11/25/22, 6:23 PM
How To: Cisco ISE Captive Portals with Aruba Wireless - Cisco Community
ahollifield
Rising star

on ‎06-22-2022 06:23 PM - edited on ‎06-22-2022 06:50 PM by bradjohnson
How To: Cisco ISE Captive Portals with Aruba
Wireless
Authors: Adam Hollifield, Brad Johnson
Introduction
Prerequisites
Minimum Requirements
Components Used
Configuration
Aruba Wireless Controller
WLAN Creation
Authentication Configuration
Role & Policy Configuration
Cisco ISE
Aruba RADIUS Dictionary Addition
Aruba Network Device Profile
Aruba Authorization Profiles
Authentication Allowed Protocols Configuration
Policy Set Configuration
Verification
ISE RADIUS Live Logs
Aruba Mobility Controller
Introduction
https://community.cisco.com/t5/tkb/articleprintpage/tkb-id/4561-docs-security/article-id/7568
Previous configurations for integrating Cisco ISE portals and Aruba Wireless used a static
external captive portal URL to redirect clients to an ISE portal. This required the use of
multiple authorization profiles and authorization rules per PSN. Aruba AOS 8.4 added
support for the Aruba-Captive-Portal-URL Vendor Specific Attribute (VSA) which allows for
dynamic URL redirection similar to what we see when configuring portal rules with Cisco
network access devices (NADs). This will enable additional scale, posture flows, and ease
of configuration when integrating Aruba wireless with Cisco Identity Services Engine.
Prerequisites
Minimum Requirements
The minimum software requirements for this configuration:
Aruba AOS 8.4 or later
Cisco ISE 2.4 or later
Components Used
The information in this document is based on these software versions:
Aruba Wireless Controller with AOS 8.10.0.1
Cisco ISE 3.1 with Patch 3
Configuration
Aruba Wireless Controller
WLAN Creation
1. Navigate to Configuration > Tasks > Create a new WLAN.
2. Fill in the SSID and select Guest as Primary usage. Select AP groups and Forwarding mode as
required by the wireless deployment. Click Next.
NOTE: it is best practice to broadcast WLANs only on specified AP groups and not use the default
group.
3. Select the VLAN and click Next.
4. Set Security to Internal Captive Portal, no auth or registration and click Next.
The Internal Captive Portal will not be used here and will be overridden by the captive portal URL
supplied by ISE through the Aruba-Captive-Portal-URL VSA. However, the Aruba Mobility Controller
requires some form of Captive Portal to be enabled on the WLAN to successfully redirect clients.
5. Click Next and Finish.
6. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the
Mobility Controller.
Authentication Configuration
1. Navigate to Configuration > Authentication > Auth Servers. Click the + button under All Servers.
Fill in name, select type as RADIUS, and fill in the IP address/hostname of the ISE PSN.
Click Submit. Repeat for each of the ISE PSNs.
2. Select the newly created RADIUS Server definition. Enter the Shared Key and click Submit. Repeat
for each of the ISE PSN RADIUS Server definitions.
3. Click the + button under All Servers. Change type to Dynamic Authorization and enter the IP
address of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.
4. Select the newly created RFC 3576 definition and enter the Key. Click Submit. Repeat for each of
the ISE PSN RFC 3576 definitions.
5. Click the + button under Server Groups. Enter a name. Click Submit.
6. Select the newly created Server Group and click the + button. Choose Add existing server and
select the ISE PSN RADIUS Server definition. Click Submit. Repeat for the rest of the ISE PSN
RADIUS Server definitions.
7. Navigate to Configuration > Authentication > AAA Profiles. Select the AAA profile for the newly
created WLAN, [SSID]_aaa_prof. Enable RADIUS Interim Accounting. Click Submit.
8. Select MAC Authentication. Change MAC Authentication Profile to Default. Click Submit.
9. Select MAC Authentication Server Group. Change Server Group to the ISE Server Group created
previously. Click Submit.
10. Select RADIUS Accounting Server Group. Change Server Group to the ISE Server Group created
previously. Click Submit.
11. Select RFC 3576 Server. Click the + button and select the ISE PSN from the drop down.
Click Submit. Repeat for each of the ISE PSN RFC 3576 server definitions.
12. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the
Mobility Controller.
Role & Policy Configuration
1. Navigate to Configuration > Roles & Policies > Policies and click the + button.
2. Set Policy Type to Session, enter a Policy Name, and an optional description. Click Submit.
3. Select the newly created policy and click the + button. Select Access Control and click OK. Create
a new forwarding rule allowing captive portal traffic to the ISE PSNs. Click Submit.
NOTE: This Policy enforces what traffic from the guest WLAN will be allowed BEFORE the guest
authenticates to the portal. This Policy can and should be customized for the individual network
environment and security requirements. At a minimum, the captive portal ports (typically 8443) must
be allowed from the guest users to the ISE PSNs during the redirect phase.
4. Navigate to Configuration > Roles & Policies > Roles and click the + button to create a new role.
Give the Role a Name and click Submit.
5. Select the newly created Role from the list. Click Show Advanced View.
6. Click the + button within Policies. Select Add an existing policy. Select type Session and select the
policy created in the previous step. Click Submit.
7. Repeat this procedure again adding the logon-control and captiveportal Policies to this Role.
8. Re-order the policies so that the Policy created previously is listed between logon-control and
captiveportal.
9. Select the Captive Portal tab. Move slider to Internal Captive Portal, no auth or registration.
The Internal Captive Portal will not be used here and will be overridden by the captive portal URL
supplied by ISE through the Aruba-Captive-Portal-URL VSA. However, the Aruba Mobility Controller
requires some form of Captive Portal to be enabled on the Role to successfully redirect clients.
10. Click Submit.
11. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the
Mobility Controller.
You may also wish to create a custom role for the guest users once the user successfully
authenticates to the Captive Portal. In this example, the Aruba default guest Role is used
for this purpose.
Cisco ISE
Aruba RADIUS Dictionary Addition
The default Aruba RADIUS dictionary in Cisco ISE does not contain the RADIUS
VSA Aruba-Captive-Portal-URL. This must be manually created before configuring the
network device profile.
1. Navigate to Policy > Policy Elements > Dictionaries.
2. Expand System > RADIUS > RADIUS Vendors and click on the Aruba entry.
3. Click Dictionary Attributes and then Add.
4. Fill in the information as follows:
Attribute Name: Aruba-Captive-Portal-URL
Description: [optional]
Data Type: STRING
ID: 43
5. Click Submit and verify the new attribute shows up under the Dictionary Attributes menu.
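An added example, not part of the original article or its attached profile: a Python decoder for the Aruba VSAs in the attribute section of an Access-Accept, to confirm that the role name and the Aruba-Captive-Portal-URL (ID 43) defined above are what ISE actually sends. Vendor ID 14823 and Aruba-User-Role sub-attribute 1 come from Aruba's standard RADIUS dictionary; the PSN host name, the URL and the sample bytes are constructed.

```python
import struct
from urllib.parse import urlsplit

ARUBA_VENDOR_ID = 14823          # Aruba's IANA enterprise number
VSA_TYPE = 26                    # RADIUS Vendor-Specific attribute (RFC 2865)
# ID 43 is the dictionary entry created above; ID 1 is Aruba-User-Role.
ARUBA_NAMES = {1: "Aruba-User-Role", 43: "Aruba-Captive-Portal-URL"}


def encode_vsa(vendor_id, sub_type, value):
    """Build one Vendor-Specific attribute carrying a single sub-attribute."""
    if len(value) > 247:         # 255 - 2 (attr hdr) - 4 (vendor id) - 2 (sub hdr)
        raise ValueError("value too long for a single VSA")
    sub = bytes([sub_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VSA_TYPE, len(body) + 2]) + body


def iter_tlvs(data):
    """Yield (type, value) pairs from a run of RADIUS type-length-value fields."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def aruba_vsas(attributes):
    """Return {name: text} for every Aruba VSA in the attribute bytes."""
    found = {}
    for attr_type, value in iter_tlvs(attributes):
        if attr_type != VSA_TYPE or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != ARUBA_VENDOR_ID:
            continue
        for sub_type, sub_value in iter_tlvs(value[4:]):
            name = ARUBA_NAMES.get(sub_type, f"Aruba-Unknown-{sub_type}")
            found[name] = sub_value.decode("utf-8", errors="replace")
    return found


def check_redirect(attributes, expected_role, psn_hosts):
    """List the problems with a redirect Access-Accept; empty list means OK."""
    vsas = aruba_vsas(attributes)
    problems = []
    role = vsas.get("Aruba-User-Role")
    if role != expected_role:    # role names are compared exactly, case included
        problems.append(f"role {role!r} does not match {expected_role!r}")
    url = vsas.get("Aruba-Captive-Portal-URL")
    if url is None:
        problems.append("Aruba-Captive-Portal-URL (ID 43) missing")
    else:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in psn_hosts:
            problems.append(f"unexpected portal URL {url!r}")
    return problems


# Constructed sample: attribute bytes of an Access-Accept for the redirect role.
SAMPLE_URL = b"https://ise-psn1.example.com:8443/portal/gateway?sessionId=abc123"
SAMPLE = (encode_vsa(ARUBA_VENDOR_ID, 1, b"guest-redirect")
          + encode_vsa(ARUBA_VENDOR_ID, 43, SAMPLE_URL))

if __name__ == "__main__":
    print(aruba_vsas(SAMPLE))
    print(check_redirect(SAMPLE, "guest-redirect", {"ise-psn1.example.com"}))
```

Because the decoder matches on vendor ID and sub-attribute ID, it names the attribute even when the capture tool's own dictionary has no entry for ID 43.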
Aruba Network Device Profile
The default Aruba Network Device Profile in Cisco ISE does not support URL redirection via
RADIUS VSA. A custom Network Device Profile for Aruba AOS controllers has been
created and is attached to this article.
1. Navigate to Administration > Network Resources > Network Device Profiles. Click the Import
button, browse to the Aruba_AOS.xml file, and click Import.
2. Navigate to Administration > Network Resources > Network Devices and click the +Add button.
3. Add an entry for the Aruba Mobility Controller, making sure to select the custom Aruba_AOS Network
Device Profile imported in the previous step. Specify the IP Address of the Mobility Controller and
the RADIUS Shared Secret.
4. Click Save.
Aruba Authorization Profiles
1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
2. Click the +Add button.
This authorization (authz) profile will be for redirecting the unknown guest user.
3. Give the authz profile a name, select Aruba_AOS as the Network Device Profile.
4. Within Common Tasks click the checkbox for ACL and specify the name of the Role created for the
redirect on the Aruba Mobility Controller. NOTE: these names must match exactly.
5. Check the box for Web Redirection and specify the corresponding portal type and portal.
Click Save.
This guide does not cover the creation of a portal on ISE. For this example, the Default Hotspot
Guest Portal is used.
6. Click the +Add button again.
This authorization profile is for the authenticated guest.
7. Give the authz profile a name, select Aruba_AOS as the Network Device Profile.
8. Within Common Tasks click the checkbox for ACL and specify the name of the Role for the guest
users on the Aruba Mobility Controller.
NOTE: these names must match exactly. You may also wish to create a custom role for the guest
users once the user successfully authenticates to the Captive Portal. In this example, the Aruba
default guest role is used for this purpose.
Authentication Allowed Protocols Configuration
1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols. Click
the +Add button to create a new Allowed Protocols Service.
2. Give the Allowed Protocols Service a name and optional description. Disable all other protocols
except for Process Host Lookup and PAP/ASCII. Click Save.
Policy Set Configuration
1. Navigate to Policy > Policy Sets and click the + button to create a new policy set.
2. Give the policy set a name and within conditions, specify Aruba-Aruba-Essid-Name
CONTAINS [SSID].
Replace [SSID] with the name of the SSID configured on the Mobility Controller.
3. For Allowed Protocols/Server Sequence, select the MAB allowed protocols created in the previous
section.
4. Click Save and then click the greater than sign (>) on the far right of the policy set to open the new
Policy Set.
5. Expand Authentication Policy and specify Internal Endpoints in the Use column of
the Default authc policy.
6. Change If User not found within Options to Continue.
7. Expand Authorization Policy and click the plus (+) button to create a new authz policy.
8. Specify a name for the policy and for Conditions specify IdentityGroup-Name EQUALS Endpoint
Identity Groups:GuestEndpoints.
This guide is using the Remember Me guest flow so if the endpoint MAC address exists in the
specified endpoint group they will automatically be granted guest access.
9. Specify the Aruba Guest Permit authorization profile in the Results column.
10. Specify the Aruba Guest Redirect authorization profile in the Results column for the Default authz
policy.
11. Click Save.
Verification
ISE RADIUS Live Logs
Navigate to Operations > RADIUS > Live Logs. Reading from bottom to top, the Live Logs
should first show the Aruba Guest Redirect authz profile, followed by the Change of
Authorization (CoA) once the user logs into the captive portal, and finally the endpoint
re-authenticating to the wireless network and receiving the Aruba Guest Permit authz profile.
The endpoint should also be a member of the GuestEndpoints Group within Context
Visibility > Endpoints after logging into the captive portal.
Aruba Mobility Controller
Navigate to Dashboard > Overview and click on the clients view. Before authentication to
the captive portal, the client should be assigned the guest-redirect role.
After authentication to the captive portal, the client should be assigned the guest role.
Attachment: Aruba_AOS.zip

Comments
Leo Laohoo
VIP Community Legend

‎06-22-2022 06:26 PM
@ahollifield,
Do you have this in PDF form, please?
bradjohnson
Cisco Employee

‎06-22-2022 06:38 PM
You can generate a printer friendly version by going to the top-right of the page, click
Options > Printer Friendly Page.
From there you can print to PDF.
Leo Laohoo
VIP Community Legend

‎06-22-2022 07:00 PM
Thanks, @bradjohnson.
rrrsseta
Beginner

‎06-29-2022 07:14 AM
Hi,
Is it possible to make setup like this but using built-in "Guest_Flow" condition instead of
relying on GuestEndpoints group?
Will ISE recognize "Guest_Flow" for third party NAD like Aruba?
Magret
Beginner

‎07-19-2022 04:37 AM
Dear,
May I know where to download "Aruba_AOS.XML" file?
bradjohnson
Cisco Employee

‎07-19-2022 04:40 AM
@Magret It is at the bottom of the article.
Magret
Beginner

‎07-19-2022 07:18 PM
Thanks @bradjohnson
tonyang
Beginner

‎08-13-2022 08:33 AM
Hi,
First, thank you for the sharing. But I have a question for you.
For the "initial role" and "mac authentication default role" in "guest_aaa_prof", it's "guestguest-logon". But the user role defined is "guest-redirect". May I confirm with you if the
"initial role" and "mac authentication default role" is "guest-redirect" in "guest_aaa_prof"?
Looking forward to your early reply.
ahollifield
Rising star

‎08-13-2022 08:54 AM
The initial role and mac-auth-default roles actually do not matter since we are overriding the role value
from the RADIUS response from ISE using the Aruba-User-Role VSA. They can technically be set to
anything since they will never be used in this flow. For the example and How To doc, I just left them at
the Aruba default values.
tonyang
Beginner

‎08-14-2022 01:39 AM
Thanks for your reply. May I know whether the defined user role "guest-redirect" will be
associated with aaa profile ?
ahollifield
Rising star

‎08-14-2022 10:11 AM
It does not. The role just must be defined on the controller and the name must match
EXACTLY with what is pushed in the VSA from ISE.
tonyang
Beginner

‎08-16-2022 08:26 AM
Thank you. I completed the configuration and met the issue that the redirect URL didn't work
on the client side. From the tcpdump packet, the attribute "Aruba-Captive-Portal-URL"
was shown as an unknown attribute in the RADIUS. Do you have any idea of this?
ahollifield
Rising star

‎08-16-2022 10:13 AM
Did you import the XML Network Device Profile into your ISE deployment? Did you assign
that Network Device Profile to the definition for your Mobility Controller? What version of
AOS?
tonyang
Beginner

‎08-16-2022 06:43 PM
Yes, the XML was imported and associated to network devices (Aruba Controllers). The
AOS is version 8.6.0.9. I am not sure if the XML file can support AOS 8.6.0.9? I saw the
testing environment is running on AOS 8.10.0.1.
bradjohnson
Cisco Employee

‎08-16-2022 06:50 PM
That shouldn't matter as the RADIUS VSA Aruba-Captive-Portal-URL was added to
ArubaOS 8.4. That's why we noted in the XML that it was for ArubaOS 8.4+. On your
wireless controller, is it showing the VSA as unknown and rejected or rejecting because it
contains invalid information?
tonyang
Beginner

‎08-16-2022 07:00 PM
Hi Bradjohnson,
Thanks for your reply on this. Actually, I haven't collected packet capture on this. But I've
collected the tcpdump on ISE side. The attribute "Aruba-Captive-Portal-URL" was shown as an
unknown attribute in the packet which was sent from ISE to controller.
bradjohnson
Cisco Employee

‎08-16-2022 07:15 PM
Did you create the Aruba-Captive-Portal-URL dictionary entry in the Aruba RADIUS
attributes within ISE?
tonyang
Beginner

‎08-16-2022 07:32 PM
Yes, it's done.
tonyang
Beginner

‎08-27-2022 08:46 AM
Hi,
Is it possible to add another attribute to authorization profile to change VLAN assignment of
guest after completing self registration? If yes, any additional change in Aruba WLC?
Thank you.
Aruba Attribute: Aruba-User-Vlan
Authorization Profile:
Access Type = ACCESS_ACCEPT
Aruba-User-Role = XXX
Aruba-User-Vlan = XXX
bradjohnson
Cisco Employee

‎08-27-2022 09:01 AM
You should be able to utilize VLAN under Common Tasks. If not, simply create a custom
attribute under Advanced Attribute Settings. Nothing needs to change on the network
device profile since the profile also uses the Aruba dictionary.
Here's the problem, though. How will the endpoint know the VLAN changed, therefore
pulling a new IP, after they authenticate? Endpoints don't see a VLAN change on the
backend without a connection bounce (disconnect and reconnect). It would be better to
change the VLAN on the initial connection and keep them there through the process and
post authentication.
tonyang
Beginner

‎08-27-2022 09:22 AM
Thanks for your reply, bradjohnson.
After configuring the VLAN under common task and advanced attributes settings, some
unknown attributes were added as well.
May I know what these unknown attributes are? Additionally, that's my question of how the
endpoints know the VLAN changed after completing COA. I will validate and post the
result next week.
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:2022 (Unknown attribute)
Tunnel-Type = 1:13 (Unknown attribute)
Tunnel-Medium-Type = 1:6 (Unknown attribute)
Aruba-User-Role = XXX
Aruba-User-Vlan = 2022
ahollifield
Rising star

‎08-27-2022 09:36 AM
You could also specify the VLAN as part of the Role itself on the MC.
tonyang
Beginner

‎08-31-2022 07:43 AM
Thank you, ahollifield.
After many attempts, it takes a long time to change the VLAN information of endpoints
(suppose COA has completed, I can see the result in Radius Livelog) after inputting the
configuration in the "Authorization Profile". Do you have any idea of how to address this
issue?
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:2022 (Unknown attribute)
Tunnel-Type = 1:13 (Unknown attribute)
Tunnel-Medium-Type = 1:6 (Unknown attribute)
Aruba-User-Role = XXX
Aruba-User-Vlan = 2022
ahollifield
Rising star

‎09-01-2022 04:03 AM
That is precisely why you should put the VLAN within the Aruba User Role on the controller
rather than relying on CoA and additional RADIUS attributes. Any reason why you are not
putting VLAN 2022 as an attribute within the XXX role itself on the Mobility Controller
configuration?
tonyang
Beginner

‎09-05-2022 01:56 AM
Both "Authorization Profile" and "User Role" are set to VLAN 2022. But it randomly fails
to change the attribute of VLAN.
ahollifield
Rising star

‎09-05-2022 06:07 AM
You should only be assigning the VLAN in one of those places, not both. I would remove the VLAN
assignment from ISE and only leave the VLAN tag within the role.
tonyang
Beginner

‎09-05-2022 06:23 AM
Thank you, ahollifield.
But it failed to change the attribute of VLAN for the endpoint if I only leave the VLAN tag
within the user role. The endpoint just got the invalid IP "169.254.x.x".
ahollifield
Rising star

‎09-05-2022 07:30 AM
Are you sure the VLAN is trunked correctly to the controller? What mode are the SSID/APs running in?
As a test, what if you place that same VLAN on a different SSID just with a PSK? Do you get a valid IP?
tonyang
Beginner

‎09-05-2022 08:32 AM
Yes, the VLAN is trunked to the controllers. The SSID is running in "Tunnel" node. The same
VLAN on a different SSID with PSK is working fine without captive portal. Possibly, I forgot
to assign the DHCP policy to the user role. Let me modify the user role and test again.