The topic mentions the 2530, which would be similar to the 2930F from a CoA perspective.
Can you see if the CoA reaches the switch?
show radius dyn-authorization
------------------------------
Herman Robers
------------------------
------------------------------
Original Message:
Sent: Feb 23, 2023 06:27 PM
From: vivarock12
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi,
With what switch were you working? I'm using an Aruba 2930F-48G-4SFP with this configuration on ISE, but it is not working for me. What I'm trying to do is a port bounce and assign a new ACL on an 802.1X client that already had an ACL assigned via VSA 92 before.
Can you give me any clue?
Original Message:
Sent: Nov 16, 2020 07:26 AM
From: jdallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Tom,
thanks for the reply.
I did not try your settings, but today I got the following settings from Cisco TAC and they worked for me.
Probably, there is more than one setting that works.
------------------------------
Joerg Dallhammer
Original Message:
Sent: Nov 14, 2020 11:38 PM
From: Tom Costello
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Joerg,
I spent today working on a homelab involving Cisco ISE at https://kd9cpb.com/aruba-captive-portal, which refreshed my memory about the CoA config in the network device profile. Try removing RADIUS: Event-Timestamp and replacing it with NAS-Port-ID in the RFC 5176 section. I seem to remember this was something Aruba TAC had me try when I was first getting started with captive portals. I don't know if you might need to remove or change the port bounce settings; I never needed that for my wired guest setup.
Original Message:
Sent: Nov 09, 2020 09:21 AM
From: Joerg Dallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Victor,
The RADIUS server is not a ClearPass, it is a Cisco ISE. It seems that the ISE configuration causes the issue.
Time sync is OK.
Regards
Joerg
------------------------------
Joerg Dallhammer
Original Message:
Sent: Nov 09, 2020 09:18 AM
From: Victor Fabian
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Is the time in sync between the switch and ClearPass?
Are you using a VIP in ClearPass? If so, do you also have it defined?
Have you tried taking a packet capture from ClearPass and on the switch as well?
------------------------------
Victor Fabian
Original Message:
Sent: Nov 09, 2020 09:10 AM
From: Joerg Dallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Tom,
RADIUS was configured properly.
Unfortunately, the debug output doesn't give a hint as to which attribute is missing.
Regards
Joerg
------------------------------
Joerg Dallhammer
Original Message:
Sent: Nov 04, 2020 04:42 PM
From: Tom Costello
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi Joerg,
I had similar issues at first trying to get ISE talking with ArubaOS-Switch. Here's a couple quick things to try:
1. Make sure you have accounting turned on (aaa accounting network start-stop radius) otherwise ISE might not track the RADIUS session properly. Took a very long, very painful TAC for me to learn that lesson.
2. Try "debug security radius-server" to see if you get any additional insight into the NAK
Best of luck!
Tom
kd9cpb.com/homelab
Original Message:
Sent: Nov 03, 2020 11:33 AM
From: Joerg Dallhammer
Subject: CoA Port Bounce with Cisco ISE and Aruba 2530
Hi,
I am actually trying to implement profiling with the Cisco ISE (2.7 patch2) and Aruba 2530 (SW 16.10.011).
After profiling the devices, the ISE sends a CoA Port Bounce to the switch.
But I am still getting a "Missing attribute" back from the switch.
On the switch, I have configured the following for CoA:
radius-server host <IP-address> key <Some Pass>
radius-server host <IP-address> dyn-authorization
radius-server host <IP-address> time-window 0
The CoA-NAKs increase with every attempt.
On the ISE, I have configured the following for the device profile:
------------------------------
Joerg Dallhammer
------------------------------
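Added example, not part of the thread or of any vendor tooling: a minimal RFC 5176 decoder for packets taken from a capture like the one suggested above. It lists the attributes a CoA-Request carried and the Error-Cause in the CoA-NAK (402 is "Missing Attribute"). The sample packets and all function names are constructed for illustration.

```python
import struct

# RFC 5176 packet codes and a subset of Error-Cause (attribute 101) values.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               407: "Invalid Attribute Value", 503: "Session Context Not Found"}
# Standard attribute types, including the two named in the thread (55, 87).
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         31: "Calling-Station-Id", 44: "Acct-Session-Id", 55: "Event-Timestamp",
         80: "Message-Authenticator", 87: "NAS-Port-Id", 101: "Error-Cause"}

def parse_radius(pkt: bytes) -> dict:
    """Decode the 20-byte RADIUS header, then walk the TLV attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def attr_names(parsed: dict) -> list:
    return [ATTRS.get(t, f"type-{t}") for t, _ in parsed["attrs"]]

def error_cause(parsed: dict):
    """Return 'number name' for the Error-Cause attribute, or None if absent."""
    for t, value in parsed["attrs"]:
        if t == 101 and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            return f"{n} {ERROR_CAUSE.get(n, 'unknown')}"
    return None

def build(code: int, ident: int, attrs: list) -> bytes:
    """Build a sample packet (authenticator zeroed, so not valid on the wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captures from the thread.
SAMPLE_REQUEST = build(43, 7, [(31, b"AA-BB-CC-00-11-22"),
                               (55, struct.pack("!I", 1604421180))])
SAMPLE_NAK = build(45, 7, [(101, struct.pack("!I", 402))])

if __name__ == "__main__":
    for name, pkt in (("request", SAMPLE_REQUEST), ("reply", SAMPLE_NAK)):
        p = parse_radius(pkt)
        print(name, p["code"], attr_names(p), error_cause(p))
```

The Error-Cause value does not name the attribute the switch expected, so the attribute list from the request is what to compare when changing the ISE device profile.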