Occasional Contributor II

Aruba controller sending Framed IP Address information to Cisco ISE

Hi guys,

 

I have been digging around and have not found a definitive answer to this. I am working with a client using an Aruba infrastructure and ISE.

 

We have implemented a single SSID model (which is not recommended by Aruba) to achieve onboarding and EAP-TLS (certificate) connectivity.

 

The initial connection asks the user for their AD credentials and, once confirmed, they get redirected to the ISE captive portal, go through the onboarding process, generate a certificate and change the supplicant parameters to use EAP-TLS.

 

This is more to explain the setup, but the requirement is to have the controller send the IP information to ISE so that the IP can appear in the ISE logs, even prior to completing the Captive portal onboarding. At this point, although the process does complete and work, I have no IP visibility during the initial Captive portal process.

 

Is there a way to force the controller to send the Framed-IP-Address during the RADIUS request?

 

I can clearly see that the captive portal web redirect link has all the information (IP, MAC, AP profile, etc.), so if it is able to redirect to that link, that information should also be shared with ISE?

 

I can give more network details if required, but that is the gist of it. The reason for the request is 1) for the visibility/troubleshooting in the event of an issue, but more importantly 2) so that the ISE/Firepower are able to assign SGTs to the IP. That is Cisco proprietary and has no impact on the controller role or access. It is simply for the backend communication between a wired and wireless device. That is why the IP is required, even for the initial connection.

 

Please let me know if anyone else has been able to make this work or which option I can configure to achieve this goal.

 

Thanks for your help,

Guru Elite

Re: Aruba controller sending Framed IP Address information to Cisco ISE

The IP address is not available in the RADIUS request as the device does not yet have an IP address.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Aruba controller sending Framed IP Address information to Cisco ISE

Hi Tim,

 

Thanks for the quick response. That is what I was finding online, but I also found other information stating that a device can send a RADIUS update during the accounting phase which could include the Framed-IP-Address.

 

I know that today, under our ClearPass solution, we get the IP information from the DHCP fingerprinting using Option 55. I am looking at whether this is also possible under Cisco ISE to give our Engineering group the requested IP in the initial connection RADIUS logs.

 

Thanks,

Guru Elite

Re: Aruba controller sending Framed IP Address information to Cisco ISE

The IP address is sent in an interim update as soon as it is known.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Occasional Contributor II

Re: Aruba controller sending Framed IP Address information to Cisco ISE

Hi Tim,

 

After doing some Wireshark captures, we noticed that the controller was simply not sending the accounting packets to the ISE node for that logon role. This obviously pointed to the controller (or a misconfiguration), so after finding a website online explaining this exact issue and what caused it, we were able to fix it.

 

https://gshaw0.wordpress.com/2016/05/25/save-yourself-from-insanity-aruba-captive-portal-radius-accounting/

 

Under the role, in the miscellaneous configurations, the default option is to have "Captive Portal Check for Accounting" ticked on, which then only sends accounting information for a captive portal connection. Since this is a somewhat particular SSID that has an initial 802.1X connection prior to redirecting to the captive portal, this was completely blocking/ignoring the accounting packets.

 

Once the box was unticked, accounting packets are being sent and now our ISE logs properly show the IP address of the client.

 

Just wanted to update this post if someone else has a similar scenario and doesn't want to dig as long.

 

Thanks again for your help,

 

Ben
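Added example (not code from the thread, Aruba or Cisco): a small RFC 2866 accounting packet builder/parser in Python that illustrates both Tim's point that the Framed-IP-Address only shows up in an accounting Interim-Update once the client has an address, and Ben's troubleshooting step of checking whether accounting records for a session ever carried an IP at all. The shared secret, user name, MAC and IP address are constructed demo values; the parser also verifies the Request Authenticator so that a record with a wrong secret or a forged accounting packet is rejected rather than trusted for IP-to-identity mapping.

```python
"""Added example: build and parse RADIUS Accounting-Request packets (RFC 2866)
to show where Framed-IP-Address appears during a session. All values below
(secret, user, MAC, IP) are constructed for the demo, not taken from the thread."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS Code for Accounting-Request
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 8, 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
STATUS_NAMES = {ACCT_START: "Start", ACCT_STOP: "Stop", ACCT_INTERIM_UPDATE: "Interim-Update"}

SECRET = b"constructed-shared-secret"       # assumption: demo NAS <-> ISE shared secret


def encode_attrs(attrs):
    """Serialise a list of (type, value_bytes) into RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_acct_request(ident, attrs, secret=SECRET):
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(pkt, secret=SECRET):
    """Verify the authenticator and return (identifier, {type: [values]})."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("Request Authenticator mismatch: wrong secret or forged packet")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(body[i + 2:i + attr_len])
        i += attr_len
    return ident, attrs


def authenticator_ok(pkt, secret=SECRET):
    """True when the packet parses and its Request Authenticator verifies."""
    try:
        parse_acct_request(pkt, secret)
        return True
    except ValueError:
        return False


def acct_status(attrs):
    return struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE][0])[0]


def framed_ip(attrs):
    """Dotted-quad Framed-IP-Address, or None when the record carries none."""
    vals = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    return str(ipaddress.IPv4Address(vals[0])) if vals else None


def ip_visibility(packets, secret=SECRET):
    """For each accounting record of a session: (status name, IP or None)."""
    return [(STATUS_NAMES.get(acct_status(a), "?"), framed_ip(a))
            for _, a in (parse_acct_request(p, secret) for p in packets)]


def first_ip_record(packets, secret=SECRET):
    """Status of the first record carrying an IP; None if the controller never
    reported one (or never sent accounting at all, the 'check for accounting' case)."""
    for status, ip in ip_visibility(packets, secret):
        if ip:
            return status
    return None


def demo_session():
    """Constructed session: Start before DHCP (no IP), then Interim-Update with the IP."""
    common = [(ATTR_USER_NAME, b"jdoe@example.com"),           # constructed
              (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]  # constructed MAC
    start = build_acct_request(1, common + [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))])
    interim = build_acct_request(2, common + [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_INTERIM_UPDATE)),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed)])
    return [start, interim]


if __name__ == "__main__":
    for status, ip in ip_visibility(demo_session()):
        print(f"{status:15s} Framed-IP-Address={ip}")
```

Running it prints a Start record with no address and an Interim-Update carrying 10.20.30.40, which is the pattern to look for in a capture between the controller and ISE: if no Accounting-Request appears for the session at all, the problem is the controller side (as with the role setting Ben found), not the accounting server.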
