Wired Intelligent Edge

  • 1.  Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Mar 20, 2019 01:46 PM

    Hi Created,

     

    This guide below is how to set up DACL's and how to dynamically assign a vlan to a device connecting to the network.

     



  • 2.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Feb 23, 2023 06:54 PM

    Is there a way to do a reassign of the DACL? If, for example, on the Cisco ISE for that user I need to assign him a new ACL, can I do that with the COA?

    Or is this not possible at all?




  • 3.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Feb 27, 2023 06:36 AM

    What you normally would do is trigger a 'Terminate Session', where the switch will do a new authentication for the user/device and you can then return the new role/DACL as part of your policy/enforcement.

    I'm not sure if ISE supports DACL for Aruba switches, but you may fall back to user roles and return a local user role.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Feb 27, 2023 10:13 AM

    Hi Herman,

    Yes, I have configured DACL from ISE to Aruba switches and it's working perfectly, but I need to make changes to the DACL and I haven't figured out how to do that (using VSA 92 standard, by the way). If you need the config, just let me do a session with the client to take screenshots of ISE and the config of the switch (the hardest part was sending the client IP address to ISE).

    With the COA 'Terminate Session', if you have experience with Cisco ISE, could you show me how that configuration of the terminate session goes? I haven't got that part; I still have doubts about that configuration.

    Regards,

    Gerardo Andree Mejia 




  • 5.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Feb 28, 2023 01:17 AM

    You can initially deploy a user role with a policy, and then assign a different user role with a different policy based on your requirement using reauthentication CoA, as below



    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 6.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Feb 28, 2023 10:46 AM

    So I can add the:

    92

    NAC-Default-ACL

    and send that information on the reauthenticate for the Aruba switches, right?

    I think I'm getting it, so what you do in the definition on the ISE is define the VSA that I'm going to send to the switch, right?

    Thanks for the help, by the way.




  • 7.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Mar 02, 2023 12:29 AM

    Yes, we could send NAS-Filter-Rule via CoA.



    ------------------------------
    Shobana
    Aruba
    ------------------------------



  • 8.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Mar 10, 2023 09:45 AM

    Hi Shobana, 

    I had a problem with the COA re-authenticate.

    This is the configuration I put on the ISE profile and I still got no response from the switch.

    Do you see anything bad in there?

    I am going to add the config of the switch; I don't know if maybe there's something else that needs to be done.

    Thanks for the help.




  • 9.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Mar 13, 2023 12:16 AM

    You have to enable this CLI for radius dyn authorization 

    radius dyn-authorization enable
    radius dyn-authorization client {<IPV4> | <IPV6> | <HOSTNAME>}
        [secret-key [plaintext <PASSKEY> | ciphertext <PASSKEY>]]
        [time-window <WIDTH>] [replay-protection {enable|disable}]

    More details here - 

    https://www.arubanetworks.com/techdocs/AOS-CX/10.08/HTML/security_6200-6300-6400/Content/Chp_RAD_dyn_auth/RAD_dyn_auth_cmds/rad-dyn-aut-com-fl-10.htm



    ------------------------------
    Shobana
    Aruba
    ------------------------------
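
Added example, not part of the thread and not Aruba or Cisco code: a model of the checks RFC 5176 defines for an incoming CoA-Request, which is what the `secret-key`, `time-window` and `replay-protection` options above govern, and a way to reason about a CoA that gets no response. The shared secret, timestamp and NAS-Filter-Rule (attribute 92) value are constructed, and the 300-second window is the RFC's suggested default, assumed here.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 CoA-Request code
EVENT_TIMESTAMP = 55      # RFC 2869 attribute: 4-byte seconds since epoch
NAS_FILTER_RULE = 92      # RFC 4849 attribute (the "92" discussed in the thread)

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value   # type, length, value

def build_coa(ident, secret, attrs):
    """Authenticator = MD5(code+id+length + 16 zero bytes + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_attrs(data):
    """Yield (type, value) pairs from the attribute section."""
    i = 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + alen]
        i += alen

def check_coa(packet, secret, now, window=300):
    """Return 'accept' or why a receiver with replay protection on drops it."""
    if len(packet) < 20 or packet[0] != COA_REQUEST \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "drop: not a well-formed CoA-Request"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "drop: authenticator mismatch (wrong shared secret)"
    stamps = [v for t, v in parse_attrs(packet[20:]) if t == EVENT_TIMESTAMP]
    if not stamps or len(stamps[0]) != 4:
        return "drop: no Event-Timestamp for replay protection"
    if abs(now - struct.unpack("!I", stamps[0])[0]) > window:
        return "drop: Event-Timestamp outside time window"
    return "accept"

# Constructed sample values: the secret, clock and filter rule are made up.
SECRET, NOW = b"example-secret", 1_700_000_000
RULE = attr(NAS_FILTER_RULE, b"permit in ip from any to 10.0.0.0/8")
GOOD = build_coa(1, SECRET, [attr(EVENT_TIMESTAMP, struct.pack("!I", NOW)), RULE])
STALE = build_coa(2, SECRET, [attr(EVENT_TIMESTAMP, struct.pack("!I", NOW - 900)), RULE])
```

Both drop cases are silent on the wire, so a secret mismatch or clock skew between the RADIUS server and the switch looks the same as the switch not listening for CoA at all.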



  • 10.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

    Posted Mar 13, 2023 04:25 PM
    Edited by vivarock12 Mar 14, 2023 01:59 AM

    Does this apply to version 16.11 for AOS-S?