Fix for ISE Guest with Aruba and CoA Delay

joplant
Cisco Employee

I have been working on setting up ISE with an Aruba IAP running version 6.5.4.2 and ran into an issue that I think should be noted in the config guide published on cisco.com for configuring Aruba with ISE flow:

Configure Guest Flow with ISE 2.0 and Aruba WLC - Cisco

What we found when following the guide is that while the guest flow worked correctly, the CoA was taking 90 seconds to complete after successfully authenticating in the guest portal. This caused the users to continue to get redirected for 90 seconds, at which point the CoA finally went out and the users were able to access the network as expected.

The delay was highlighted in the ISE RADIUS CoA log entry as a StepLatency attribute showing 90502ms or around 90 seconds.

[Image: ISE RADIUS CoA log entry showing the StepLatency attribute]

This latency is related to the way Aruba sends MAC address related attributes in RADIUS messages.  By default, Aruba will send the MAC address as the username without any delimiters (for example 448500c110a6).  This can cause delays with ISE when generating the CoA to send to Aruba.

Aruba allows this delimiter to be configured for MAC addresses within the SSID setup:

[Image: Aruba SSID setup showing the MAC address delimiter setting]

Once this delimiter was configured with a colon, the IAP had to be rebooted for the changes to take effect.  Afterwards, the CoA delays cleared and the process worked as expected, allowing guest users to access the network immediately.
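
As an added example (not part of the original post and not Cisco or Aruba code), the following sketch audits RADIUS records for the two symptoms described above: MAC addresses sent without delimiters, and CoA events with a high StepLatency. The `key=value` record layout, the `192.0.2.x` addresses, the 5000 ms threshold and all function names are assumptions made for illustration; the MAC value and the 90502 ms latency are taken from the post.

```python
import re

# MAC notations a NAD may use in User-Name / Calling-Station-Id.
STYLES = {
    "none":  re.compile(r"[0-9a-f]{12}", re.I),               # 448500c110a6
    "colon": re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I),
    "dash":  re.compile(r"([0-9a-f]{2}-){5}[0-9a-f]{2}", re.I),
    "dot":   re.compile(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I),
}

def mac_style(value):
    """Return the delimiter style of a MAC string, or None if it is not a MAC."""
    for name, rx in STYLES.items():
        if rx.fullmatch(value):
            return name
    return None

def normalize_mac(value):
    """Rewrite any recognised MAC notation as upper-case, colon-delimited."""
    if mac_style(value) is None:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_record(line):
    """Parse one constructed 'key=value, key=value' record into a dict."""
    return dict(f.split("=", 1) for f in line.split(", ") if "=" in f)

def audit(lines, slow_coa_ms=5000):  # threshold is an assumption
    findings = []
    for line in lines:
        rec = parse_record(line)
        nad = rec.get("NAS-IP-Address", "unknown")
        for attr in ("User-Name", "Calling-Station-Id"):
            if mac_style(rec.get(attr, "")) == "none":
                findings.append((nad, "undelimited-mac", attr, normalize_mac(rec[attr])))
        raw = rec.get("StepLatency", "")
        if rec.get("Event") == "CoA" and raw.isdigit() and int(raw) >= slow_coa_ms:
            findings.append((nad, "slow-coa", "StepLatency", int(raw)))
    return findings

# Constructed sample records (not ISE's real log layout).
SAMPLE = [
    "Event=Auth, NAS-IP-Address=192.0.2.10, User-Name=448500c110a6, Calling-Station-Id=448500c110a6",
    "Event=CoA, NAS-IP-Address=192.0.2.10, Calling-Station-Id=448500c110a6, StepLatency=90502",
    "Event=Auth, NAS-IP-Address=192.0.2.20, User-Name=44:85:00:c1:10:a6, Calling-Station-Id=44:85:00:c1:10:a6",
    "Event=CoA, NAS-IP-Address=192.0.2.20, Calling-Station-Id=44:85:00:c1:10:a6, StepLatency=12",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Grouping the findings by NAS address shows which access devices still send undelimited MACs and whether the slow CoA events come from the same devices.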


hariholla
Cisco Employee

Great catch and thanks for helping us with the tip to resolve this issue. Will talk to skuchere, who is the original author of that config guide.

hslai
Cisco Employee

I would suggest clicking on the Feedback link on the tech notes page.

Serhii Kucherenko
Cisco Employee

John, thanks a lot for pointing this out. This information was not added initially, as the problem was not seen with the ISE version which was used for preparing the article (it was 2.0 with no patches, if I'm not mistaken).

Later we saw this problem for ISE 2.1, and the issue with the absent delimiter has been addressed on the ISE side as part of the fix for CSCvc80485.

I'll add a corresponding note to the article, and thanks again!

Craig Hyps
Advocate

Yes, this issue was called out in the past on Community but I cannot find my response. Obviously should have documented this much better since you were not able to find it in your troubleshooting.

In addition to the deliberate setting of the delimiter for Calling ID, you can also set the values for Called ID so that they are similar to what you might see from WLC...

As mentioned, changes made on the ISE side have made the original issue less common, but I still recommend that customers set these more deliberate settings rather than relying on ISE to normalize.

/Craig

Hey All,

Thanks a ton for your feedback on this!  It is much appreciated.

We are running ISE 2.3.0.298 in the lab.  I see that the fix for CSCvc80485 should be included there so not sure if we are hitting the exact same issue or something else.

Also, while the mac-address-delimiter setting of "colon" fixed the 90 second delay for users logging into the guest portal with their AD credentials, it actually didn't fix the 90 second delay for users entering guest credentials.  We are seeing a very similar 90 second delay when guest credentials are used.

We are going to try the additional delimiter settings above to see if they will resolve this.  If not, we will work with TAC.

Just to follow up, my customer implemented all the changes noted above and we are still seeing the 90 second delay, although now it is only periodically.   I have opened TAC SR 683532524 to troubleshoot, but it seems that the Aruba interoperability issue may not be fixed via CSCvc80485.

kurpeuslondon
Beginner

Thanks a lot, that was spot on! I ran into the same issue today when setting up Guest flow between ISE 2.3 patch 2 and Aruba 6.5.4.3. I experienced the 90-second delay and a quick Google search led me to this page. It fixed it. Awesome.

Thumb up
