Solved: HPe / Aruba switches with ISE CoA issue (Wired guest portal)

Thiruchelvam Thurairaj · ‎09-30-2019

Wired guest (employee) portal is working partially as the user gets a successful authentiion message. But then ISE sends automatically a CoA request to bounce the port. Switch gets the request and sends ount a NACK instead a ACK. If we look into the log detail ISE says the CoA failed with a result message - missing attribute.

These are the attributes we have created for CoA - Port Bounce in the network profile. See screenshot attributes.

Manually if we disconnect the cable and reconnect it back after a succesful authentication, user gets the correct VLAN (guest VLAN). So the built functionality works. But we have a issue with the CoA attributes we send towards the NAD. Am I correct?

CoA

Cisco ISE -----------> Netscalar---------------NAD

NAD ---------> Netscalar ----------------- Cisco ISE

What are we missing here? Has anyone got this working ever?

Thiruchelvam Thurairaj · ‎10-16-2019

We have shorted it out.

The issue was because we wre using ISE built-IN Guest Flow to do initiate the reauth process. It looks like Cisco ISE can't cope with the Aruba switches combined with Guest Flow process.

So we had to change the second process through Endpoint Identity Group based. It's all working now.

Every once in a week try to cleanup the Endpoint group so the users can follow the proces once more.

View solution in original post

Thiruchelvam Thurairaj · ‎10-16-2019

We have shorted it out.

The issue was because we wre using ISE built-IN Guest Flow to do initiate the reauth process. It looks like Cisco ISE can't cope with the Aruba switches combined with Guest Flow process.

So we had to change the second process through Endpoint Identity Group based. It's all working now.

Every once in a week try to cleanup the Endpoint group so the users can follow the proces once more.