Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP 305 and 505 integration with Cisco ISE

  • 1.  IAP 305 and 505 integration with Cisco ISE

    Posted Nov 27, 2023 06:28 AM

    Hi, good morning.

    We have integrated IAPs 305 and 505 with Cisco ISE and the authentication works fine, but we have detected some problems that we would like to solve, like CoA, etc. We believe this is because IAPs use RFC 3576 and we would have to configure Cisco ISE to detect these devices as such. That is why we would like you to provide us with the attributes that need to be configured for both systems to understand each other. This is what we need to fill in:

    The problem we are having is that, for example, we can't launch CoA from the ISE, we also don't see the status of the machine (if it is connected), and then we are having problems with Posture policies (AntiMalware check and other EndPoints security policies). Please could you help us to complete this profile for the correct integration of IAPs with ISE? Cisco provided us with the following profile, which did not work for us:


    Any suggestion?

    Thanks in advance.

    Javier Palomo.




  • 2.  RE: IAP 305 and 505 integration with Cisco ISE

    Posted Nov 28, 2023 08:27 AM

    What specifically isn't working? Keep in mind ISE default CoA port is UDP/1700. The IAPs default to UDP/3799, so make sure your CoA ports match first. What NAD profile are you using on ISE?

    https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-ise-captive-portals-with-aruba-wireless/ta-p/4633904
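The port mismatch described in this reply is the first thing a Dynamic Authorization exchange can fail on, but once the packet arrives the NAD also validates the Request Authenticator with the shared secret and then has to find a session matching the attributes in the packet. The following Python is an added example, not code from this thread, from HPE Aruba or from Cisco: it builds and verifies RFC 5176 (the successor of RFC 3576) Disconnect-Request / CoA-Request packets and their ACK/NAK responses the way a NAD or NAC server would, including a NAK carrying Error-Cause 503 (Session Context Not Found), which is the RFC's answer when no session matches. The shared secret, packet identifier, user name, MAC and session id are constructed values; the port constants repeat the numbers mentioned in the thread.

```python
"""RFC 5176 Dynamic Authorization (CoA / Disconnect) packet helpers.

Added example for the thread above; not HPE Aruba or Cisco code.
"""
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attributes a server uses to name the session it wants torn down
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value

# Ports named in the thread: RFC 5176 registers UDP/3799 for Dynamic
# Authorization; the reply above gives UDP/1700 as the Cisco ISE default.
RFC5176_PORT = 3799
ISE_DEFAULT_COA_PORT = 1700


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs (type, length, value)."""
    out = bytearray()
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(body):
    """Decode RADIUS TLVs, rejecting truncated or overlapping attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(body[i + 2:i + alen])))
        i += alen
    return attrs


def build_request(code, identifier, secret, attrs):
    """Disconnect-Request or CoA-Request. RFC 5176 section 2.3:
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a Dynamic Authorization request code")
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """What the NAD does on receipt: recompute the Request Authenticator."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, secret, attrs=()):
    """ACK or NAK for a request. Response Authenticator =
    MD5(Code+ID+Length+RequestAuthenticator+attrs+secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """What the server does with the reply: match the ID, check the authenticator."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return {"code": code, "id": ident, "attrs": decode_attrs(packet[20:length])}


def demo():
    """One round trip with constructed values: a request, an ACK, and the NAK a
    NAD returns when it holds no session for the named client."""
    secret = b"constructed-shared-secret"  # constructed, not a real secret
    attrs = [(ATTR_USER_NAME, "alice"),
             (ATTR_CALLING_STATION_ID, "00-11-22-33-44-55"),
             (ATTR_ACCT_SESSION_ID, "0000A1B2")]
    req = build_request(DISCONNECT_REQUEST, 7, secret, attrs)
    ack = build_response(DISCONNECT_ACK, req, secret)
    nak = build_response(DISCONNECT_NAK, req, secret,
                         [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))])
    return {"secret": secret, "request": req, "ack": ack, "nak": nak}


if __name__ == "__main__":
    d = demo()
    print(parse_packet(d["request"]), verify_response(d["ack"], d["request"], d["secret"]))
```

If the NAD replies with a NAK and Error-Cause 503, the packet reached the right port and the secret matched; the remaining question is why the NAD has no session for the attributes the server sent, which is the same symptom as a client the server believes is disconnected.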




  • 3.  RE: IAP 305 and 505 integration with Cisco ISE

    Posted Nov 30, 2023 10:43 AM

    Hi.

    Thank you for your answer, @ahollifield.

    Sending a CoA deauthentication is not working. We have an 802.1X EAP-TLS SSID for employees. The authentication is performed by ISE and it works fine.

    They can connect and authenticate, but on the ISE dashboard most of our clients appear disconnected and some of them as connected:

    But we can't send them a CoA because most of them appear as disconnected and we get an error:

    and when they appear as connected, ISE shows us this warning:

    We have changed the CoA port in the Aruba IAP VCs to 1700 and 3799 (I think that the default port in IAP VCs without controllers is 5999). We don't use MM or controllers.

    Also we have changed the CoA port on ISE to 3799 and 5999, but we always get the same errors.

    This is our NAD configuration:

    We tried changing the RFC but it doesn't work.

    Thanks.




  • 4.  RE: IAP 305 and 505 integration with Cisco ISE

    Posted Nov 30, 2023 10:51 AM
    Did you see the link I shared? That includes a vastly updated NAD profile vs the built in “Aruba Wireless” one that comes with ISE. I would upload that and configure your IAPs using that NAD profile instead.