09-30-2019 03:10 AM
Wired guest (employee) portal is working partially, as the user gets a successful authentication message. But then ISE automatically sends a CoA request to bounce the port. The switch gets the request and sends out a NACK instead of an ACK. If we look into the log detail, ISE says the CoA failed with a result message - missing attribute.
These are the attributes we have created for CoA - Port Bounce in the network profile. See screenshot attributes.
If we manually disconnect the cable and reconnect it after a successful authentication, the user gets the correct VLAN (guest VLAN). So the built functionality works. But we have an issue with the CoA attributes we send towards the NAD. Am I correct?
CoA
Cisco ISE -----------> NetScaler---------------NAD
NAD ---------> NetScaler ----------------- Cisco ISE
What are we missing here? Has anyone got this working ever?
10-16-2019 06:53 AM - edited 10-16-2019 06:53 AM
We have sorted it out.
The issue was because we were using the ISE built-in Guest Flow to initiate the reauth process. It looks like Cisco ISE can't cope with the Aruba switches combined with the Guest Flow process.
So we had to change the second process to be Endpoint Identity Group based. It's all working now.
Once a week, try to clean up the Endpoint group so the users can follow the process once more.