
Cisco ASA VPN with OnGuard posture checks

  • 1.  Cisco ASA VPN with OnGuard posture checks

    Posted Mar 09, 2016 04:58 AM

    Hi,

    I have created 2 services for VPN users accessing over Cisco ASA.

    Service #1 is WEBAUTH type (Web-based health check only). Here we check firewall status and as a result we get a HEALTHY or QUARANTINE posture token. In general, this works fine because the token is updated when we enable/disable the firewall.

    Service #2 is RADIUS type (RADIUS Enforcement Generic). Our intention is to apply a certain policy depending on the posture token we created in service #1.

    Our problem is that we always get token status UNKNOWN for service #2.

    We have managed to set up a similar setup with Aruba Instant AP, and when I compare the Access Tracker output I see that the one for Instant AP has the RADIUS response attribute Radius:IETF:Calling-Station-Id with the MAC address of the client as a value.

    So my questions are:

    1) Is Radius:IETF:Calling-Station-Id the key attribute needed in order to reuse the token in service #2?

    2) Is there any tech note for ClearPass and ASA VPN integration?

    Thanks



  • 2.  RE: Cisco ASA VPN with OnGuard posture checks

    Posted Apr 30, 2016 08:20 AM
    It's related to Cisco; Cisco supports ISE for this task, not any other vendor.


  • 3.  RE: Cisco ASA VPN with OnGuard posture checks

    Posted May 01, 2016 11:15 AM

    So you're saying that Cisco ASAs won't support a RADIUS response for enforcement from a posture check from CPPM?



  • 4.  RE: Cisco ASA VPN with OnGuard posture checks

    EMPLOYEE
    Posted May 01, 2016 11:36 AM
    You would use a change of authorization after the successful posture check. 


  • 5.  RE: Cisco ASA VPN with OnGuard posture checks

    Posted May 01, 2016 03:58 PM

    We have tried that, but it's not working well. The CoA doesn't work well: it does the health check but doesn't take the user to the next step; it keeps checking over and over.

    The partner engineer told us in the end that it is an issue from the Cisco side, I mean the Cisco partner.

    If you have successful working steps, please provide me with them; I will be very glad to have them.

    With Cisco-side config.



  • 6.  RE: Cisco ASA VPN with OnGuard posture checks

    Posted Oct 18, 2016 02:10 AM

    Muhammed - did you get any further with this?

    From my research this seems to only work with Cisco ISE. The reason being that ClearPass expects the Client-MAC-address to be present for any RADIUS CoA to be triggered - or at least that is what I've found.

    There are a number of guides detailing Cisco ASA VPN/AnyConnect posture assessment with Cisco ISE, and this has only been possible with RADIUS CoA in the past year (from ISE 1.2 patch 5 and ASA 9.2.1 / ASDM 7.2(1) or later).

    Also - in the WEBAUTH there is no Connection:NAD-IP-Address (error in the log), which might mean that ClearPass is lacking some other parameters needed for this process to work correctly.



  • 7.  RE: Cisco ASA VPN with OnGuard posture checks

    Posted Oct 18, 2016 02:35 AM

    A long time ago we got the same result, and the case is closed for us now.
    Thank you for the response :)



  • 8.  RE: Cisco ASA VPN with OnGuard posture checks

    Posted Mar 29, 2017 03:31 PM

    Does this mean that the issue still has not been resolved but Aruba/HPE is not pursuing it any further?

     

    What I've noticed is that when I've tried to get this working for several customers that are wanting an OnGuard posture check for "unmanaged/non-corporate" devices, the WebAuth portion works for OnGuard and records the virtual MAC address from the WebAuth attempt.  They can then successfully auth to the VPN, but the MAC recorded is the physical MAC of the port on the device connecting to the VPN.  So both individual services are successful, but the posture response from the VPN service is listed as "unknown" because the MACs are different between what was recorded for the device's WebAuth attempt from OnGuard and the VPN auth attempt.  Therefore the cached information for the user's device exists but doesn't line up and is not applied to the VPN auth service attempt.  These customers don't want to have to auth the OnGuard client, which is the only other mechanism that I can find to match the identity of the WebAuth attempt and the VPN auth attempt.  We've also tried putting the desired enforcement responses on the WebAuth instead of the VPN auth (RADIUS), but the ASA doesn't receive them unless they're coming from the RADIUS-based service.  It won't work with OnGuard's WebAuth-based service from what we can tell from Cisco debugs on the ASA, etc.

    A solution to this would be nice.  If it's not definitively possible at this time, it would also be good to know so that I can help our sales teams not oversell capabilities that aren't there without very specific constraints.  If these use cases were in fully managed environments we may have some other options to correct the OnGuard agent's behavior, but I haven't found anything that applies to the unmanaged/Guest/BYOD use cases for OnGuard and Cisco ASA VPNs to date.
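    The MAC mismatch described in the post above, as an added toy model that is not part of the thread or of ClearPass: two constructed Access Tracker style records (one per service, values made up) are correlated through a posture cache keyed on Calling-Station-Id, which is the behaviour the thread reports, and then through an identity both services share. The real ClearPass lookup logic is not reproduced here.

```python
"""Toy model of why the VPN RADIUS service sees posture token UNKNOWN.

The records below are constructed, not real ClearPass output. The posture
cache is modelled as keyed on the client MAC (Calling-Station-Id), which is
the behaviour the thread describes; actual ClearPass internals are assumed.
"""
import re

UNKNOWN = "UNKNOWN"

# Constructed sample records, one per service (values are made up).
WEBAUTH_RECORD = (
    "Service=OnGuard WebAuth Health Check; Username=jdoe; "
    "Calling-Station-Id=02-00-4c-4f-4f-50; Posture-Token=HEALTHY"   # virtual MAC
)
VPN_RECORD = (
    "Service=ASA VPN RADIUS; Username=jdoe; "
    "Radius:IETF:Calling-Station-Id=3C:22:FB:12:34:56; Posture-Token="   # NIC MAC
)


def parse_record(rec: str) -> dict:
    """Split 'key=value; key=value' into a dict, dropping any 'Radius:IETF:' prefix."""
    fields = {}
    for part in rec.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.split(":")[-1]] = value
    return fields


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, separator-free form so 00-11 and 00:11 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def posture_for(webauth: str, vpn: str, key: str = "Calling-Station-Id") -> str:
    """Token the VPN service inherits when the posture cache is keyed on `key`."""
    w, v = parse_record(webauth), parse_record(vpn)
    norm = normalize_mac if key == "Calling-Station-Id" else str.lower
    cache = {norm(w[key]): w["Posture-Token"]}   # populated by the WebAuth service
    return cache.get(norm(v[key]), UNKNOWN)      # lookup done by the VPN service


if __name__ == "__main__":
    # Keyed on MAC: OnGuard's virtual MAC never equals the NIC MAC the ASA reports.
    print("MAC-keyed:  ", posture_for(WEBAUTH_RECORD, VPN_RECORD))              # UNKNOWN
    # Keyed on an identity both services carry (the OnGuard auth + health path).
    print("User-keyed: ", posture_for(WEBAUTH_RECORD, VPN_RECORD, "Username"))  # HEALTHY
```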



  • 9.  RE: Cisco ASA VPN with OnGuard posture checks

    EMPLOYEE
    Posted Mar 29, 2017 03:42 PM

    You have to use OnGuard authentication + health with Cisco ASA.