11-20-2018 03:02 AM
Hello,
I have a customer who has Aruba WLAN integrated with ISE 2.4 (patch 4) for CWA. The customer has a requirement that a guest can register a maximum of 2 devices and at a time he should only log in from one device. I tried to use "disconnect oldest connection" in the guest, but found that there is no COA being generated from ISE. Then I tried the "disconnect newest connection", which is working in a random manner. When it works I am able to see a COA success message in the RADIUS live logs. When it does not work I am getting a COA failed message in the live logs with error-cause as "Session Context Not Found". Did anyone come across the same scenario? Kindly help.
11-20-2018 04:31 AM
11-20-2018 05:04 AM
I believe it is a limitation for ISE to work with a third-party NAD. The Aruba controller is working as expected. They did not try with a Cisco controller. I have a TAC case opened and they said they registered a software defect for the "disconnect oldest connection" issue. But for "disconnect newest connection" there is no solution till now.
11-20-2018 09:12 AM
11-20-2018 01:33 PM
Does the Aruba controller send Radius Accounting to ISE? I would imagine that the Aruba controller has nothing to do with this fault at all because the CoA is not initiated by it. If ISE does not send out a CoA then that is not the fault of the NAS.
ISE needs to maintain session state somehow and that's the part that's gone skew. Hence the question about Radius Accounting. Session management is so fundamental to any good Radius server and I don't recall ever seeing a decent explanation of how this is done in ISE. If there is a good technical discussion about it then I'd like to know. It's like a magic black box.
11-20-2018 09:10 PM
Hi Arne,
The Aruba controller does send the RADIUS accounting to ISE. I can see that in the packet capture. I agree with you that the fault is not at the NAS side since CoA is a RADIUS server functionality. For the "oldest connection" issue, the TAC told me that the session-id attribute for the oldest connection is not available in the MNT node and thus ISE is not able to initiate a CoA. I am still waiting for their response. Actually the guest network is pretty big and due to this issue the customer has asked to hold the migration until the fix is given by the TAC.