03-09-2016 01:58 AM
I have created 2 services for VPN users accessing over Cisco ASA.
Service #1 is WEBAUTH type (Web based health check only). Here we check the firewall status and as a result we get a HEALTHY or QUARANTINE posture token. In general, this works fine because the token is updated when we enable/disable the firewall.
Service #2 is RADIUS type (RADIUS enforcement Generic). Our intention is to apply a certain policy depending on the posture token we created in service #1.
Our problem is that we always get token status UNKNOWN for service #2.
We have managed to set up a similar setup with Aruba Instant AP, and when I compare the Access Tracker output I see that the one for Instant AP has the RADIUS response attribute Radius:IETF:Calling-Station-Id with the MAC address of the client as its value.
So my questions are:
1) Is Radius:IETF:Calling-Station-Id a key attribute in order to reuse the token in service #2?
2) Is there any tech note for ClearPass and ASA VPN integration?
05-01-2016 12:58 PM
We have tried that, but it's not working well. The CoA doesn't work well: it does the health check but doesn't take the user to the next step; it keeps checking over and over.
The partner engineer told us in the end that it is an issue from the Cisco side, I mean the Cisco partner.
If you have successful working steps, please provide them to me; I will be very glad to have them,
with the Cisco side config.
10-17-2016 11:10 PM
Muhammed - did you get any further with this?
From my research this seems to only work with Cisco ISE. The reason being that ClearPass expects the client MAC address to be present for any RADIUS CoA to be triggered - or at least that is what I've found.
There are a number of guides detailing Cisco ASA VPN/AnyConnect posture assessment with Cisco ISE, and this became possible with RADIUS CoA just in the past year (from ISE 1.2 patch 5 and ASA 9.2.1 / ASDM 7.2(1) or later).
Also - in the WEBAUTH there is no Connection:NAD-IP-Address (error in the log), which might mean that ClearPass is lacking some other parameters needed for this process to go correctly.
-ACMX #316 :: ACCP-
Intelecom - Norway