • show packet-capture
  • packet-capture copy-to-flash controlpath-pcap
  • copy flash: controlpath-pcap.tar.gz ftp: 10.0.0.1 ftp_username
  • no packet-capture controlpath udp all

Below is the CoA request from ISE (10.6.76.20) to Aruba (10.6.223.242)

And the response from Aruba to ISE

Hi, Arne:

I think the shared secret is fine; otherwise we couldn't authenticate the client in the first phase. Anyway, I will reset the secret on both sides to make sure they are completely the same.

BTW, I found the Calling-Station-Id in your environment was different from mine. Your data format is 4C:EB:42:A9:F7:09, and the one in my test doesn't have any ":". Which version is your Aruba mobility controller?

[Attached image: TCPDump999_pcap.jpg]

We use version 6.5.3.2 of the Aruba controller code.

On Cisco the CoA is very simple and the Radius shared secret is used to initiate the authentications as well as listen for CoA.  Aruba separates these two concepts more cleanly.  It allows separate shared secrets to be created. Ensure they are identical because ISE does not allow this separation of duties!

Below is the section on the CoA shared secret configuration for ISE integration

And here is the Authentication/Accounting shared secret for ISE integration
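The failure mode described above (a CoA-Request that the NAD treats as bad auth and silently discards, so ISE only sees a timeout) comes down to how RFC 5176 authenticates Dynamic Authorization packets. The Python below is an added example, not code from this thread, ISE or ArubaOS: it implements the RFC 5176 Request Authenticator and Response Authenticator computations, models a hypothetical NAD handler (`nad_handle_coa`) that drops requests whose authenticator does not verify, and uses constructed sample session attributes (the user name, NAS IP, Calling-Station-Id and Acct-Session-Id values are made up, not taken from the captures in the thread).

```python
import hashlib
import hmac
import struct

# RADIUS Dynamic Authorization packet codes (RFC 5176)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# A few attribute types (RFC 2865/2866) used to identify the session to change
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(attrs: bytes) -> dict:
    """Parse a TLV attribute list into {type: value}; malformed lengths raise."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 s2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """What the Dynamic Authorization Client (ISE) sends to the NAD."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(COA_REQUEST, ident, attrs, secret) + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD-side check of the Request Authenticator using its configured CoA secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 s2.3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side (ISE) check that the ACK/NAK came from a NAD holding the same secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    header = struct.pack("!BBH", code, ident, length)
    expected = hashlib.md5(header + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nad_handle_coa(packet: bytes, nad_coa_secret: bytes):
    """Hypothetical NAD: RFC 5176 says a request with a bad authenticator is silently
    discarded, which is exactly the 'no response received' symptom ISE logs."""
    if not verify_request(packet, nad_coa_secret):
        return None  # dropped: the client sees a timeout, not a NAK
    session = parse_attrs(packet[20:])
    if ATTR_CALLING_STATION_ID not in session:
        return build_response(COA_NAK, packet, b"", nad_coa_secret)
    return build_response(COA_ACK, packet, b"", nad_coa_secret)


# Constructed sample session identifiers (not taken from the thread's captures).
SAMPLE_ATTRS = (
    encode_attr(ATTR_USER_NAME, b"alice")
    + encode_attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2]))
    + encode_attr(ATTR_CALLING_STATION_ID, b"4C:EB:42:A9:F7:09")
    + encode_attr(ATTR_ACCT_SESSION_ID, b"ABC123")
)


def simulate(ise_secret: bytes, nad_coa_secret: bytes):
    """One CoA exchange: returns (request, NAD response or None)."""
    req = build_coa_request(0x2A, SAMPLE_ATTRS, ise_secret)
    return req, nad_handle_coa(req, nad_coa_secret)


if __name__ == "__main__":
    req, resp = simulate(b"s3cret", b"s3cret")
    print("matching secrets ->", "CoA-ACK" if resp and resp[0] == COA_ACK else resp)
    req, resp = simulate(b"s3cret", b"different")
    print("mismatched CoA secret ->", resp)  # None: silently dropped
```

Running it shows the two cases from the thread side by side: with identical secrets the NAD answers with a CoA-ACK whose Response Authenticator verifies on the ISE side, and with a different RFC 3576 secret on the NAD the request is discarded without any reply. Because the Request Authenticator is a keyed MD5 over the whole packet, the NAD cannot tell a wrong secret apart from a tampered packet, which is why both look like "bad auth" in the controller's debug output.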

Hi, Arne:

I reset the RFC3576 pre-shared key on the Aruba WLC and then everything works now! I never thought the previous support engineer could make such a stupid mistake, and he said the keys were indeed configured correctly. Thank you very much!!