Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4802
Views
10
Helpful
7
Replies

Fix for ISE Guest with Aruba and CoA Delay

Go to solution
joplant
Cisco Employee
Cisco Employee

‎11-21-2017 02:08 PM

I have been working on setting up ISE with an Aruba IAP running version 6.5.4.2 and ran into an issue that I think should be noted in the config guide published on cisco.com for configuring Aruba with ISE flow:

Configure Guest Flow with ISE 2.0 and Aruba WLC - Cisco

What we found when following the guide is that while the guest flow worked correctly, the CoA was taking 90 seconds to complete after successfully authenticating in the guest portal.  This caused the users to continue to get redirected for 90 seconds at which point the CoA finally went out and the users were able to access the network as expected.

The delay was highlighted in the ISE RADIUS CoA log entry as a StepLatency attribute showing 90502ms or around 90 seconds.

image002.png

This latency is related to the way Aruba sends MAC address related attributes in RADIUS messages.  By default, Aruba will send the MAC address as the username without any delimiters (for example 448500c110a6).  This can cause delays with ISE when generating the CoA to send to Aruba.

Aruba allows this delimiter to be configured for MAC addresses within the SSID setup:

211406-Configure-Guest-Flow-with-ISE-2-0-and-Ar-14.jpg

Once this delimiter was configured with a colon, the IAP had to be rebooted for the changes to take effect.  Afterwards, the CoA delays cleared and the process worked as expected, allowing guest users to access the network immediately.

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎11-23-2017 02:46 AM

Yes, this issue was called out in the past on Community but I cannot find my response.  Obviously should have documented this much better since you were not able to find it in your troubleshooting.  

In addition to deliberate setting of the delimiter for Calling ID, you can also set the values for Called ID so that they are similar to what you might see from WLC...

As mentioned, changes made on ISE side have made original issue less common, but I still recommend to customers set these more deliberate settings rather than relying on ISE to normalize.

/Craig

View solution in original post

0 Helpful
7 Replies 7

Go to solution
hariholla
Cisco Employee
Cisco Employee

‎11-21-2017 04:30 PM

Great catch and thanks for helping us with the tip to resolve this issue. Will talk to skuchere, who is the original author of that config guide.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎11-21-2017 04:50 PM

I would suggest to click on the Feedback on the tech notes page.

0 Helpful

Go to solution
Serhii Kucherenko
Cisco Employee
Cisco Employee

‎11-22-2017 08:30 AM

John thanks a lot for pointing to this. This Information has not been added initially as problem has not been seen with ISE version which was used for Article preparation (it was 2.0 with not patches if I'm not mistaken).

Later we saw this problem already for ISE 2.1 and issue with absent delimiter has been addressed on ISE side as part of the fix for - CSCvc80485

I'll add corresponding note to the Article and thanks again!

Go to solution
Craig Hyps
Level 10
Level 10

‎11-23-2017 02:46 AM

Yes, this issue was called out in the past on Community but I cannot find my response.  Obviously should have documented this much better since you were not able to find it in your troubleshooting.  

In addition to deliberate setting of the delimiter for Calling ID, you can also set the values for Called ID so that they are similar to what you might see from WLC...

As mentioned, changes made on ISE side have made original issue less common, but I still recommend to customers set these more deliberate settings rather than relying on ISE to normalize.

/Craig

0 Helpful

Go to solution
joplant
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎11-28-2017 12:56 PM

Hey All,

Thanks a ton for your feedback on this!  It is much appreciated.

We are running ISE 2.3.0.298 in the lab.  I see that the fix for CSCvc80485 should be included there so not sure if we are hitting the exact same issue or something else.

Also, while the mac-address-delimiter setting of "colon" fixed the 90 second delay for users logging into the guest portal with their AD credentials, it actually didn't fix the 90 second delay for users entering guest credentials.  We are seeing a very similar 90 second delay when guest credentials are used.

We are going to try the additional delimiter settings above to see if they will resolve this.  If not, we will work with TAC.

0 Helpful

Go to solution
joplant
Cisco Employee
Cisco Employee
In response to joplant

‎11-29-2017 11:17 AM

Just to follow up, my customer implemented all the changes noted above and we are still seeing the 90 second delay, although now it is only periodically.   I have opened TAC SR 683532524 to troubleshoot, but it seems that the Aruba interoperability issue may not be fixed via CSCvc80485.

0 Helpful

Go to solution
kurpeuslondon
Level 1
Level 1

‎03-05-2018 02:25 PM

Thanks a lot that was spot on ! I ran into the same issue today with setting up Guest flow between ise 2.3 patch 2 and Aruba 6.5.4.3. I experienced the 90 seconds delay and a quick google search led me to this page. It fixed it. Awesome.

Thumb up

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents