- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-23-2017 05:33 PM - edited 03-11-2019 12:29 AM
I've got Aruba instant AP's using ISE for Guest authentication.
Users are authenticated successfully but it returns to login page again instead of redirection to original URL.
Radius logs shows the authentication is successful but it's not picking any authorization policy for some reason.
Solved! Go to Solution.
- Labels:
-
AAA
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2022 04:08 AM
Hello,
I had the same problem, but I have resolved it. I used two different roles on Aruba one guest-redirect where I would redirect it to the cisco ISE portal and the other one guest-authenticated where I give internet access only and make sure that you do not enable "Download Role" on the Access tab when you create the SSID. On the Cisco ISE side also create two authorization profiles one for CWA where you would send the "Aruba-User-Role = guest-redirect" and the other one where you would send the "Aruba-User-Role = guest-authenticated. This has worked for me. I hope that will help you too.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-23-2017 08:30 PM
Hi,
Seems like COA is not happening. Could you please confirm the following:
1) Send the screenshot of ACL on WLC.
2) Check if WLC is configured for COA
Security > Radius > Authentication
Check if Support for COA is enabled.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc5
Regards
Gagan
PS: rate helpful posts!!!!!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-23-2017 09:21 PM
Hi Gagan,
COA is enable in radius definition on Aruba controller but it looks it's using port 5999 which is a bit strange.
Predefined port for Aruba device in ISE is 3799.
Screen shot attached.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-24-2017 08:39 AM
To be honest, I have never seen different ports on both WLC and SERVER.
If you can make it 3799 and see if that makes any difference.
Regards
Gagan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-13-2022 07:23 PM
Hello,
I'm facing the same issue, portal page keeps looping.
Did you resolve the issue?
Please share
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2022 04:08 AM
Hello,
I had the same problem, but I have resolved it. I used two different roles on Aruba one guest-redirect where I would redirect it to the cisco ISE portal and the other one guest-authenticated where I give internet access only and make sure that you do not enable "Download Role" on the Access tab when you create the SSID. On the Cisco ISE side also create two authorization profiles one for CWA where you would send the "Aruba-User-Role = guest-redirect" and the other one where you would send the "Aruba-User-Role = guest-authenticated. This has worked for me. I hope that will help you too.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2022 04:49 AM
This is the way^
