Showing results for 
Search instead for 
Did you mean: 

ISE 3.1 guest flow with Aruba IAP

Abdul Pallares


In a ISE 3.1 deployment with Aruba IAP as NAD for central web auth to guests. The customer wants to apply a special policy for a group of corp users.

I'm able to do CoA and to get authenticated by guest captive portal. But found that the GuestFlow logic is not matched, so I see the following steps in live log when logging in to guests portals with a corporate user:

  1. A MAB access match
  2. A authentication mathc
  3. A new MAB access match

I was able to recognize the second MAB attempt as an athorized device by searching the device in "Endpoint Identity Groups:GuestEndpoints" but I'm not able to realyze how to associate this session with the user logged in, this is the step done by GuesFlow in a Cisco AP but it's not working with Aruba devices.

Does anyone have any idea on how to guet this association with Aruba IAP?


6 Replies 6

Hi Ahollfield,

Thanks for your response, I'v already read your post before asking this question. There I learned about the remember me approach for Aruba sessions. Unfortunatelly it doesn't cover our needs, because we need to match the AD group for the logged in user, so if the user is member of group X we let it go to corporate network, if not we assign a guest network.

Thanks again


If I am understanding correctly, you should be able to handle this with authz rules in ISE, just push different User Roles to the IAP for each user type.  Each role would then be associated with a different VLAN.  

Hi ahollfield,

Thanks again for your response. I'v double checked this but there is no way to catch the corporate login from the web portal. There is only one event in live log which is "Authentication passed", but I'm not able to catch it on Authz rules. Then there is a CoA for Dynamic Authorization and then the new MAB access with the endpoint added to GuestEndpoints group.

I'm not able to figure out how to use the user identity in this scenario. I can see that the session ID is maintained in all the flow, but can't find a way to get info from the session too. So I get stucked to the GuestEndpoint option.

Let me explain the objective so maybe it helps you to understand it.

1- Customer is deploying ISE for: Guest/Sponsor access and 802.1x using TEAP for corporate networks (Ethernet and Wifi)

2-802.1x will not work in an out of the box computer

3-Customer wants to use guest portal for partners to catch an AD group (Which are the IT Team which platform the corporate computers) and assign the corporate vlan to this sessions, so they are able to add the machine to the AD and get all the corporate GPOs, do autoenrollment, setup Wifi and Ethernet supplicants etc...

4- The setup is working over Ethernet, with Cisco switches using GuestFlow condition

Please if you have any question let me know and I'll try to clarify more the setup

Please let me add the policy we are using:


This is the rule we would like to match, but fails, identity never match here



This is the rule that match, once the user is authenticated.


This is the rule that redirects the users which access from ise node 1 to the captive portal on ise node 1




The flow coming from Cisco switches match prolerly on that rule:


But Guest_Flow condition is not working with Aruba devices.


Is there any way to get identity associated to an existing session and use it on authz rules?






Hello @Abdul Pallares were you able to resolve this? I am running into the same issue.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: