Cisco Employee

Fix for ISE Guest with Aruba and CoA Delay

I have been working on setting up ISE with an Aruba IAP running version 6.5.4.2 and ran into an issue that I think should be noted in the config guide published on cisco.com for configuring Aruba with ISE flow:

Configure Guest Flow with ISE 2.0 and Aruba WLC - Cisco

What we found when following the guide is that while the guest flow worked correctly, the CoA was taking 90 seconds to complete after successfully authenticating in the guest portal.  This caused the users to continue to get redirected for 90 seconds at which point the CoA finally went out and the users were able to access the network as expected.

The delay was highlighted in the ISE RADIUS CoA log entry as a StepLatency attribute showing 90502ms or around 90 seconds.

This latency is related to the way Aruba sends MAC address related attributes in RADIUS messages.  By default, Aruba will send the MAC address as the username without any delimiters (for example 448500c110a6).  This can cause delays with ISE when generating the CoA to send to Aruba.

Aruba allows this delimiter to be configured for MAC addresses within the SSID setup:

211406-Configure-Guest-Flow-with-ISE-2-0-and-Ar-14.jpg

Once this delimiter was configured with a colon, the IAP had to be rebooted for the changes to take effect.  Afterwards, the CoA delays cleared and the process worked as expected, allowing guest users to access the network immediately.

Accepted Solutions
Advocate

Yes, this issue was called out in the past on Community but I cannot find my response.  Obviously should have documented this much better since you were not able to find it in your troubleshooting.  

In addition to deliberate setting of the delimiter for Calling ID, you can also set the values for Called ID so that they are similar to what you might see from WLC...

As mentioned, changes made on the ISE side have made the original issue less common, but I still recommend that customers set these more deliberate settings rather than relying on ISE to normalize.

/Craig
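
As an added illustration of the delimiter point in this thread (not code from the original posts, Cisco or Aruba): a small audit that classifies the MAC notation a NAD places in `User-Name` and `Calling-Station-Id` and flags anything that is not in the expected delimited style. The attribute sets, NAS names and the choice of colon as the expected style are constructed assumptions for the example.

```python
import re

# MAC notations commonly seen in RADIUS User-Name / Calling-Station-Id values.
_FORMATS = {
    "none": re.compile(r"^[0-9a-f]{12}$", re.I),
    "colon": re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    "dash": re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I),
    "dot": re.compile(r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I),
}

def mac_format(value):
    """Return the delimiter style of a MAC string, or None if it is not a MAC."""
    for name, pattern in _FORMATS.items():
        if pattern.match(value.strip()):
            return name
    return None

def normalize_mac(value):
    """Canonical form: upper-case hex, colon-delimited. None if not a MAC."""
    if mac_format(value) is None:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_requests(requests, expected="colon"):
    """Flag requests whose MAC-bearing attributes are not in the expected style."""
    findings = []
    for req in requests:
        for attr in ("User-Name", "Calling-Station-Id"):
            style = mac_format(req.get(attr, ""))
            if style is not None and style != expected:
                findings.append((req["NAS-Identifier"], attr, style,
                                 normalize_mac(req[attr])))
    return findings

# Constructed sample attribute sets (not captured traffic).
SAMPLE = [
    {"NAS-Identifier": "iap-lab-1", "User-Name": "448500c110a6",
     "Calling-Station-Id": "448500c110a6"},
    {"NAS-Identifier": "iap-lab-2", "User-Name": "44:85:00:c1:10:a6",
     "Calling-Station-Id": "44:85:00:c1:10:a6"},
    {"NAS-Identifier": "iap-lab-2", "User-Name": "guest01",
     "Calling-Station-Id": "44-85-00-C1-10-A6"},
]

if __name__ == "__main__":
    for nas, attr, style, canon in audit_requests(SAMPLE):
        print(f"{nas}: {attr} uses '{style}' delimiter -> {canon}")
```

Non-MAC usernames such as guest credentials are skipped rather than flagged, so only the MAC-bearing values are compared against the expected style.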

Cisco Employee

Great catch and thanks for helping us with the tip to resolve this issue. Will talk to skuchere, who is the original author of that config guide.

Cisco Employee

I would suggest clicking on Feedback on the tech notes page.

Cisco Employee

John, thanks a lot for pointing this out. This information was not added initially, as the problem was not seen with the ISE version that was used for the article's preparation (it was 2.0 with no patches, if I'm not mistaken).

Later we saw this problem with ISE 2.1, and the issue with the absent delimiter has been addressed on the ISE side as part of the fix for CSCvc80485.

I'll add a corresponding note to the article, and thanks again!

Hey All,

Thanks a ton for your feedback on this!  It is much appreciated.

We are running ISE 2.3.0.298 in the lab.  I see that the fix for CSCvc80485 should be included there so not sure if we are hitting the exact same issue or something else.

Also, while the mac-address-delimiter setting of "colon" fixed the 90 second delay for users logging into the guest portal with their AD credentials, it actually didn't fix the 90 second delay for users entering guest credentials.  We are seeing a very similar 90 second delay when guest credentials are used.

We are going to try the additional delimiter settings above to see if they will resolve this.  If not, we will work with TAC.


Just to follow up, my customer implemented all the changes noted above and we are still seeing the 90 second delay, although now it is only periodically.   I have opened TAC SR 683532524 to troubleshoot, but it seems that the Aruba interoperability issue may not be fixed via CSCvc80485.

Beginner

Thanks a lot, that was spot on! I ran into the same issue today while setting up the Guest flow between ISE 2.3 patch 2 and Aruba 6.5.4.3. I experienced the 90-second delay, and a quick Google search led me to this page. It fixed it. Awesome.