I did work with another account team, to prove out the WX5002 under ISE 2.0 (before Auth VLAN feature.  Most flows were successfully validated including some enhancements to ensure proper working with BYOD.  Since this testing conducted outside of Cisco QA and before we started posting to community, the NAD profile and config were never collected for posting.  From my notes, default HP Wireless profile was used.

Hi Craig

I started testing ISE Guest integration with an H3C WX5004 today and we used the H3C's CLI config snippet posted on the community forum.  It's somewhat useful and we have a half working solution so far.  I am wondering how you got the CoA working?  Does the H3C understand CoA?

And then how do you tell it which ACL's to apply (e.g. Portal ACL vs Guest Authenticated ACL)?

regards

Arne

Mixed feedback on the CoA support.  One report for WX5002 was that it did not, but then had another team validate the same platform with CWA and other web-enabled flows with CoA.  So there may be changes based on version deployed or hw revs.  Ultimately would need validation with your specific product and version.

The sample config posted shows that the H3C supports static URL.  In that case, you set the portal to be the one generated in the ISE Authorization Profile for 3rd-party redirect. The URL redirect type is set in NAD Profile.

Here is example for posted H3C config:  HP-H3C-A5500-NAD-Config

#

portal server iseportal ip 10.10.13.188 port 8443 url https://10.10.13.188:8443/portal/gateway?portal=a6b8fa70-fc3e-11e4-a67c-005056bf2f0a&action=cwa

#

portal free-rule 10 source ip any destination ip any

#

In the above example, the actual redirect URL was listed.  However, we provide option to set a "normalized URL" to reduce the length of entry.  Example:

     https://iseHost:8443/portal/g?p=6Rqz8dJ91WOjPibM6BAP5JQPEb

Once user redirected to PSN, it will be redirected again to more detailed example shown in config snippet.

Craig

Hi,

The following H3C WLAN  devices are supporting RADIUS CoA.

Software version:

• WX2500E-CMW520-E3703P61 (WX2540E)
• WAC360-CMW520-E3703P61 (WAC360 series)
• WX5004-CMW520-R2509P61 (WX5000 series)
• WX3500E-CMW520-R3709P61 (WX3500E series)
• WX6103-CMW520- R2509P61 (WX6000 series)
• WX5500E-CMW520-R2609P61 (WX5500E series)
• WX3000-CMW520-R3509P61 (WX3000E series)

HPE (H3C) 830 WLAN also.

To configure the CoA client  on NAD:

"radius dynamic-author client trusted ip < ISE ip-address>"

"undo radius dynamic-author client trusted"    to remove it

Default behavior is:

The device does not trust the DAE packets sent by any IP addresses.

To configure the CoA port  on NAD:

Hi @smashash and @Jason Kunst

I have revisited this topic and I noticed something that I'd like confirmation on please.  

The HPE wireless controller that I am working with is supported, but after speaking to HPE and Aruba engineers, they tell me that I have to use an auth-vlan mechanism on the HPE controller. And when I implemented this as they directed, I can't get it to work because I never see the CoA from ISE.

Here is what happens

1) HPE Controller sends MAC address to ISE

2) ISE does lookup and doesn't find it - ISE sends Access-Reject to HPE controller (this is the crux of it)

3) HPE gets Access-Reject and places user in auth-vlan and kicks off a URL redirection (which points to ISE)

4) User logs into ISE portal successfull - getsuccess page because credentials match.

5) .....*BOOOOOM* - ISE doesn't send a CoA because it doesn't have a session for this portal login .... since ISE sent an Access-Reject.   

CoA only seems possible if ISE has an active session as a result of a positive MAB auth.  Is this true?  I mean, if I send an Access-Reject to a NAS, I don't expect an Accounting Start to come back as a result!!!  That would be weird.

If Craig were still around I would have asked him this, but he mentioned in earlier responses in this thread that the ISE 2.0 config was never captured.  Pity.  

Hi Arne,

That is correct. it requires active session in ISE to send CoA.

Have you tried the Auth-VLAN (Guest-VLAN)  solution for 3rdparty NADs?

more info:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200604-Configure-Third-Party-NAD-Redirection-on.html

@smashash - thanks for the link - @Jason Kunst my customer has started evaluating this but it's not a trivial matter, since we have around 900 locations, each needing its own DHCP scope.  The PSN's are centrally located in two DC's. 

And then the operational overhead - try adding 900 scopes into an ISE GUI!!!  And then we don't only have one PSN - we have 4. This config doesn't replicate across PSN's.  How does one manage the DHCP leases?  Is there management and monitoring for this in ISE?

Sure thing.  Is there any particular format/template or location for this document?  I was planning to put the document under Cisco Community > Technology and Support > Security > Identity Services Engine (ISE)

Give me a few days and it will be done.