Question : We have a working VIA configuration that currently changes user roles based on the credentials that it is passed from ClearPass – all as expected.
We are currently in the process right now of integrating OnGuard into this mix in order to integrate the user's Posture status into the VIA VPN. ClearPass was not able to do a successful RADIUS CoA / [Aruba Terminate Session] to the VIA VPN after integration.
I know that the RFC3576 server is working as I have OnGuard working and doing posture assessments and CoAs against the wireless network on the same controller that terminates the VIA VPN.
Environment Information : This article strictly applies to CPPM 6.2 and Aruba AOS 188.8.131.52 and greater.
Below is the message we would see when testing CoA from Access Tracker.
Cause : RADIUS CoA to change the user role of the VIA client after the health check with the AOS version 184.108.40.206.
Only from Aruba OS version 220.127.116.11 (still in Early Availability) is there an option to map the RFC 3576 server, under Configuration -> Authentication -> L3 Authentication -> VIA Authentication: select the Authentication Profile and map CPPM as the RFC 3576 server.
On the ClearPass server, edit the Enforcement Profile as shown below.
Navigate to "Configuration » Enforcement » Policies" and edit the Enforcement Policy that is mapped to the Posture service.
Here, "Aruba VPN Healthy Role" has the configuration below.
Ideally, each of the above actions in the policy has two conditions mapped to it:
1: Posture status
2: User Role