New Contributor
Posts: 7
Registered: ‎03-09-2016

Cisco ASA VPN with OnGuard posture checks

Hi,

I have created 2 services for VPN users accessing over Cisco ASA.

Service #1 is WEBAUTH type (Web based health check only). Here we check firewall status and as a result we get a HEALTHY or QUARANTINE posture token. In general, this works fine because the token is updated when we enable/disable the firewall.

Service #2 is RADIUS type (RADIUS enforcement Generic). Our intention is to apply a certain policy depending on the posture token we created in service #1.

Our problem is that we always get token status UNKNOWN for service #2.

We have managed to set up a similar setup with Aruba Instant AP, and when I compare the Access Tracker output I see that the one for Instant AP has the RADIUS response attribute Radius:IETF:Calling-Station-Id with the MAC address of the client as a value.

So my questions are:

1) Is Radius:IETF:Calling-Station-Id a key attribute in order to reuse the token in service #2?

2) Is there any tech note for ClearPass and ASA VPN integration?

Thanks


Occasional Contributor I
Posts: 7
Registered: ‎10-19-2015

Re: Cisco ASA VPN with OnGuard posture checks

It's related to Cisco; Cisco supports ISE for this task, not any other vendor.
MCR
Occasional Contributor I
Posts: 5
Registered: ‎03-19-2013

Re: Cisco ASA VPN with OnGuard posture checks

So you're saying that Cisco ASAs won't support a RADIUS response for enforcement from a posture check from CPPM?

Guru Elite
Posts: 7,869
Registered: ‎09-08-2010

Re: Cisco ASA VPN with OnGuard posture checks

You would use a change of authorization after the successful posture check. 

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 7
Registered: ‎10-19-2015

Re: Cisco ASA VPN with OnGuard posture checks

We have tried that, but it's not working well. The CoA doesn't work well: it does the health check but doesn't take the user to the next step; it keeps checking over and over.

The partner engineer said to us in the end that it is an issue from the Cisco side, I mean the Cisco partner.

If you have successful working steps, please provide me with them; I will be very glad to have them.

With Cisco side config.

MVP
Posts: 470
Registered: ‎05-11-2011

Re: Cisco ASA VPN with OnGuard posture checks

Muhammed - did you get any further with this?


From my research this seems to only work with Cisco ISE. Reason being that Clearpass expects Client-MAC-address to be present for any Radius CoA to be triggered - or so that is what I've found. 


There are a number of guides detailing Cisco ASA VPN/Anyconnect Posture assessment with Cisco ISE, and that this was possible with Radius CoA just in the past year (from ISE 1.2 patch 5 and ASA 9.2.1 / ASDM 7.2(1) or later).


Also - in the WEBAUTH there is no Connection:NAD-IP-Address (Error on Log) which might mean that Clearpass is lacking some other parameters needed for this process to go correctly.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
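The gap John describes (the ASA VPN request not carrying the attributes ClearPass uses to tie the posture token back to the endpoint), illustrated with an added example that is not from this thread or from ClearPass or Cisco: a small parser for the attribute list of a RADIUS Access-Request that reports whether Calling-Station-Id (type 31) and NAS-IP-Address (type 4) are present, so you can confirm from a capture of the NAS's request what it actually sends before troubleshooting the service. The packet bytes, attribute sets and the `posture_correlation_gaps` check are constructed for this example and mirror the thread's observation, not a documented ClearPass rule.

```python
# Added example (not from the thread): parse a RADIUS Access-Request's AVPs and
# report whether the attributes the thread identifies as needed for posture-token
# correlation (Calling-Station-Id, NAS-IP-Address) are present.
import struct

USER_NAME = 1            # RFC 2865 attribute types
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31

def build_radius_request(attrs, identifier=1):
    """Build a minimal Access-Request (code 1) from (type, value) pairs.
    The 16-byte Request Authenticator is zeroed: only the AVP layout matters here."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16)
    return header + body

def parse_attributes(packet):
    """Return {type: [value, ...]} for the AVPs following the 20-byte header,
    rejecting packets whose length fields do not add up."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs

def posture_correlation_gaps(packet):
    """Names of the correlation attributes missing from the request (constructed check)."""
    attrs = parse_attributes(packet)
    missing = []
    if CALLING_STATION_ID not in attrs:
        missing.append("Calling-Station-Id")
    if NAS_IP_ADDRESS not in attrs:
        missing.append("NAS-IP-Address")
    return missing

# Constructed samples: an AP-style request carrying the client MAC and NAS address,
# and a VPN-style request that identifies only the user.
AP_REQUEST = build_radius_request([
    (USER_NAME, b"alice"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
])
VPN_REQUEST = build_radius_request([(USER_NAME, b"alice")])

if __name__ == "__main__":
    print(posture_correlation_gaps(AP_REQUEST))   # []
    print(posture_correlation_gaps(VPN_REQUEST))  # ['Calling-Station-Id', 'NAS-IP-Address']
```

To use it on real traffic, feed the UDP payload of the ASA's Access-Request (e.g. exported from a packet capture) to `posture_correlation_gaps` instead of the constructed samples.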
Occasional Contributor I
Posts: 7
Registered: ‎10-19-2015

Re: Cisco ASA VPN with OnGuard posture checks

A long time ago we got the same result, and the case is closed for us now.
Thank you for the response :)
