
CoA Port Bounce with Cisco ISE and Aruba 2530

  • 1.  CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 25 days ago
    Hi,

    I am actually trying to implement profiling with the Cisco ISE (2.7 patch2) and Aruba 2530 (SW 16.10.011).
    After profiling the devices, the ISE sends a CoA Port Bounce to the switch.
    But I am still getting a "Missing attribute" back from the switch.

    On the switch, I have configured the following for CoA:
    radius-server host <IP-address> key <Some Pass>
    radius-server host <IP-address> dyn-authorization
    radius-server host <IP-address> time-window 0

    The CoA-NAKs increase with every attempt.

    On the ISE, I have configured the following for the device profile:


    From a packet dump, I can see that only a few attributes are sent to the switch via CoA:


    Any idea what's missing here?

    Regards
    Joerg




    ------------------------------
    Joerg Dallhammer
    ------------------------------


  • 2.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 24 days ago
    Hi,

    Use ClearPass ;-)

    You can look at https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s11.html#List_Change_of_Authorization

    Have you also checked the time on ISE and switch?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 24 days ago
    Hi Alexis,

    thanks for your reply.

    I have checked the document and checked the time on ISE and switch.
    Everything seems to be fine.

    But there are still attributes missing on the CoA that the switch expects.

    Regards
    Joerg

    ------------------------------
    Joerg Dallhammer
    ------------------------------



  • 4.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 24 days ago
    Here is the capture for a CoA bounce-port as sent by ClearPass. I see more attributes, but am unsure which are the critical ones:
    On this switch an AP is connected to port 5 which is 802.1X authenticated, hence the user-name.

    This may help to find what you should add, and if you find out, please post your results here.


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 5.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 24 days ago
    Hi Herman,

    That's what I suspect to get from the Cisco ISE, but from my packet dump I can see that the ISE is sending only parts of it, even though I have configured several more attributes.

    Seems to be an ISE issue.

    Thanks for your reply.


    ------------------------------
    Joerg Dallhammer
    ------------------------------



  • 6.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 24 days ago
    Hi Joerg,

    I had similar issues at first trying to get ISE talking with ArubaOS-Switch. Here's a couple quick things to try:
    1. Make sure you have accounting turned on (aaa accounting network start-stop radius) otherwise ISE might not track the RADIUS session properly. Took a very long, very painful TAC for me to learn that lesson.
    2. Try "debug security radius-server" to see if you get any additional insight into the NAK

    Best of luck!
    Tom
    kd9cpb.com/homelab




  • 7.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 23 days ago
    Hi Tom,

    thanks for your reply. 
    I am sure that accounting is configured, but I will double-check.
    Perhaps the debug will show me more.

    Regards
    Joerg

    ------------------------------
    Joerg Dallhammer
    ------------------------------



  • 8.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 19 days ago
    Hi Tom,

    RADIUS was configured properly.
    Unfortunately, the debug output doesn't give a hint as to which attribute is missing.

    Regards
    Joerg

    ------------------------------
    Joerg Dallhammer
    ------------------------------



  • 9.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 19 days ago
    Is the time in sync between the switch and ClearPass?
    Are you using a VIP in ClearPass? If so, do you also have it defined?
    Have you tried taking a packet capture from ClearPass and on the switch as well?

    ------------------------------
    Victor Fabian
    ------------------------------



  • 10.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 19 days ago
    Hi Victor,

    The RADIUS server is not a ClearPass, it is a Cisco ISE. It seems that the ISE configuration causes the issue.
    Time sync is ok.

    Regards
    Joerg

    ------------------------------
    Joerg Dallhammer
    ------------------------------



  • 11.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 13 days ago
    Hi Joerg,

    I spent today working on a homelab involving Cisco ISE at https://kd9cpb.com/aruba-captive-portal, which refreshed my memory about the CoA config in the network device profile. Try removing RADIUS: Event-Timestamp and replacing it with NAS-Port-ID in the RFC 5176 section. I seem to remember this was something Aruba TAC had me try when I was first getting started with captive portals. I don't know if you might need to remove or change the port bounce settings; never needed that for my wired guest setup.



  • 12.  RE: CoA Port Bounce with Cisco ISE and Aruba 2530

    Posted 12 days ago
    Hi Tom,

    thanks for the reply.
    I did not try your settings, but today I got the following settings from Cisco TAC and they worked for me.
    Probably, there is more than one setting that works.
    Regards
    Joerg


    ------------------------------
    Joerg Dallhammer
    ------------------------------
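
Added example, not part of the thread: a small Python decoder for the comparison the posters make by eye, listing which attributes one CoA-Request carries that another lacks and decoding the Error-Cause attribute in a CoA-NAK. The packets are constructed samples with a zeroed authenticator, and their attribute sets are illustrative only, not what ISE, ClearPass or the 2530 send or require; for real traffic, pass in the UDP payload bytes exported from the capture.

```python
import struct

# Codes, attribute types and Error-Cause values from RFC 2865, 2866, 2869 and 5176
CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
         31: "Calling-Station-Id", 44: "Acct-Session-Id", 55: "Event-Timestamp",
         80: "Message-Authenticator", 87: "NAS-Port-Id", 101: "Error-Cause"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute", 404: "Invalid Request",
               403: "NAS Identification Mismatch", 503: "Session Context Not Found"}

def parse(pkt):
    """Return (code name, [(attribute name, raw value), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, off = [], 20  # skip 4-byte header and 16-byte authenticator
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("truncated attribute")
        atype, alen = pkt[off], pkt[off + 1]
        attrs.append((ATTRS.get(atype, f"Attr-{atype}"), pkt[off + 2:off + alen]))
        off += alen
    return CODES.get(code, f"Code-{code}"), attrs

def error_cause(pkt):
    """Decode Error-Cause (type 101, 4-byte integer) from a NAK; None if absent."""
    for name, val in parse(pkt)[1]:
        if name == "Error-Cause" and len(val) == 4:
            n = struct.unpack("!I", val)[0]
            return ERROR_CAUSE.get(n, f"Error-Cause {n}")
    return None

def only_in_second(a, b):
    """Attribute names carried by request b but absent from request a."""
    return sorted({n for n, _ in parse(b)[1]} - {n for n, _ in parse(a)[1]})

def build(code, attrs):
    """Build a constructed sample packet (zeroed authenticator, not valid on the wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples (hypothetical values, documentation address range)
SPARSE = build(43, [(4, bytes([192, 0, 2, 10])), (31, b"00-11-22-33-44-55")])
FULLER = build(43, [(1, b"ap-01"), (4, bytes([192, 0, 2, 10])), (87, b"5"),
                    (31, b"00-11-22-33-44-55"), (55, struct.pack("!I", 1600000000))])
NAK = build(45, [(101, struct.pack("!I", 402))])

if __name__ == "__main__":
    print(only_in_second(SPARSE, FULLER), error_cause(NAK))
```

Attribute types not in the `ATTRS` table are reported as `Attr-<number>`, so vendor-specific or unlisted attributes still show up in the comparison.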