Cisco ISE Aruba Integration in 5 simple steps

This guide walks through configuring the Cisco ISE and Aruba integration: 802.1X client authentication with Cisco ISE posture, plus dynamic VLAN and role assignment from Cisco ISE for Aruba wireless clients.

The earlier post, a detailed Cisco ISE posture configuration guide, covers the posture-related configuration of Cisco ISE. In this post, we will focus on the Cisco ISE configuration related to Aruba and the configuration of the Aruba wireless controller for 802.1X, dynamic VLAN assignment, and role-based access.

Cisco ISE Aruba Integration – Overview

The configuration involves the below 6 steps:

  1. Create A Network device profile
  2. Add Network device
  3. Configure Authorization profile
  4. Configure Aruba wireless SSID, Role, and Captive portal configuration.
  5. Common troubleshooting checklist.
  6. Verification

Cisco ISE Aruba Integration – Network Device profile

Step 1> The most important step is to create a correct network device profile. The network device profile tells ISE which parameters to send to Aruba so that Aruba performs the desired actions. To create a network device profile, navigate to Administration > Network device profiles and click Add. The profile can also be imported. You can get the device profile used for this post from GitHub.

Add Network device profile

Ensure you select Aruba in the RADIUS Dictionaries. A summary of the profile is shown below: CoA is enabled and Dynamic URL redirection is supported.

network device profile details - 1

In the Change of Authorization (CoA) section, UDP port 3799 is used. We have selected Disconnect as an attribute for CoA.

network device profile details - CoA

Under the redirection section, we have selected Dynamic URL.

network device profile details -  redirect

Cisco ISE Aruba Integration – Add Network Device

Step 2> We need to add the Aruba IP address as a network device. Be sure to select the network device profile configured in step 1.

Added network device on ISE

Added network device on ISE  - 2

Cisco ISE Aruba Integration – Authorization Profile

Step 3> Configure two authorization profiles: one for posture-unknown and non-compliant devices, and another for posture-compliant devices.

Be sure to change the device profile. In the ACL field, we will type ISE-Posture.

Note: “ISE-Posture” is a profile to be configured on Aruba. It will be used for role-based access.

Cisco ISE authorization profile ACL

The web redirection setting produces a URL, as shown below, which needs to be configured on Aruba for user redirection.

Cisco ISE authorization profile web redirection

In the second authorization profile, we will send VLAN information to move the users to the desired VLAN.

Cisco ISE authorization profile permit access

Overall ISE authorization policies are configured as below:

ISE Authorization profile

Cisco ISE Aruba Integration – Aruba Configuration

Step 4> Configure the SSID on Aruba Central. The name of the SSID is ISE-POC.

Select dynamic VLAN under client VLAN assignment and, under VLAN assignment, add the desired VLAN for the SSID.

Cisco ISE Aruba integration - SSID configuration - VLAN

Cisco ISE Aruba integration - SSID configuration - VLAN assignment rules.

Select WPA2-Enterprise for the key management and define the RADIUS server.

Cisco ISE Aruba integration - SSID configuration - Security.

While configuring the RADIUS server, be sure to select dynamic authorization; this is required for CoA.

Aruba RADIUS Server

Under Access, select network-based. Once network-based access is selected, role-based access is created automatically, and the name of the role-based access will be equal to the name of the SSID.

Aruba SSID Access

Create an external captive portal that will be used for user redirection. Under the URL, paste the value from the ISE authorization profile created in step 3.

Aruba External Captive portal

Create a role-based access rule with two entries: the first with enforce captive portal and the second with allow to all destinations.

Aruba Roles for full access and for captive portal access

Cisco ISE Aruba Integration – Verification

Check the RADIUS Live Logs in Cisco ISE to ensure that the correct authorization policies are being hit and that CoA is successful.

ISE logs for posture

Cisco ISE Aruba Integration – Troubleshooting

The common problems we would see during the configuration are:

  1. CoA port UDP 3799 is not enabled from Cisco ISE towards the Aruba Access points.
  2. The network device profile is not configured properly, which leads to unexpected behavior on the Aruba end, whereas on ISE we will observe that authentication is successful.
  3. The configured user role name on ISE under the authorization profile does not match what is configured on the Aruba end.
  4. For dynamic VLAN assignment, ensure the port where the Access point is connected is a trunk port.
  5. If connectivity issues occur or the user machine does not get an IP address, change the SSID to a pre-shared key and confirm that users are getting the correct IP address and proper connectivity; it may not be an ISE issue.
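
For checklist items 3 and 4, the following added example (not part of the original post) parses a RADIUS Access-Accept and reports a role name or VLAN that Aruba does not have configured. It assumes ISE delivers the role in the Aruba-User-Role VSA and the VLAN in Tunnel-Private-Group-ID and that role names are compared case-sensitively; the function names and sample packets are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC, TUNNEL_PRIVATE_GROUP_ID = 26, 81   # standard RADIUS attribute types
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1         # Aruba enterprise number, role VSA

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_accept(role=None, vlan=None):
    """Constructed sample Access-Accept (code 2, zeroed authenticator), not a capture."""
    body = b""
    if role is not None:
        vsa = _attr(ARUBA_USER_ROLE, role.encode())
        body += _attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + vsa)
    if vlan is not None:
        body += _attr(64, b"\x00\x00\x00\x0d")   # Tunnel-Type = VLAN (13)
        body += _attr(65, b"\x00\x00\x00\x06")   # Tunnel-Medium-Type = IEEE-802 (6)
        body += _attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())
    return struct.pack("!BBH16s", 2, 1, 20 + len(body), bytes(16)) + body

def parse_accept(packet):
    """Return the role and VLAN carried in an Access-Accept."""
    length = len(packet)
    if length < 20 or packet[0] != 2 or struct.unpack("!H", packet[2:4])[0] != length:
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {"role": None, "vlan": None}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and sub_type == ARUBA_USER_ROLE:
                found["role"] = value[6:4 + sub_len].decode()
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte <= 0x1F is the optional tunnel tag, not part of the VLAN
            found["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        pos += alen
    return found

def check(packet, aruba_roles, ssid_vlans):
    """List mismatches between what ISE sent and what Aruba has configured."""
    got, problems = parse_accept(packet), []
    if got["role"] is not None and got["role"] not in aruba_roles:
        problems.append(f"role {got['role']!r} is not defined on Aruba")
    if got["vlan"] is not None and got["vlan"] not in ssid_vlans:
        problems.append(f"VLAN {got['vlan']} is not assigned on the SSID")
    return problems
```

Feed `check` the Access-Accept bytes from a packet capture on the RADIUS path, together with the role names defined on Aruba (here ISE-Posture and ISE-POC) and the VLANs added to the SSID.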

Feel free to comment on what issues you observed during the configuration. We will update the document accordingly.
