Hi, good morning.
We have integrated IAPs 305 and 505 with Cisco ISE and the authentication works fine, but we have detected some problems that we would like to solve, like CoA, etc. We believe this is because IAPs use RFC-3576 and we would have to configure Cisco ISE to detect these devices as such. That is why we would like you to provide us with the attributes that need to be configured for both systems to understand each other. This is what we need to fill in:
The problem we are having is that, for example, we can't launch CoA from the ISE, we also don't see the status of the machine (if it is connected) and then we are having problems with Posture policies (AntiMalware check and other EndPoints security policies). Please could you help us to complete this profile for the correct integration of IAPs with ISE? Cisco provided us with the following profile which did not work for us:
Thanks in advance.
What specifically isn't working? Keep in mind ISE default CoA port is UDP/1700. The IAPs default to UDP/3799 so make sure your CoA ports match first. What NAD profile are you using on ISE?
Thank you for your answer, @ahollifield.
Sending a CoA deauthentication is not working. We have an 802.1X EAP-TLS SSID for employees. The authentication is performed by ISE and it works fine.
They can connect and authenticate, but on the ISE dashboard most of our clients appear as disconnected and some of them as connected:
But we can't send them a CoA because most of them appear as disconnected and we get an error:
and when they appear as connected, ISE shows us this warning:
We have changed the CoA port in the Aruba IAP VCs to 1700 and 3799 (I think that the default port in IAP VCs without controllers is 5999). We don't use MM or controllers.
We have also changed the CoA port on ISE to 3799 and 5999, but we always get the same errors.
This is our NAD configuration:
We tried changing the RFC but it doesn't work.
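For reading a packet capture taken on the CoA port, the following added example (not part of any post in this thread and not Aruba or Cisco code) builds and decodes RFC 3576 Disconnect/CoA packets and checks the authenticator against the shared secret. The secret, MAC address and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = 101  # Error-Cause attribute, carries a 4-byte integer

def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, header included), Value.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_packet(code, ident, attrs, secret, request_auth=None):
    # A request hashes 16 zero octets in the authenticator field; a reply
    # hashes the authenticator of the request it answers.
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = request_auth if request_auth is not None else bytes(16)
    return header + hashlib.md5(header + seed + body + secret).digest() + body

def inspect_packet(data, secret, request_auth=None):
    # Decode one captured packet and verify it with the shared secret.
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    auth, body = data[4:20], data[20:length]
    seed = request_auth if request_auth is not None else bytes(16)
    expected = hashlib.md5(data[:4] + seed + body + secret).digest()
    error_cause, pos = None, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE and alen == 6:
            error_cause = struct.unpack("!I", body[pos + 2:pos + 6])[0]
        pos += alen
    return {"code": CODES.get(code, "code %d" % code), "id": ident,
            "authenticator_ok": hmac.compare_digest(auth, expected),
            "error_cause": error_cause}

# Constructed sample data: attribute 31 is Calling-Station-Id, and
# Error-Cause 503 means "Session Context Not Found".
SECRET = b"example-secret"
REQUEST = build_packet(40, 7, [(31, b"AA-BB-CC-DD-EE-FF")], SECRET)
REPLY_NAK = build_packet(42, 7, [(ERROR_CAUSE, struct.pack("!I", 503))],
                         SECRET, REQUEST[4:20])
```

An `authenticator_ok` of `False` on a captured request means the secret used for the check differs from the one the sender used, and a NAK's `error_cause` is the NAD's stated reason for refusing the request.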