
Aruba VIA integrated CPPM Onguard agent fails to do a successful Radius CoA / [Aruba Terminate Session] to the VIA VPN

Aruba Employee

Question : We have a working VIA configuration that currently changes user roles based on the credentials that it is passed from ClearPass – all as expected.

We are currently integrating OnGuard into this mix in order to bring the user's posture status into the VIA VPN. After the integration, ClearPass was not able to do a successful RADIUS CoA / [Aruba Terminate Session] to the VIA VPN.


I know that the RFC3576 server is working as I have OnGuard working and doing posture assessments and CoAs against the wireless network on the same controller that terminates the VIA VPN.

 

Environment Information : This article strictly applies to CPPM 6.2 and Aruba AOS 6.3.1.1 and greater.

 

Symptoms

 

The message below is displayed when testing CoA from Access Tracker.


1.png

 

Cause : Changing the user role of a VIA client through RADIUS CoA after the health check requires AOS version 6.3.1.1 or later, where the RFC 3576 server can be mapped to the VIA authentication profile.

 

Resolution :

 

Starting with ArubaOS version 6.3.1.1 (still in Early Availability), an RFC 3576 server can be mapped to the VIA authentication profile. Go to Configuration -> Authentication -> L3 Authentication -> VIA Authentication, select the authentication profile, and map CPPM as the RFC 3576 server.




2.png


On the ClearPass server, edit the Enforcement Profile as shown below.

Navigate to "Configuration » Enforcement » Policies" and edit the Enforcement Policy that is mapped to the Posture service.





3.png



Where "Aruba VPN Healthy Role" has the below configuration.

4.png


Ideally each of the above Actions in the Policy has two conditions mapped to it.

1: Posture status
2: User Role




Version history
Revision #: 2 of 2
Last update: 09-07-2014 10:56 AM

Comments
rajo7

Images are not loading. Image URLs require login to force.com.

Would you please make this available on Arubapedia or as PDF?

 

 

Thanks.

 Hello rajo7, thank you for pointing this out--will look into this asap.

 

 Julia Ostrowski

Aruba Networks, Customer Advocacy

Hi rajo7, can you please refresh and verify you can see the images?  I believe I've sorted out the issue with the images.

 

Thank you!

 

 Julia Ostrowski

Aruba Networks, Customer Advocacy

rajo7

Hi, images are fine now. Thank you!

 

I tried it but CoA is still not working, can you please give me the details of the enforcement policy used in the health check service?

 

ArubaOS 6.3.1.10

CPPM 6.4 

 

Thanks

Hi rajo7,

 

When you create the Enforcement profile, please select the template as "Radius Change of Authorization(CoA)".

 

temp.png

 

Under the Attributes tab, select the RADIUS CoA Template "Aruba-Change-VPN-User-Role" and set the Filter-Id to whatever user role you want to assign after the health check.

 

coa 4.png

 

Note: The above enforcement profile should be applied in the WEBAUTH service.

 

Thanks,

Saravanan
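
To show what the controller's RFC 3576 server has to accept when such an enforcement profile fires, the added example below (not ClearPass or ArubaOS code, and not part of the original article or comments) builds a RADIUS CoA-Request carrying a Filter-Id role and verifies its Request Authenticator against the shared secret, following RFC 5176, which obsoletes RFC 3576. The user name, role name, secret and the use of User-Name as the only session attribute are constructed assumptions; the attributes the "Aruba-Change-VPN-User-Role" template actually sends are not listed on this page.

```python
import hashlib
import hmac
import struct

COA_REQUEST, USER_NAME, FILTER_ID = 43, 1, 11  # RFC 5176 code; RADIUS attribute types


def attr(attr_type, value):  # one attribute: type, length, value (bytes)
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(ident, length, attrs, secret):
    """MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, length)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa_request(ident, user, role, secret):
    """CoA-Request asking the NAS to place `user` in `role` via Filter-Id."""
    attrs = attr(USER_NAME, user.encode()) + attr(FILTER_ID, role.encode())
    length = 20 + len(attrs)
    auth = request_authenticator(ident, length, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, length) + auth + attrs


def check_coa_request(packet, secret):
    """Return the Filter-Id role if the packet verifies, otherwise None."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return None
    ident, length = struct.unpack("!BH", packet[1:4])
    if length != len(packet):
        return None
    attrs = packet[20:]
    expected = request_authenticator(ident, length, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or altered packet
    role, pos = None, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None  # malformed attribute
        if a_type == FILTER_ID:
            role = attrs[pos + 2:pos + a_len].decode()
        pos += a_len
    return role


if __name__ == "__main__":  # constructed sample values, not from the page
    pkt = build_coa_request(7, "via-user", "vpn-healthy", b"constructed-secret")
    print(check_coa_request(pkt, b"constructed-secret"))
```

A shared-secret mismatch between the two ends makes the check return None even though the packet is otherwise well formed.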
