It was for AOS-CX, threads got changed. For AOS configuration you mentioned is correct. Check the pcap from CISCO ISE and check what was missing.
Original Message:
Sent: Mar 14, 2023 01:59 AM
From: vivarock12
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Does this apply to version 16.11 for AOS-S?
Original Message:
Sent: Mar 13, 2023 12:16 AM
From: Shobana Nandakumar
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
You have to enable this CLI for RADIUS dyn authorization:
radius dyn-authorization enable
radius dyn-authorization client {<IPV4> | <IPV6> | <HOSTNAME>}
[secret-key [plaintext <PASSKEY> | ciphertext <PASSKEY>]]
[time-window <WIDTH>] [replay-protection {enable|disable}]
More details here -
https://www.arubanetworks.com/techdocs/AOS-CX/10.08/HTML/security_6200-6300-6400/Content/Chp_RAD_dyn_auth/RAD_dyn_auth_cmds/rad-dyn-aut-com-fl-10.html
------------------------------
Shobana
Aruba
Original Message:
Sent: Mar 10, 2023 09:48 AM
From: vivarock12
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
I just got the config from the switch and the command.
Tell me if you see anything incorrect. Thanks for the help.
Original Message:
Sent: Feb 27, 2023 10:39 AM
From: vivarock12
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
I will have access to the switch soon to get those commands.
Original Message:
Sent: Feb 27, 2023 06:32 AM
From: Herman Robers
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Topic mentions 2530 which would be similar to 2930F for CoA perspective.
Can you see if the CoA reaches the switch?
show radius dyn-authorization
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 23, 2023 06:27 PM
From: vivarock12
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi,
With what switch were you working? I'm using an ARUBA2930f-48g-4sfp with this configuration on ISE, but it is not working for me. What I'm trying to do is a port bounce and assign a new ACL on an 802.1X client that already had an ACL assigned via VSA 92 before.
Can you give me any clue?
Original Message:
Sent: Nov 16, 2020 07:26 AM
From: jdallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Tom,
thanks for the reply.
I did not try your settings, but today I got the following settings from Cisco TAC and they worked for me.
Probably, there is more than one setting that works.
------------------------------
Joerg Dallhammer
Original Message:
Sent: Nov 14, 2020 11:38 PM
From: Tom Costello
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Joerg,
I spent today working on a homelab involving Cisco ISE at https://kd9cpb.com/aruba-captive-portal, which refreshed my memory about the CoA config in the network device profile. Try removing RADIUS: Event-Timestamp and replace with NAS-Port-ID in the RFC 5176 section. I seem to remember this was something Aruba TAC had me try when I was first getting started with captive portals. I don't know if you might need to remove or change the port bounce settings; never needed that for my wired guest setup.
Original Message:
Sent: Nov 09, 2020 09:21 AM
From: Joerg Dallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Victor,
the Radius server is not a Clearpass, it is a Cisco ISE. It seems that the ISE configuration causes the issue.
Time sync is ok.
Regards
Joerg
------------------------------
Joerg Dallhammer
Original Message:
Sent: Nov 09, 2020 09:18 AM
From: Victor Fabian
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Is the time in sync between the switch and ClearPass?
Are you using a VIP in ClearPass? If so, do you also have it defined?
Have you tried taking a packet capture from ClearPass and on the switch as well?
------------------------------
Victor Fabian
Original Message:
Sent: Nov 09, 2020 09:10 AM
From: Joerg Dallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Tom,
Radius was configured properly.
Unfortunately, the debug output doesn't give a hint as to which attribute is missing.
Regards
Joerg
------------------------------
Joerg Dallhammer
Original Message:
Sent: Nov 04, 2020 04:42 PM
From: Tom Costello
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Joerg,
I had similar issues at first trying to get ISE talking with ArubaOS-Switch. Here's a couple quick things to try:
1. Make sure you have accounting turned on (aaa accounting network start-stop radius) otherwise ISE might not track the RADIUS session properly. Took a very long, very painful TAC for me to learn that lesson.
2. Try "debug security radius-server" to see if you get any additional insight into the NAK
Best of luck!
Tom
kd9cpb.com/homelab
Original Message:
Sent: Nov 03, 2020 11:33 AM
From: Joerg Dallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi,
I am actually trying to implement profiling with the Cisco ISE (2.7 patch2) and Aruba 2530 (SW 16.10.011).
After profiling the devices, the ISE sends a CoA Port Bounce to the switch.
But I am still getting a "Missing attribute" back from the switch.
On the switch, I have configured the following for CoA:
radius-server host <IP-address> key <Some Pass>
radius-server host <IP-address> dyn-authorization
radius-server host <IP-address> time-window 0
The CoA-NAKs increase with every attempt.
On the ISE, I have configured the following for the device profile:
------------------------------
Joerg Dallhammer
------------------------------