Issue with Posture with Cisco ISE and Aruba CX switch.

Sergey Polski
Level 1

Hello everyone.

I have the following setup: 1 ISE 3.2 (patch 4) server (running in my lab for a PoC) and 1 Aruba 6000 switch with the latest 10.13.0005 firmware.

I have defined a NAD profile for Aruba by copying the pre-defined profile for Aruba Wireless and added a custom VSA for port bounce.

Port bounce works correctly, while re-authentication does not. I've tried to use the RADIUS attributes from the following post, but this hasn't worked for me. I'm getting 407, Invalid Attribute Value from the switch.

https://community.cisco.com/t5/network-access-control/802-1x-coa-reauthenticate-aruba-switch/m-p/4822423#M581394

If I try to do posture without re-authentication, ISE sends a CoA request to the switch, the switch bounces the port, and the posture module on Cisco Secure Client runs again and sends the result to ISE, and ISE bounces the port. And it happens over and over.

Has anyone implemented posture with Aruba CX switches?

Thank you

Accepted Solutions

hslai
Cisco Employee

@Sergey Polski If ISE is sending AVP as configured in the NAD profile, then please seek support from the NAD product support team as to why it is giving you invalid attribute value.

Note that, for NAD profiles, only fixed values are supported for the attributes to be sent as part of CoA requests from ISE. This is a known issue -- CSCwe52049.
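For anyone troubleshooting the same symptom, the "407, Invalid Attribute Value" in the question is an Error-Cause value from RFC 5176, returned in the reply to a CoA request. The following is an added example, not part of the original thread and not Cisco or Aruba code: it parses a captured CoA reply and decodes Error-Cause, assuming the switch answers with a CoA-NAK; the sample packet and function names are constructed for illustration.

```python
import struct

# RADIUS packet codes used by dynamic authorization (RFC 5176)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE_ATTR = 101  # Error-Cause attribute type (RFC 5176)
# Subset of the RFC 5176 Error-Cause values relevant to rejected requests
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                403: "NAS Identification Mismatch", 404: "Invalid Request",
                405: "Unsupported Service", 406: "Unsupported Extension",
                407: "Invalid Attribute Value", 501: "Administratively Prohibited",
                503: "Session Context Not Found", 506: "Resources Unavailable"}

def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS header and its attribute TLVs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match the data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "other"), "id": ident, "attrs": attrs}

def explain_reply(packet: bytes) -> str:
    """Summarise a CoA/Disconnect reply, decoding Error-Cause when present."""
    msg = parse_radius(packet)
    for a_type, value in msg["attrs"]:
        if a_type == ERROR_CAUSE_ATTR and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            return f'{msg["name"]}: {cause} {ERROR_CAUSES.get(cause, "unknown cause")}'
    return f'{msg["name"]}: no Error-Cause attribute'

# Constructed sample: CoA-NAK, id 7, zeroed authenticator, Error-Cause = 407
SAMPLE_NAK = bytes([45, 7, 0, 26]) + bytes(16) + bytes([101, 6]) + struct.pack("!I", 407)

if __name__ == "__main__":
    print(explain_reply(SAMPLE_NAK))
```

Error-Cause does not name the offending attribute, so the decoded reply is best read next to the attributes of the CoA-Request that triggered it.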
