Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
683
Views
0
Helpful
5
Replies

ISE 2.4 CWA integration with Aruba Controller | Maximum Simultaneous Sessions Logins per guest user does not work properly

SHABEEB KUNHIPOCKER
Level 3
Level 3

‎11-20-2018 03:02 AM

Hello,

 

I have a customer who has Aruba WLAN integrated with ISE 2.4 (patch 4) for CWA. The customer has a requirement that a guest can register maximum 2 devices and at a time he should only login from one device. I tried to use " disconnect oldest connection" in the guest, but found that there is no COA being generated from ISE. Then I tried the "disconnect newest connection" which is working in a random manner. When it works I am able to see COA success message in the radius live logs. When it does not work I am getting COA failed message in live logs with error-cause as " Session Context Not Found". Did anyone came across the same scenario?. Kindly help.

0 Helpful
5 Replies 5

Jason Kunst
Cisco Employee
Cisco Employee

‎11-20-2018 04:31 AM

I have heard about this but would need tac to troubleshoot as well

Likely Aruba controller issue buggy.

Have they tried with Cisco controller?
0 Helpful

SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to Jason Kunst

‎11-20-2018 05:04 AM

I believe it is  of limitation for ISE to work to third party NAD. The Aruba controller is working as expected. They did not try with Cisco Controller. I have a TAC case opened and they said they registered a software defect for the " disconnect oldest connection" issue. But for " disconnect newest connection" till now there is no solution.

 

 

 

0 Helpful

Jason Kunst
Cisco Employee
Cisco Employee
In response to SHABEEB KUNHIPOCKER

‎11-20-2018 09:12 AM

you have an internal thread going on as well. will follow up and see how we can work together. please continue working through tac
0 Helpful

Arne Bier
VIP
VIP
In response to SHABEEB KUNHIPOCKER

‎11-20-2018 01:33 PM

Does the Aruba controller send Radius Accounting to ISE? I would imagine that the Aruba controller has nothing to do with this fault at all because the CoA is not initiated by it.  If ISE does not send out a CoA then that is not the fault of the NAS.

 

ISE needs to maintain session state somehow and that's the part that's gone skew.  Hence the question about Radius Accounting.  Session management is so fundamental to any good Radius server and I don't recall ever seeoing a decent explanation of how this is done in ISE.  If there is a good technical discussion about it then I'd like to know.  it's like a magic black box.

0 Helpful

SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to Arne Bier

‎11-20-2018 09:10 PM

Hi Arne,

Aruba controller do send the radius accouting to ISE. I can see that in the packet capture. I agree with you that the fault is not at the NAS side since CoA is a Radius server functionality. For the "oldest connection issue" the TAC told me that the session-id attribute for the oldest connection is not availble in the MNT node and thus ISE is not able to initiate a CoA. I am still waiting for their response. Actually the guest network is pretty big and due to this issue the customer has asked to hold the migration until the fix is given by the TAC.

 

0 Helpful
Customers Also Viewed These Support Documents