ISE 2.6 patch 6 with HPE/ArubaOS Switch 16.09 NSP/Posture

terry_lin1
Level 1

Hi experts

I'm doing a POC with ISE 2.6 + ArubaOS Switch 16.09 running NSP/Posture check. I found that there are two styles for configuring the ArubaOS Switch with dynamic URL redirection: one is via user-role (attached file 1) and the other is sessionId combined with nas-filter-rule (attached file 2).

Now, my problem is that the client cannot download the NSA (Network Setup Assistant) from ISE, and I also tried the portal with Posture check, all with the same symptom: after authentication passes > BYOD welcome shows > click start > type device name > it gets stuck on step 3 (install page) with no error, and every log from ISE looks good, such as Live Logs, Reports > Endpoints and Users > Current Active Sessions, etc.

Is there any debug solution for this, or some idea? Thanks...


6 Replies

Greg Gibbs
Cisco Employee

See the following guide for detailed Posture flows with and without URL redirection. Be sure you have the DNS resolution and the necessary discovery mechanisms in place for the client to find the PSN and ensure you are allowing the necessary ports in your ACLs, firewall rules, etc. The document also includes some troubleshooting guidance.

ISE Posture Style Comparison for Pre and Post 2.2 

Hi Greg

Thanks for your reply :) As for your suggestion, if I access the portal without "URL redirection", it all works fine, including downloading AnyConnect and the temporal agent, etc.

However, I also re-ran some debugging from ISE, capturing the client trying to access the portal with URL redirection. It looks like my ISE is able to recreate the Cisco Session ID, find the corresponding session on ISE and continue with the BYOD (or any other configured) flow as this document mentions (https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200270-ISE-2-0-3rd-Party-integration-with-Aruba.html), but there is no further step after "current state is ACTIVE and current step is BYOD_INSTALL".

If all required conditions match for ISE, but the result is not correct, do you think it might be a new "BUG" in ISE 2.6 with patch 6?

 

debugging log from ISE:

2020-05-12 04:02:01,617 DEBUG  [https-jsse-nio-192.168.1.100-8440-exec-9][] cisco.ise.portalwebaction.controller.PortalStepController -::35726950-2425-4381-b17e-cc35cc4e5da5::lab\user1:- ++++ updatePortalState: PortalSession (35726950-2425-4381-b17e-cc35cc4e5da5) current state is INITIATED and current step is BYOD_WELCOME

 

2020-05-12 04:02:01,619 DEBUG  [SyslogListenerThread][] cisco.profiler.probes.radius.SyslogDefragmenter -:::::- parseHeader inBuffer=<181>May 12 04:02:01 isesvr1 CISE_Passed_Authentications 0000000033 1 0 2020-05-12 04:02:01.615 +08:00 0000005772 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=87, AuthenticationMethod=PAP_ASCII, NAS-IP-Address=192.168.1.198, Framed-IP-Address=192.168.1.14, Calling-Station-ID=00-0C-29-9B-CB-B0, UserType=NON_GUEST, UserName=lab\\user1, MacAddress=00:0C:29:9B:CB:B0, IpAddress=192.168.1.14, AuthenticationIdentityStore=WIN2012R2_01, PortalName=Self-Registered Guest Portal (default)_copy1, IdentityGroup=S-1-5-21-4009555869-1812077336-1138570266-513, PsnHostName=isesvr1.lab.local, GuestUserName=lab\\user1, EPMacAddress=00:0C:29:9B:CB:B0, NADAddress=192.168.1.198, AuditSessionId=c0a801646AnW8L/LM18W5KODyN8ZCzD88FG2Niuq_xgAhFxNGXs, ResponseTime=439, cisco-av-pair=audit-session-id=c0a801646AnW8L/LM18W5KODyN8ZCzD88FG2Niuq_xgAhFxNGXs, Step=5231,

 

2020-05-12 04:02:08,005 DEBUG  [https-jsse-nio-192.168.1.100-8440-exec-10][] cisco.cpm.prrt.impl.PrRTLoggerImpl -::35726950-2425-4381-b17e-cc35cc4e5da5::lab\user1:- AcsLogs,DEBUG,0x7f48efdcf700,cntx=0000010498,CallingStationID=00-0C-29-9B-CB-B0,FramedIPAddress=192.168.1.14,Log_Message=[2020-05-12 04:02:08.001 +08:00 0000005773 88010 INFO  MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=87, UserName=lab\\user1, MacAddress=00:0C:29:9B:CB:B0, IpAddress=192.168.1.14, AuthenticationIdentityStore=WIN2012R2_01, PortalName=Self-Registered Guest Portal (default)_copy1, IdentityGroup=S-1-5-21-4009555869-1812077336-1138570266-513, PsnHostName=isesvr1.lab.local, GuestUserName=lab\\user1, EPMacAddress=00:0C:29:9B:CB:B0, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=isesvr1.lab.local, EndPointPolicy=Unknown, NADAddress=192.168.1.198, DeviceName=win10, DeviceRegistrationStatus=Pending, AuditSessionId=c0a801646AnW8L/LM18W5KODyN8ZCzD88FG2Niuq_xgAhFxNGXs, ResponseTime=439, cisco-av-pair=audit-session-id=c0a801646AnW8L/LM18W5KODyN8ZCzD88FG2Niuq_xgAhFxNGXs, ],MessageFormatter.cpp:107

 

2020-05-12 04:02:08,203 DEBUG  [https-jsse-nio-192.168.1.100-8440-exec-10][] cisco.ise.portalwebaction.controller.PortalStepController -::35726950-2425-4381-b17e-cc35cc4e5da5::lab\user1:- ++++ updatePortalState: PortalSession (35726950-2425-4381-b17e-cc35cc4e5da5) current state is ACTIVE and current step is BYOD_INSTALL

 

no further logs related to BYOD ....
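One way to spot this stall from the debug output, as an added example that is not part of the thread: a small Python parser that tracks each PortalSession's step transitions and ties the session to the audit-session-id from the passed-authentication syslog line. The sample lines are shortened copies of the ones quoted above, and the "stalled" rule (last recorded step is BYOD_INSTALL with nothing after it) is an assumption that matches the symptom described.

```python
import re

# Constructed sample, shortened from the ISE debug lines quoted in the post above
# (raw string so the backslash in the user name survives verbatim).
SAMPLE_LOG = r"""
2020-05-12 04:02:01,617 DEBUG  [https-jsse-nio-192.168.1.100-8440-exec-9][] cisco.ise.portalwebaction.controller.PortalStepController -::35726950-2425-4381-b17e-cc35cc4e5da5::lab\user1:- ++++ updatePortalState: PortalSession (35726950-2425-4381-b17e-cc35cc4e5da5) current state is INITIATED and current step is BYOD_WELCOME
2020-05-12 04:02:01,619 DEBUG  [SyslogListenerThread][] cisco.profiler.probes.radius.SyslogDefragmenter -:::::- parseHeader inBuffer=<181>May 12 04:02:01 isesvr1 CISE_Passed_Authentications 0000000033 1 0 ... UserName=lab\\user1, MacAddress=00:0C:29:9B:CB:B0, IpAddress=192.168.1.14, NADAddress=192.168.1.198, AuditSessionId=c0a801646AnW8L/LM18W5KODyN8ZCzD88FG2Niuq_xgAhFxNGXs, ResponseTime=439,
2020-05-12 04:02:08,203 DEBUG  [https-jsse-nio-192.168.1.100-8440-exec-10][] cisco.ise.portalwebaction.controller.PortalStepController -::35726950-2425-4381-b17e-cc35cc4e5da5::lab\user1:- ++++ updatePortalState: PortalSession (35726950-2425-4381-b17e-cc35cc4e5da5) current state is ACTIVE and current step is BYOD_INSTALL
"""

# Portal step transition: timestamp, portal session id, user, state, step.
STEP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) .*PortalStepController -::(?P<psid>[0-9a-f-]+)::"
    r"(?P<user>[^:]+):- .*current state is (?P<state>\w+) and current step is (?P<step>\w+)"
)
# Passed-authentication syslog copy: user name and the NAD audit-session-id.
AUTH_RE = re.compile(r"UserName=(?P<user>[^,]+),.*?AuditSessionId=(?P<asid>[^,]+),")

def _norm_user(user):
    # The syslog copy escapes the domain backslash (lab\\user1); the portal line does not.
    return user.replace("\\\\", "\\").lower()

def parse_sessions(log_text):
    """Return {portal_session_id: {"user", "steps": [(ts, state, step)], "audit_session_id"}}."""
    sessions, audit_by_user = {}, {}
    for line in log_text.splitlines():
        m = STEP_RE.match(line)
        if m:
            s = sessions.setdefault(m["psid"], {"user": _norm_user(m["user"]),
                                                "steps": [], "audit_session_id": None})
            s["steps"].append((m["ts"], m["state"], m["step"]))
            continue
        m = AUTH_RE.search(line)
        if m:
            audit_by_user[_norm_user(m["user"])] = m["asid"]
    for s in sessions.values():  # correlate portal session with the RADIUS session by user
        s["audit_session_id"] = audit_by_user.get(s["user"])
    return sessions

def stalled_sessions(sessions, stall_step="BYOD_INSTALL"):
    """Portal sessions whose last recorded step is stall_step with nothing logged after it
    (assumed stall rule: the client never moves past the NSA install page)."""
    return sorted(p for p, s in sessions.items() if s["steps"] and s["steps"][-1][2] == stall_step)

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for psid in stalled_sessions(sess):
        s = sess[psid]
        print(f"{psid} user={s['user']} audit-session-id={s['audit_session_id']} "
              f"stalled at {s['steps'][-1][2]} since {s['steps'][-1][0]}")
```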

 

 

 

Most of the examples I've seen with Aruba are related to the Wireless infrastructure, for which ISE has a built-in Network Device Profile. The Aruba switches appear to use different VSAs for web redirection as per the WEB REDIRECTION WITH CISCO ISE document on Aruba's site.

The document is focused on the Guest flow, but should be used as a guide for creating the Network Device Profile for the Aruba switch in ISE.

If you have already done this and it does not make a difference in the URL redirect flow, I would suggest opening a case with TAC to investigate further. They will likely also want to get a packet capture from the client to see what is happening with the redirection.

Hi Greg

Good day, thanks for your reply again. The user-role is another style for Aruba switch + ISE to do URL redirection. This kind of configuration actually does not really fit the "real network" from my perspective. It will ask the network admin to pre-configure the different roles and ACLs on the Aruba switches; you might imagine if the customer has over 50 Aruba switches XD.

If using the other style of URL redirection, which is Cisco-like, as in my testing now, the VLAN and DACL are assigned dynamically, which is more flexible, and that is why I'm trying this. The guest flow in my test is OK if I do not use the user-role style, BTW.

I've checked and compared the Aruba switch and the Cisco switch, and there is no different process or logs after getting to the BYOD_Install step in the log file. In other words, only Posture and the NSP (NSA) download have a problem with the Aruba switch.

Per your comment...

"If using another style URL redirection that is cisco like as my testing now, it's assigned VLAN and DACL dynamically"

... it sounds like you're trying to apply the URL Redirect ACL by dynamically pushing it from ISE. I'm not sure how this works on the Aruba switches, but this is NOT possible with Cisco switches.

With Cisco switches, the Redirect ACL must be configured locally on the switch. The Authorization Profile is configured in ISE with the necessary redirect (CWA, CPP, etc) and the name of the ACL that was configured on the switch. I would expect the behaviour of the Aruba would likely be the same.

 

The Downloadable ACL configured in ISE only controls the traffic allowed from the client at ingress to the switchport. It cannot be used as a URL Redirect ACL.

Hi Greg

Oh, sorry for the wrong description of the DACL on the Cisco switch. Yes, you are right, the Cisco switch needs the "redirect acl" configured locally, and the DACL is used for user traffic control. However, the Aruba switch combines the two and is smarter than the Cisco switch. It uses the regex at the end of the ACL statement. I'm very sure it works for the Aruba switch in my lab. Thank you : )