Controllerless Networks


IAP Integration with ISE

  • 1.  IAP Integration with ISE

    Posted Jun 07, 2017 07:43 AM

    Hi Guys,

     

    I am stuck on something that is beyond my head now. I have a simple lab setup with:

    - Aruba IAP 115 running Version 6.5.3.0

    - Cisco 3750 switch running IOS 12.2(55)SE11 (also configured as DHCP server)

    - CPPM on version 6.6.0.81015 (Integrated with AD)

    - Cisco ISE on version 2.3.x (Integrated with AD)

    - Microsoft AD based on Server 2012


    IAP has been configured with Corporate SSID (802.1x). Intention is to have a policy if a user belongs to AD group "Normal", he will be assigned a user role normal_user/VLAN 50 and if the user belongs to AD group "VIP", he will be assigned the role vip_user/VLAN30.


    This is working as anticipated if I integrate ClearPass with IAP. Users get proper role and VLAN based on group membership.


    For some odd reason this is not working if I integrate IAP with ISE.
    I can see the user being authenticated successfully. ISE is passing the proper VLAN and user role back to the IAP.

    The client disconnects as soon as authentication completes. On the IAP, I can see the user session with the proper role. But for some strange reason, the client disconnects as soon as authentication completes.

    I would rule out IAP config or a client issue, as the same setup works perfectly fine if I use CPPM as the authentication server instead of ISE.

    Any thoughts?

     

    Below are outputs for IAP and ISE:

     

    *********************************************************************************************************
     6/7/2017 21:48:17 PM    Target: Jibran-Test-IAP    Command: show clients 
    *********************************************************************************************************
    
    Client List
    -----------
    Name  IP Address  MAC Address        OS  ESSID      Access Point     Channel  Type  Role         IPv6 Address  Signal   Speed (mbps)
    ----  ----------  -----------        --  -----      ------------     -------  ----  ----         ------------  ------   ------------
          0.0.0.0    14:a5:1a:0e:c4:78      Corporate  Jibran-Test-IAP  11       GN    vip_user     --            0(poor)  0(poor)
          0.0.0.0     ec:9b:f3:3e:ee:aa      Corporate  Jibran-Test-IAP  11       GN    normal_user  --            0(poor)  0(poor)
    Number of Clients   :2
    Info timestamp      :342088

     

     

    12304 Extracted EAP-Response containing PEAP challenge-response
    11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041 Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Source - Jibran-AD
    24430 Authenticating user against Active Directory - Jibran-AD
    24325 Resolving identity - vip_user
    24313 Search for matching accounts at join point - jibran.local
    24319 Single matching account found in forest - jibran.local
    24323 Identity resolution detected single matching account
    24343 RPC Logon request succeeded - vip_user@jibran.local
    24402 User authentication against Active Directory succeeded - Jibran-AD
    22037 Authentication Passed
    11824 EAP-MSCHAP authentication attempt passed
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814 Inner EAP-MSCHAP authentication succeeded
    11519 Prepared EAP-Success for inner EAP method
    12314 PEAP inner method finished successfully
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    24423 ISE has not been able to confirm previous successful machine authentication
    15036 Evaluating Authorization Policy
    24432 Looking up user in Active Directory - Jibran-AD
    24355 LDAP fetch succeeded - jibran.local
    24416 User's Groups retrieval from Active Directory succeeded - Jibran-AD
    24355 LDAP fetch succeeded - jibran.local
    24420 User's Attributes retrieval from Active Directory succeeded - Jibran-AD
    15048 Queried PIP - Jibran-AD.ExternalGroups
    15004 Matched rule - Aruba Vip User
    15016 Selected Authorization Profile - aruba_vip_user,PermitAccess
    15016 Selected Authorization Profile - aruba_vip_user,PermitAccess
    12306 PEAP authentication succeeded
    11503 Prepared EAP-Success
    11002 Returned RADIUS Access-Accept


  • 2.  RE: IAP Integration with ISE

    EMPLOYEE
    Posted Jun 07, 2017 07:55 AM
    What radius attributes are you returning to set the role and VLAN?

    Also you should manually disconnect the IAP user after you make each change on the ISE side to ensure that old settings are not being reused...
    http://community.arubanetworks.com/t5/Controllerless-Networks/How-to-force-disconnect-a-client-in-Aruba-Central/td-p/294466


  • 3.  RE: IAP Integration with ISE

    Posted Jun 07, 2017 08:08 AM

    Hi Colin,

     

    Yes I have tried manually disconnecting the user but result remains the same.

     

    The attributes I am returning are Aruba-User-Role and Aruba-User-Vlan:

     

    For Normal User:

    Access Type = ACCESS_ACCEPT
    Aruba-User-Role = normal_user
    Aruba-User-Vlan = 50

     

    For VIP User:

    Access Type = ACCESS_ACCEPT
    Aruba-User-Role = vip_user
    Aruba-User-Vlan = 30

     



  • 4.  RE: IAP Integration with ISE

    Posted Jun 07, 2017 08:10 AM

    Returning the same attributes via CPPM works fine:

    Radius:Aruba:Aruba-User-Role = normal_user
    Radius:Aruba:Aruba-User-Vlan = 50

    Radius:Aruba:Aruba-User-Role = vip_user
    Radius:Aruba:Aruba-User-Vlan = 30


  • 5.  RE: IAP Integration with ISE

    EMPLOYEE
    Posted Jun 07, 2017 08:20 AM


  • 6.  RE: IAP Integration with ISE

    Posted Jun 07, 2017 08:30 AM

    Hi Colin,

     

    Could not find anything unusual except name=null.

     

    Please find attached.

    Attachment: Logs.txt (29 KB)


  • 7.  RE: IAP Integration with ISE

    EMPLOYEE
    Posted Jun 07, 2017 08:37 AM
    What is the Mac address of the client?


  • 8.  RE: IAP Integration with ISE

    Posted Jun 07, 2017 08:41 AM

    It's 14:a5:1a:0e:c4:78



  • 9.  RE: IAP Integration with ISE

    EMPLOYEE
    Posted Jun 07, 2017 08:50 AM

    It says that your radius server is rejecting the client:

     

    Jun  7 22:17:44  stm[2633]: <132207> <ERRS> |AP Jibran-Test-IAP@20.0.0.4 stm|  RADIUS reject for station normal_user 14:a5:1a:0e:c4:78 from server CiscoISE.
    Jun  7 22:17:44  stm[2633]: <132053> <ERRS> |AP Jibran-Test-IAP@20.0.0.4 stm|  Dropping the radius packet for Station 14:a5:1a:0e:c4:78 18:64:72:9c:ce:31 doing 802.1x
    Jun  7 22:17:44  cli[2608]: <541003> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  Client 14:a5:1a:0e:c4:78 is failed to authenticate, failure count is 1.
    Jun  7 22:17:46  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'


  • 10.  RE: IAP Integration with ISE

    Posted Jun 07, 2017 09:10 AM

    Maybe that is a typo while entering the password. I cannot see the same error on subsequent attempts. Please refer to the logs after manually disconnecting the user @ 23:05:38:



    *********************************************************************************************************
     6/7/2017 23:06:18 PM    Target: Jibran-Test-IAP    Command: show log debug
    *********************************************************************************************************

    Jun  7 22:51:42  stm[2633]: __HIGHER_PRECEDENCE_COMPARE: 1110: matched_rule_index=30008, sap_sta->acl_rule_index=0, precedence_result=1
    Jun  7 22:51:42  stm[2633]: stm_send_sta_update: Sending sta update msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 22:51:42  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_stm_sta_update: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:31 essid-Corporate.
    Jun  7 22:51:42  stm[2633]: stm_start_acct_for_post_1xauth_user: 18218: ip not ready for sta '14:a5:1a:0e:c4:78'
    Jun  7 22:51:42  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 22:51:42  stm[2633]: sap_sta_mac_ppsk_timer_start: 17521: mac ppsk timer start
    Jun  7 22:51:42  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 22:51:42  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_sta_offline: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:31 essid-Corporate.
    Jun  7 22:51:42  sapd[2627]: sapd_proc_stm_reset_key: Got STM Reset key bss=18:64:72:9c:ce:31 mac=14:a5:1a:0e:c4:78, idx=0
    Jun  7 22:52:00  syslog: main, 2755: opcode is show
    Jun  7 22:52:03  mini_httpd[10298]: handle_request: 2296: SSL_accept fail, child exit after 0 requests error state on socket
    Jun  7 22:52:03  mini_httpd[10299]: handle_request: 2296: SSL_accept fail, child exit after 0 requests error state on socket
    Jun  7 22:52:05  syslog: main, 2755: opcode is show
    Jun  7 22:52:15  syslog: main, 2755: opcode is support
    Jun  7 22:52:15  syslog: process_msg_ref: 22: got msg_ref of len 9750 and body '/tmp/.cli_msg_66Sjmd'
    Jun  7 22:52:15  syslog: process_msg_ref: 47: opening '/tmp/.cli_msg_66Sjmd'
    Jun  7 22:52:15  syslog: process_msg_ref: 52: reading large msg
    Jun  7 22:52:15  syslog: process_msg_ref: 55: read large msg of 9749 bytes
    Jun  7 22:52:30  syslog: main, 2755: opcode is show
    Jun  7 22:53:16  rngd: read=768 bytes_read=0 size=2500
    Jun  7 22:53:30  syslog: main, 2755: opcode is show
    Jun  7 22:53:47  awc[2605]: isc_init: could not resolve 'device.arubanetworks.com'
    Jun  7 22:53:47  awc[2605]: isc_init failed
    Jun  7 22:54:00  syslog: main, 2755: opcode is show
    Jun  7 22:54:21  rngd: read=768 bytes_read=768 size=2500
    Jun  7 22:54:30  syslog: main, 2755: opcode is show
    Jun  7 22:54:32  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_sta_online: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:21 essid-Corporate.
    Jun  7 22:54:32  stm[2633]: recv_radius_acct_multi_session_id: 18172: got mac='14:a5:1a:0e:c4:78', name='(null)', start_time='1496839142 (Wed Jun  7 22:39:02 2017 )'
    Jun  7 22:54:32  sapd[2627]: sapd_proc_stm_reset_key: Got STM Reset key bss=18:64:72:9c:ce:21 mac=14:a5:1a:0e:c4:78, idx=0
    Jun  7 22:54:32  sapd[2627]: <127038> <WARN> |AP Jibran-Test-IAP@20.0.0.4 sapd| |ids-ap| AP(18:64:72:9c:ce:20): Cleared Station Associated to Rogue AP: An AP is no longer detecting a client 14:a5:1a:0e:c4:78 associated to a rogue access point (BSSID 88:a6:c6:98:dc:c8 and SSID Cisco on CHANNEL 1).
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 22:54:32  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 22:54:32  stm[2633]: __HIGHER_PRECEDENCE_COMPARE: 1110: matched_rule_index=30008, sap_sta->acl_rule_index=0, precedence_result=1
    Jun  7 22:54:32  stm[2633]: stm_send_sta_update: Sending sta update msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 22:54:32  stm[2633]: stm_start_acct_for_post_1xauth_user: 18218: ip not ready for sta '14:a5:1a:0e:c4:78'
    Jun  7 22:54:32  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_stm_sta_update: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:21 essid-Corporate.
    Jun  7 22:54:32  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 22:54:32  stm[2633]: sap_sta_mac_ppsk_timer_start: 17521: mac ppsk timer start
    Jun  7 22:54:32  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 22:54:32  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_sta_offline: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:21 essid-Corporate.
    Jun  7 22:54:32  sapd[2627]: sapd_proc_stm_reset_key: Got STM Reset key bss=18:64:72:9c:ce:21 mac=14:a5:1a:0e:c4:78, idx=0
    Jun  7 22:54:59  syslog: main, 2755: opcode is show
    Jun  7 22:55:26  rngd: read=768 bytes_read=1536 size=2500
    Jun  7 22:55:29  syslog: main, 2755: opcode is show
    Jun  7 22:56:29  syslog: main, 2755: opcode is show
    Jun  7 22:56:31  rngd: read=768 bytes_read=2304 size=2500
    Jun  7 22:56:31  rngd: 3072 bytes read from TPM
    Jun  7 22:56:59  syslog: main, 2755: opcode is show
    Jun  7 22:57:29  syslog: main, 2755: opcode is show
    Jun  7 22:58:53  awc[2605]: isc_init: could not resolve 'device.arubanetworks.com'
    Jun  7 22:58:53  awc[2605]: isc_init failed
    Jun  7 22:59:00  syslog: main, 2755: opcode is show
    Jun  7 23:00:00  syslog: main, 2755: opcode is show
    Jun  7 23:01:30  syslog: main, 2755: opcode is show
    Jun  7 23:03:00  syslog: main, 2755: opcode is show
    Jun  7 23:03:55  awc[2605]: isc_init: could not resolve 'device.arubanetworks.com'
    Jun  7 23:03:55  awc[2605]: isc_init failed
    Jun  7 23:04:00  syslog: main, 2755: opcode is show
    Jun  7 23:05:00  syslog: main, 2755: opcode is show
    Jun  7 23:05:33  mini_httpd[11874]: handle_request: 2296: SSL_accept fail, child exit after 0 requests error state on socket
    Jun  7 23:05:34  mini_httpd[11875]: handle_request: 2296: SSL_accept fail, child exit after 0 requests error state on socket
    Jun  7 23:05:35  syslog: main, 2755: opcode is show
    Jun  7 23:05:38  syslog: main, 2755: opcode is action
    Jun  7 23:05:38  cli[2608]: <341101> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  Execute command-disconnect-user mac 14:a5:1a:0e:c4:78.
    Jun  7 23:05:38  cli[2608]: <541023> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  disconnect_user,20713: del client 14:a5:1a:0e:c4:78, client count 0.
    Jun  7 23:05:38  cli[2608]: <541026> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  disconnect_user: send disconnect user, AP ip: 20.0.0.4, client ip 30.0.0.7.
    Jun  7 23:05:38  stm[2633]: handle_disconnect_user: 10055: Cannot find sta infor for sta '14:a5:1a:0e:c4:78'
    Jun  7 23:05:39  syslog: main, 2755: opcode is show
    Jun  7 23:05:44  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_sta_online: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:31 essid-Corporate.
    a_online,1246: add client 14:a5:1a:0e:c4:78, client count 1.
    Jun  7 23:05:44  stm[2633]: recv_radius_acct_multi_session_id: 18172: got mac='14:a5:1a:0e:c4:78', name='(null)', start_time='1496840743 (Wed Jun  7 23:05:43 2017 )'
    Jun  7 23:05:44  sapd[2627]: sapd_proc_stm_reset_key: Got STM Reset key bss=18:64:72:9c:ce:31 mac=14:a5:1a:0e:c4:78, idx=0
    Jun  7 23:05:44  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:44  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:48  mini_httpd[11912]: handle_request: 2296: SSL_accept fail, child exit after 0 requests error state on socket
    Jun  7 23:05:49  mini_httpd[11913]: handle_request: 2296: SSL_accept fail, child exit after 0 requests error state on socket
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID Type is (0)
    Jun  7 23:05:49  stm[2633]: iap_fmt_called_station_id: Called Station ID buffer is (186472c1cce2)
    Jun  7 23:05:49  stm[2633]: __HIGHER_PRECEDENCE_COMPARE: 1110: matched_rule_index=30008, sap_sta->acl_rule_index=0, precedence_result=1
    Jun  7 23:05:49  stm[2633]: stm_send_sta_update: Sending sta update msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 23:05:49  stm[2633]: stm_start_acct_for_post_1xauth_user: 18218: ip not ready for sta '14:a5:1a:0e:c4:78'
    Jun  7 23:05:49  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_stm_sta_update: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:31 essid-Corporate.
    Jun  7 23:05:49  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 23:05:49  stm[2633]: sap_sta_mac_ppsk_timer_start: 17521: mac ppsk timer start
    Jun  7 23:05:49  stm[2633]: stm_send_sta_offline: Sending sta offline msg to CLI0, mac='14:a5:1a:0e:c4:78'
    Jun  7 23:05:49  cli[2608]: <541004> <WARN> |AP Jibran-Test-IAP@20.0.0.4 cli|  recv_sta_offline: receive station msg, mac-14:a5:1a:0e:c4:78 bssid-18:64:72:9c:ce:31 essid-Corporate.
    Jun  7 23:05:49  sapd[2627]: sapd_proc_stm_reset_key: Got STM Reset key bss=18:64:72:9c:ce:31 mac=14:a5:1a:0e:c4:78, idx=0
    Jun  7 23:05:53  syslog: main, 2755: opcode is show
    Jun  7 23:06:17  syslog: main, 2755: opcode is support
    Jun  7 23:06:17  syslog: main, 2755: opcode is support

     

     



  • 11.  RE: IAP Integration with ISE

    EMPLOYEE
    Posted Jun 07, 2017 09:59 AM

    That log is inconclusive.  Did you try to just send back an accept without the radius attributes? (start small)..



  • 12.  RE: IAP Integration with ISE

    Posted Jun 07, 2017 10:02 AM

    Yes I tried.. Same result.



  • 13.  RE: IAP Integration with ISE

    EMPLOYEE
    Posted Jun 07, 2017 10:16 AM

    I would do a pcap between the IAP and the ISE server of the radius packets to see what is being passed back and forth...



  • 14.  RE: IAP Integration with ISE

    Posted Jun 08, 2017 08:54 AM

    Hi Colin,

    I have done the packet capture and it looks like the IAP is receiving the Access-Accept message with the correct attributes. Also attached the PCAP file if you can go through it. ISE IP address is 192.168.0.205 & IAP is 20.0.0.4

    Frame 585: 395 bytes on wire (3160 bits), 395 bytes captured (3160 bits)
    Ethernet II, Src: Vmware_0d:4f:fd (00:0c:29:0d:4f:fd), Dst: CiscoInc_04:52:c0 (30:37:a6:04:52:c0)
    Internet Protocol Version 4, Src: 192.168.0.205, Dst: 20.0.0.4
    User Datagram Protocol, Src Port: 1812, Dst Port: 49566
    RADIUS Protocol
        Code: Access-Accept (2)
        Packet identifier: 0x81 (129)
        Length: 353
        Authenticator: 8751b2479ac9dcb4ce07ae88ed015d28
        [This is a response to a request in frame 584]
        [Time from request: 0.015640000 seconds]
        Attribute Value Pairs
            AVP: l=10 t=User-Name(1): vip_user
            AVP: l=67 t=State(24): 52656175746853657373696f6e3a63306138303063645274...
            AVP: l=88 t=Class(25): 434143533a63306138303063645274767770386556675f64...
            AVP: l=6 t=EAP-Message(79) Last Segment[1]
            AVP: l=18 t=Message-Authenticator(80): c11d6eb4c5e508372dbad472440f3b0d
            AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
            AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
            AVP: l=12 t=Vendor-Specific(26) v=Aruba Networks Inc(14823)
                AVP Type: 26
                AVP Length: 12
                VSA: l=6 t=Aruba-User-Vlan(2): 30
                    Aruba-User-Vlan: 30
            AVP: l=16 t=Vendor-Specific(26) v=Aruba Networks Inc(14823)
                AVP Type: 26
                AVP Length: 16
                VSA: l=10 t=Aruba-User-Role(1): vip_user
                    Aruba-User-Role: vip_user

     

     

    Uploaded PCAP file at below link:

    http://s000.tinyupload.com/?file_id=01020657595839532534
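To confirm what the IAP actually receives on the wire, the following is an added Python example (not code from this thread, nor from Aruba or Cisco): it builds a RADIUS Access-Accept carrying the same Aruba VSAs as frame 585 above and parses them back out, checking the length fields the way a decoder must. The identifier 0x81, User-Name, vendor id 14823 and the VSA values come from the capture; the 16-byte authenticator is a constructed zero placeholder.

```python
import struct

# Constants taken from the Wireshark decode of frame 585
ARUBA_VENDOR_ID = 14823                      # "Aruba Networks Inc(14823)"
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan"}
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26

def build_avp(avp_type, value):
    """Encode one RADIUS attribute as type(1) | length(1) | value."""
    return struct.pack("!BB", avp_type, len(value) + 2) + value

def build_aruba_vsa(vsa_type, value):
    """Wrap one Aruba sub-attribute inside a Vendor-Specific(26) AVP."""
    inner = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return build_avp(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)

def build_access_accept(identifier, authenticator, avps):
    """Assemble code(1) | id(1) | length(2) | authenticator(16) | AVPs."""
    body = b"".join(avps)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + authenticator + body

def parse_radius(packet):
    """Return (code, id, authenticator, [(type, value), ...]) or raise on a bad packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, packet[4:20], attrs

def extract_aruba_vsas(attrs):
    """Return {name: value} for every Aruba sub-attribute found in Vendor-Specific AVPs."""
    result = {}
    for t, value in attrs:
        if t != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vt, vl = value[pos], value[pos + 1]
            if vl < 2 or pos + vl > len(value):
                raise ValueError("malformed VSA")
            data = value[pos + 2:pos + vl]
            name = ARUBA_VSA_NAMES.get(vt, f"Aruba-VSA-{vt}")
            # Aruba-User-Vlan is a 4-byte integer; Aruba-User-Role is a string
            result[name] = struct.unpack("!I", data)[0] if vt == 2 else data.decode("ascii")
            pos += vl
    return result

def sample_access_accept():
    """Constructed packet mirroring frame 585 above (authenticator is a placeholder)."""
    return build_access_accept(0x81, b"\x00" * 16, [
        build_avp(1, b"vip_user"),                          # User-Name(1)
        build_aruba_vsa(2, struct.pack("!I", 30)),          # Aruba-User-Vlan(2) = 30
        build_aruba_vsa(1, b"vip_user"),                    # Aruba-User-Role(1)
    ])

def decode_sample():
    code, _, _, attrs = parse_radius(sample_access_accept())
    return code, extract_aruba_vsas(attrs)
```

The two Vendor-Specific AVPs come out at 12 and 16 bytes, matching the "AVP Length" values Wireshark reported, so a decoder that reads them as above sees exactly VLAN 30 and role vip_user.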



  • 15.  RE: IAP Integration with ISE

    Posted Jun 08, 2017 09:11 AM

    Also, for the sake of troubleshooting, I kept everything unchanged except replacing ISE with CPPM as the RADIUS server on the IAP. As expected, everything worked well. CPPM IP address is 192.168.0.207. PCAP uploaded at the link below:

    http://s000.tinyupload.com/?file_id=73346906703880133266



  • 16.  RE: IAP Integration with ISE

    Posted Jun 10, 2017 06:10 AM

    Any clue guys?



  • 17.  RE: IAP Integration with ISE

    Posted Sep 12, 2017 04:16 AM

    Has this case already been resolved? Also do you have a step by step guide how to do this Cisco ISE and Aruba IAP integration? 



  • 18.  RE: IAP Integration with ISE