11/25/22, 6:23 PM
How To: Cisco ISE Captive Portals with Aruba Wireless - Cisco Community
https://community.cisco.com/t5/tkb/articleprintpage/tkb-id/4561-docs-security/article-id/7568

How To: Cisco ISE Captive Portals with Aruba Wireless

ahollifield Rising star on 06-22-2022 06:23 PM - edited on 06-22-2022 06:50 PM by bradjohnson

Authors: Adam Hollifield, Brad Johnson

Introduction
Prerequisites
    Minimum Requirements
    Components Used
Configuration
    Aruba Wireless Controller
        WLAN Creation
        Authentication Configuration
        Role & Policy Configuration
    Cisco ISE
        Aruba RADIUS Dictionary Addition
        Aruba Network Device Profile
        Aruba Authorization Profiles
        Authentication Allowed Protocols Configuration
        Policy Set Configuration
Verification
    ISE RADIUS Live Logs
    Aruba Mobility Controller

Introduction

Previous configurations for integrating Cisco ISE portals and Aruba Wireless used a static external captive portal URL to redirect clients to an ISE portal. This required the use of multiple authorization profiles and authorization rules per PSN. Aruba AOS 8.4 added support for the Aruba-Captive-Portal-URL Vendor Specific Attribute (VSA) which allows for dynamic URL redirection similar to what we see when configuring portal rules with Cisco network access devices (NADs). This will enable additional scale, posture flows, and ease of configuration when integrating Aruba wireless with Cisco Identity Services Engine.

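As an added illustration (not part of the original article, and not Cisco or Aruba code), the Python below shows how the Aruba-Captive-Portal-URL VSA is carried inside a RADIUS Access-Accept and checks that the role and portal URL a controller would receive are the expected ones. Assumptions: Aruba's vendor ID 14823 and VSA ids 1, 2 and 5 come from the standard Aruba RADIUS dictionary rather than this page (id 43 is the value the article enters in ISE); the hostname, session ID and portal ID in the sample are constructed.

```python
import struct
from urllib.parse import urlsplit

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)
# VSA id 43 is the value this article enters in the ISE dictionary;
# ids 1, 2 and 5 come from the standard Aruba RADIUS dictionary.
ARUBA_DICT = {
    1: ("Aruba-User-Role", "string"),
    2: ("Aruba-User-Vlan", "integer"),
    5: ("Aruba-Essid-Name", "string"),
    43: ("Aruba-Captive-Portal-URL", "string"),
}

def encode_vsa(vendor_type, value):
    """Encode one Aruba sub-attribute inside a Vendor-Specific attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    body = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([vendor_type, len(data) + 2]) + data
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def build_access_accept(vsas, identifier=1):
    """Constructed Access-Accept (code 2) with a zeroed authenticator (sample only)."""
    attrs = b"".join(encode_vsa(t, v) for t, v in vsas)
    return struct.pack("!BBH16s", 2, identifier, 20 + len(attrs), bytes(16)) + attrs

def parse_aruba_vsas(packet, dictionary=ARUBA_DICT):
    """Return {name: value}; ids missing from the dictionary become Aruba-Unknown-<id>."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed Aruba sub-attribute")
            raw, sub = sub[2:vlen], sub[vlen:]
            name, kind = dictionary.get(vtype, (f"Aruba-Unknown-{vtype}", "string"))
            if kind == "integer" and len(raw) == 4:
                found[name] = struct.unpack("!I", raw)[0]
            else:
                found[name] = raw.decode("utf-8", "replace")
    return found

def check_redirect(packet, expected_role, psn_hosts, portal_port=8443):
    """List problems with a redirect Access-Accept; an empty list means it looks right."""
    vsas, problems = parse_aruba_vsas(packet), []
    if vsas.get("Aruba-User-Role") != expected_role:  # names must match exactly
        problems.append("role mismatch")
    url = urlsplit(vsas.get("Aruba-Captive-Portal-URL", ""))
    if url.scheme != "https":
        problems.append("portal URL missing or not https")
    elif url.hostname not in psn_hosts or url.port != portal_port:
        problems.append("portal URL does not point at a listed PSN and port")
    return problems

# Constructed sample: hostname, session id and portal id are made up.
SAMPLE_URL = ("https://ise-psn1.example.com:8443/portal/gateway"
              "?sessionId=0a0a0a0a0000001a&portal=constructed-portal-id&action=cwa")
SAMPLE = build_access_accept([(1, "guest-redirect"), (43, SAMPLE_URL)])

if __name__ == "__main__":
    print(parse_aruba_vsas(SAMPLE))
    print(check_redirect(SAMPLE, "guest-redirect", {"ise-psn1.example.com"}))
```

Passing a dictionary without entry 43 to `parse_aruba_vsas` returns the same value under the name `Aruba-Unknown-43`, which is how a decoder lacking the dictionary entry labels an otherwise well-formed attribute.
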
Prerequisites

Minimum Requirements

The minimum software requirements for this configuration:

- Aruba AOS 8.4 or later
- Cisco ISE 2.4 or later

Components Used

The information in this document is based on these software versions:

- Aruba Wireless Controller with AOS 8.10.0.1
- Cisco ISE 3.1 with Patch 3

Configuration

Aruba Wireless Controller

WLAN Creation

1. Navigate to Configuration > Tasks > Create a new WLAN.
2. Fill in the SSID and select Guest as Primary usage. Select AP groups and Forwarding mode as required by the wireless deployment. Click Next.
   NOTE: it is best practice to broadcast WLANs only on specified AP groups and not use the default group.
3. Select the VLAN and click Next.
4. Set Security to Internal Captive Portal, no auth or registration and click Next. The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA. However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the WLAN to successfully redirect clients.
5. Click Next and Finish.
6. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.

Authentication Configuration

1. Navigate to Configuration > Authentication > Auth Servers. Click the + button under All Servers.
   Fill in name, select type as RADIUS, and fill in the IP address/hostname of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.
2. Select the newly created RADIUS Server definition. Enter the Shared Key and click Submit. Repeat for each of the ISE PSN RADIUS Server definitions.
3. Click the + button under All Servers. Change type to Dynamic Authorization and enter the IP address of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.
4. Select the newly created RFC 3576 definition and enter the Key. Click Submit. Repeat for each of the ISE PSN RFC 3576 definitions.
5. Click the + button under Server Groups. Enter a name. Click Submit.
6. Select the newly created Server Group and click the + button. Choose Add existing server and select the ISE PSN RADIUS Server definition. Click Submit. Repeat for the rest of the ISE PSN RADIUS Server definitions.
7. Navigate to Configuration > Authentication > AAA Profiles. Select the AAA profile for the newly created WLAN, [SSID]_aaa_prof. Enable RADIUS Interim Accounting. Click Submit.
8. Select MAC Authentication. Change MAC Authentication Profile to Default. Click Submit.
9. Select MAC Authentication Server Group.
   Change Server Group to the ISE Server Group created previously. Click Submit.
10. Select RADIUS Accounting Server Group. Change Server Group to the ISE Server Group created previously. Click Submit.
11. Select RFC 3576 Server. Click the + button and select the ISE PSN from the drop down. Click Submit. Repeat for each of the ISE PSN RFC 3576 server definitions.
12. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.

Role & Policy Configuration

1. Navigate to Configuration > Roles & Policies > Policies and click the + button.
2. Set Policy Type to Session, enter a Policy Name, and an optional description. Click Submit.
3. Select the newly created policy and click the + button. Select Access Control and click OK. Create a new forwarding rule allowing captive portal traffic to the ISE PSNs. Click Submit.
   NOTE: This Policy enforces what traffic from the guest WLAN will be allowed BEFORE the guest authenticates to the portal. This Policy can and should be customized for the individual network environment and security requirements. At a minimum, the captive portal ports (typically 8443) must be allowed from the guest users to the ISE PSNs during the redirect phase.
4. Navigate to Configuration > Roles & Policies > Roles and click the + button to create a new role. Give the Role a Name and click Submit.
5. Select the newly created Role from the list. Click Show Advanced View.
6. Click the + button within Policies. Select Add an existing policy. Select type Session and select the policy created in the previous step. Click Submit.
7. Repeat this procedure again adding the logon-control and captiveportal Policies to this Role.
8. Re-order the policies so that the Policy created previously is listed between logon-control and captiveportal.
9. Select the Captive Portal tab. Move slider to Internal Captive Portal, no auth or registration. The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA. However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the Role to successfully redirect clients.
10. Click Submit.
11. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.

You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal. In this example, the Aruba default guest Role is used for this purpose.

Cisco ISE

Aruba RADIUS Dictionary Addition

The default Aruba RADIUS dictionary in Cisco ISE does not contain the RADIUS VSA Aruba-Captive-Portal-URL. This must be manually created before configuring the network device profile.

1. Navigate to Policy > Policy Elements > Dictionaries.
2. Expand System > RADIUS > RADIUS Vendors and click on the Aruba entry.
3. Click Dictionary Attributes and then Add.
4. Fill in the information as follows:
   - Attribute Name: Aruba-Captive-Portal-URL
   - Description: [optional]
   - Data Type: STRING
   - ID: 43
5. Click Submit and verify the new attribute shows up under the Dictionary Attributes menu.

Aruba Network Device Profile

The default Aruba Network Device Profile in Cisco ISE does not support URL redirection via RADIUS VSA. A custom Network Device Profile for Aruba AOS controllers has been created and is attached to this article.

1. Navigate to Administration > Network Resources > Network Device Profiles. Click the Import button. Browse the Aruba_AOS.xml file and click Import.
2. Navigate to Administration > Network Resources > Network Devices and click the +Add button.
3. Add an entry for the Aruba Mobility Controller ensuring to select the custom Aruba_AOS Network Device Profile imported in the previous step. Specify the IP Address of the Mobility Controller and the RADIUS Shared Secret.
4. Click Save.

Aruba Authorization Profiles

1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
2. Click the +Add button. This authorization (authz) profile will be for redirecting the unknown guest user.
3. Give the authz profile a name, select Aruba_AOS as the Network Device Profile.
4. Within Common Tasks click the checkbox for ACL and specify the name of the Role created for the redirect on the Aruba Mobility Controller. NOTE: these names must match exactly.
5. Check the box for Web Redirection and specify the corresponding portal type and portal. Click Save. This guide does not cover the creation of a portal on ISE. For this example, the Default Hotspot Guest Portal is used.
6. Click the +Add button again. This authorization profile is for the authenticated guest.
7. Give the authz profile a name, select Aruba_AOS as the Network Device Profile.
8. Within Common Tasks click the checkbox for ACL and specify the name of the Role for the guest users on the Aruba Mobility Controller. NOTE: these names must match exactly.

You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal. In this example, the Aruba default guest role is used for this purpose.

Authentication Allowed Protocols Configuration

1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.
   Click the +Add button to create a new Allowed Protocols Service.
2. Give the Allowed Protocols Service a name and optional description. Disable all other protocols except for Process Host Lookup and PAP/ASCII. Click Save.

Policy Set Configuration

1. Navigate to Policy > Policy Sets and click the + button to create a new policy set.
2. Give the policy set a name and within conditions, specify Aruba-Aruba-Essid-Name CONTAINS [SSID]. Replace [SSID] with the name of the SSID configured on the Mobility Controller.
3. For Allowed Protocols/Server Sequence, select the MAB allowed protocols created in the previous section.
4. Click Save and then click the greater than sign (>) on the far right of the policy set to open the new Policy Set.
5. Expand Authentication Policy and specify Internal Endpoints in the Use column of the Default authc policy.
6. Change If User not found within Options to Continue.
7. Expand Authorization Policy and click the plus (+) button to create a new authz policy.
8. Specify a name for the policy and for Conditions specify IdentityGroup-Name EQUALS Endpoint Identity Groups:GuestEndpoints. This guide is using the Remember Me guest flow so if the endpoint MAC address exists in the specified endpoint group they will automatically be granted guest access.
9. Specify the Aruba Guest Permit authorization profile in the Results column.
10. Specify the Aruba Guest Redirect authorization profile in the Results column for the Default authz policy.
11. Click Save.

Verification

ISE RADIUS Live Logs

Navigate to Operations > RADIUS > Live Logs.
From bottom to top in the screenshot below, the Live Logs should first show the Aruba Guest Redirect authz profile, followed by the Change of Authorization (CoA) once the user logs into the captive portal, and finally the endpoint re-authenticating to the wireless network and receiving the Aruba Guest Permit authz profile.

The endpoint should also be a member of the GuestEndpoints Group within Context Visibility > Endpoints after logging into the captive portal.

Aruba Mobility Controller

Navigate to Dashboard > Overview and click on the clients view. Before authentication to the captive portal, the client should be assigned the guest-redirect role. After authentication to the captive portal, the client should be assigned the guest role.

Aruba_AOS.zip

Comments

Leo Laohoo VIP Community Legend 06-22-2022 06:26 PM
@ahollifield, Do you have this in PDF form, please?

bradjohnson Cisco Employee 06-22-2022 06:38 PM
You can generate a printer friendly version by going to the top-right of the page, click Options > Printer Friendly Page. From there you can print to PDF.

Leo Laohoo VIP Community Legend 06-22-2022 07:00 PM
Thanks, @bradjohnson.

rrrsseta Beginner 06-29-2022 07:14 AM
Hi, Is it possible to make setup like this but using built-in "Guest_Flow" condition instead of relying on GuestEndpoints group? Will ISE recognize "Guest_Flow" for third party NAD like Aruba?

Magret Beginner 07-19-2022 04:37 AM
Dear, May I know where to download "Aruba_AOS.XML" file?

bradjohnson Cisco Employee 07-19-2022 04:40 AM
@Magret It is at the bottom of the article.

Magret Beginner 07-19-2022 07:18 PM
Thanks @bradjohnson

tonyang Beginner 08-13-2022 08:33 AM
Hi, First, thank you for the sharing. But I have a question for you. For the "initial role" and "mac authentication default role" in "guest_aaa_prof", it's "guestguest-logon". But the user role defined is "guest-redirect". May I confirm with you if the "initial role" and "mac authentication default role" is "guest-redirect" in "guest_aaa_prof"? Looking forward to your early reply.

ahollifield Rising star 08-13-2022 08:54 AM
The initial role and mac-auth-default roles actually do not matter since we are overriding the role value from the RADIUS response from ISE using the Aruba-User-Role VSA. They can technically be set to anything since they will never be used in this flow. For the example and How To doc, I just left them at the Aruba default values.

tonyang Beginner 08-14-2022 01:39 AM
Thanks for your reply. May I know whether the defined user role "guest-redirect" will be associated with aaa profile?

ahollifield Rising star 08-14-2022 10:11 AM
It does not. The role just must be defined on the controller and the name must match EXACTLY with what is pushed in the VSA from ISE.

tonyang Beginner 08-16-2022 08:26 AM
Thank you. I completed the configuration and met the issue that the redirect URL didn't work on the client side. From the tcpdump packet, the attribute "Aruba-Captive-Portal-URL" was shown as an unknown attribute in the radius. Do you have any idea of this?

ahollifield Rising star 08-16-2022 10:13 AM
Did you import the XML Network Device Profile into your ISE deployment? Did you assign that Network Device Profile to the definition for your Mobility Controller? What version of AOS?

tonyang Beginner 08-16-2022 06:43 PM
Yes, the XML was imported and associated to network devices (Aruba Controllers). The AOS is version 8.6.0.9. I am not sure if the XML file can support AOS 8.6.0.9? I saw the testing environment is running on AOS 8.10.0.1.

bradjohnson Cisco Employee 08-16-2022 06:50 PM
That shouldn't matter as the RADIUS VSA Aruba-Captive-Portal-URL was added to ArubaOS 8.4. That's why we noted in the XML that it was for ArubaOS 8.4+. On your wireless controller, is it showing the VSA as unknown and rejected or rejecting because it contains invalid information?

tonyang Beginner 08-16-2022 07:00 PM
Hi Bradjohnson, Thanks for your reply on this. Actually, I haven't collected packet capture on this. But I've collected the tcpdump on ISE side. The attribute "Aruba-Captive-Portal-URL" was shown as an unknown attribute in the packet which was sent from ISE to controller.

bradjohnson Cisco Employee 08-16-2022 07:15 PM
Did you create the Aruba-Captive-Portal-URL dictionary entry in the Aruba RADIUS attributes within ISE?

tonyang Beginner 08-16-2022 07:32 PM
Yes, it's done.

tonyang Beginner 08-27-2022 08:46 AM
Hi, Is it possible to add another attribute to authorization profile to change VLAN assignment of guest after completing self-registration? If yes, any additional change in Aruba WLC? Thank you.

Aruba Attribute: Aruba-User-Vlan
Authorization Profile:
    Access Type = ACCESS_ACCEPT
    Aruba-User-Role = XXX
    Aruba-User-Vlan = XXX

bradjohnson Cisco Employee 08-27-2022 09:01 AM
You should be able to utilize VLAN under Common Tasks. If not, simply create a custom attribute under Advanced Attribute Settings. Nothing needs to change on the network device profile since the profile also uses the Aruba dictionary. Here's the problem, though. How will the endpoint know the VLAN changed, therefore pulling a new IP, after they authenticate? Endpoints don't see a VLAN change on the backend without a connection bounce (disconnect and reconnect). It would be better to change the VLAN on the initial connection and keep them there through the process and post authentication.

tonyang Beginner 08-27-2022 09:22 AM
Thanks for your reply, bradjohnson. After configuring the VLAN under common task and advanced attributes settings, some unknown attributes were added as well.
May I know what these unknown attributes are? Additionally, that's my question of how the endpoints know the VLAN changed after completing COA. I will validate and post the result in next week.

    Access Type = ACCESS_ACCEPT
    Tunnel-Private-Group-ID = 1:2022 (Unknown attribute)
    Tunnel-Type = 1:13 (Unknown attribute)
    Tunnel-Medium-Type = 1:6 (Unknown attribute)
    Aruba-User-Role = XXX
    Aruba-User-Vlan = 2022

ahollifield Rising star 08-27-2022 09:36 AM
You could also specify the VLAN as part of the Role itself on the MC.

tonyang Beginner 08-31-2022 07:43 AM
Thank you, ahollifield. After many attempts, it takes a long time to change the VLAN information of endpoints (suppose COA has completed, I can see the result in Radius Livelog) after inputting the configuration in the "Authorization Profile". Do you have any idea of how to address this issue?

    Access Type = ACCESS_ACCEPT
    Tunnel-Private-Group-ID = 1:2022 (Unknown attribute)
    Tunnel-Type = 1:13 (Unknown attribute)
    Tunnel-Medium-Type = 1:6 (Unknown attribute)
    Aruba-User-Role = XXX
    Aruba-User-Vlan = 2022

ahollifield Rising star 09-01-2022 04:03 AM
That is precisely why you should put the VLAN within the Aruba User Role on the controller rather than relying on CoA and additional RADIUS attributes. Any reason why you are not putting VLAN 2022 as an attribute within the XXX role itself on the Mobility Controller configuration?

tonyang Beginner 09-05-2022 01:56 AM
Both "Authorization Profile" and "User Role" are set to VLAN 2022. But it's randomly failed to change the attribute of VLAN.

ahollifield Rising star 09-05-2022 06:07 AM
You should only be assigning the VLAN in one of those places, not both. I would remove the VLAN assignment from ISE and only leave the VLAN tag within the role.

tonyang Beginner 09-05-2022 06:23 AM
Thank you, ahollifield. But it's failed to change the attribute of VLAN for the endpoint if I only leave the VLAN tag within the user role. The endpoint just got the invalid IP "169.254.x.x".

ahollifield Rising star 09-05-2022 07:30 AM
Are you sure the VLAN is trunked correctly to the controller? What mode are the SSID/APs running in? As a test, what if you place that same VLAN on a different SSID just with a PSK? Do you get a valid IP?

tonyang Beginner 09-05-2022 08:32 AM
Yes, the VLAN is trunked to the controllers. The SSID is running in "Tunnel" node. The same VLAN on a different SSID with PSK is working fine without captive portal. Possibly, I forgot to assign the DHCP policy to the user role. Let me modify the user role and test again.