
Enable packet capture on the Aruba DMZ WLC.
(DMZANCHOR7210) [MDC] #packet-capture controlpath udp 1812,1813,3799,1700
(DMZANCHOR7210) [MDC] #packet-capture copy-to-flash controlpath-pcap

Copy the file from the Aruba WLC to the remote repository:
#copy flash: controlpath-pcap.tar.gz scp: 10.0.0.4 lab /home/lab/iphone-controlpath-pcap.tar.gz
Password:*********
Secure file copy:
Press 'q' to abort.
....
File uploaded successfully
Open the file with Wireshark.

For MAC 4A:22:75:04:9D:45, the successful flow is:
Initial MAB
The Aruba DMZ WLC (10.0.66.20) sent an “Access-Request” to Cisco ISE (10.0.77.37) in the DMZ:
User-Name = 4a2275049d45
Calling-Station-ID = 4A2275049D45

Cisco DMZ ISE (10.0.77.37) returns an “Access-Accept” to the Aruba WLC that contains the following:
- ONBOARDING-AND-GUEST-ROLE
- CWA redirect URL:
- https://dmzwireless.netprojekralac.com:8443/portal/gateway?…&action=cwa…
- This is the pre-auth role.

Verify the role on the Aruba DMZ WLC.

(DMZANCHOR7210) [MDC] #show user ip 10.0.78.31

User completes portal
After portal completion, Aruba sends another Access-Request for the same MAC:
4a2275049d45

ISE now returns:
User-Name = test79@localhost.com
Aruba-Role = 781-GUEST-ACCESS
Specifically:
RADIUS Code 2 (Access-Accept)
test79@localhost.com

CoA occurs
ISE sends:
CoA-Request (Code 40) to the DMZ Aruba:
10.0.77.37 -> 10.0.66.20
UDP 3799

Aruba replies:
CoA-ACK (Code 41), not a NAK.
This is critical: a working flow contains:
Code 40 = CoA Request
Code 41 = CoA ACK

The Aruba DMZ WLC reauthenticates
Immediately after the ACK, Aruba performs another Access-Request.

ISE responds:
test79@localhost.com
781-GUEST-ACCESS

Verify on the Aruba WLC

Working sequence
MAB
↓
ONBOARDING-AND-GUEST-ROLE
↓
Portal Redirect
↓
User Authenticates
↓
ISE sends CoA
↓
Aruba ACKs CoA
↓
Aruba reauthenticates endpoint
↓
ISE returns 781-GUEST-ACCESS
↓
Client receives guest access
The key artifacts of the successful flow are:
Pre-auth role:
ONBOARDING-AND-GUEST-ROLE
Post-auth role:
781-GUEST-ACCESS
CoA:
Code 40
CoA Response:
Code 41 (ACK)
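
The check below is an added example, not part of the original capture or of any Aruba/ISE tooling: it parses RADIUS packets and confirms that each request on the dynamic-authorization port was ACKed with the same identifier and then followed by a new Access-Request. The packets are constructed test data using the MAC and user name from the flow above (zeroed authenticators, identifiers chosen arbitrarily). RFC 5176 names codes 40/41/42 Disconnect-Request/ACK/NAK and 43/44/45 CoA-Request/ACK/NAK, so the checker accepts either pair.

```python
import struct

# Codes per RFC 2865 / RFC 5176; 40/41/42 are the Disconnect pair of the
# dynamic-authorization (CoA) extension that the capture shows on UDP 3799.
ACK, NAK = {40: 41, 43: 44}, {40: 42, 43: 45}

def build(code, ident, attrs=()):
    """Constructed test packet: zeroed authenticator, (type, value) attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Return (code, identifier, {attr_type: value}); reject malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field disagrees with packet size")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, attrs

def check_flow(packets):
    """Empty list = every dynamic-authorization request was ACKed and then
    followed by a new Access-Request; otherwise a list of findings."""
    seq = [parse(p)[:2] for p in packets]
    findings = []
    for n, (code, ident) in enumerate(seq):
        if code not in ACK:
            continue
        reply = next((k for k in range(n + 1, len(seq))
                      if seq[k] in ((ACK[code], ident), (NAK[code], ident))), None)
        if reply is None:
            findings.append(f"code {code} id {ident}: no reply")
        elif seq[reply][0] == NAK[code]:
            findings.append(f"code {code} id {ident}: NAK (code {NAK[code]})")
        elif not any(c == 1 for c, _ in seq[reply + 1:]):
            findings.append(f"code {code} id {ident}: ACKed but no reauthentication")
    return findings

MAC = [(1, b"4a2275049d45"), (31, b"4A2275049D45")]   # values from the capture
WORKING = [build(1, 10, MAC), build(2, 10), build(1, 11, MAC),
           build(2, 11, [(1, b"test79@localhost.com")]),
           build(40, 5, [(31, b"4A2275049D45")]), build(41, 5),
           build(1, 12, MAC), build(2, 12, [(1, b"test79@localhost.com")])]
```

Calling check_flow(WORKING) returns an empty list; swapping the code 41 packet for a code 42, or dropping the final Access-Request, produces a finding that names the failed step.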








