03-09-2016 01:58 AM
I have created 2 services for VPN users accessing over Cisco ASA.
Service #1 is WEBAUTH type (Web based health Check only). Here we check firewall status and as a result we get HEALTHY or QUARANTINE posture token. In general, this works fine because the token is updated when we enable/disable firewall.
Service #2 is RADIUS type (RADIUS enforcement Generic). Our intention is to apply certain policy depending on the posture token we created in service #1.
Our problem is that we always get token status UNKNOWN for service #2.
We have managed to set up a similar setup with Aruba Instant AP, and when I compare the Access Tracker output I see that the one for Instant AP has the RADIUS response attribute Radius:IETF:Calling-Station-Id with the MAC address of the client as its value.
So my questions are:
1) Is Radius:IETF:Calling-Station-Id a key attribute in order to reuse the token in service #2?
2) Is there any tech note for ClearPass and ASA VPN integration?
05-01-2016 12:58 PM
We have tried that, but it's not working well. The CoA doesn't work well: it does the health check but doesn't take the user to the next step; it keeps checking over and over.
The partner engineer told us in the end that it is an issue from the Cisco side, I mean the Cisco partner.
If you have successful working steps, please provide me with them, with the Cisco side config. I will be very glad to have them.
10-17-2016 11:10 PM
Muhammed - did you get any further with this?
From my research this seems to only work with Cisco ISE. The reason is that ClearPass expects the client MAC address to be present for any RADIUS CoA to be triggered - or at least that is what I've found.
There are a number of guides detailing Cisco ASA VPN/AnyConnect posture assessment with Cisco ISE, and this only became possible with RADIUS CoA in the past year (from ISE 1.2 patch 5 and ASA 9.2.1 / ASDM 7.2(1) or later).
Also - in the WEBAUTH there is no Connection:NAD-IP-Address (error in the log), which might mean that ClearPass is lacking some other parameters needed for this process to go correctly.
-ACMX #316 :: ACCP-
Intelecom - Norway
03-29-2017 12:31 PM - edited 03-29-2017 12:34 PM
Does this mean that the issue still has not been resolved but Aruba/HPE is not pursuing it any further?
What I've noticed is that when I've tried to get this working for several customers that are wanting an OnGuard posture check for "unmanaged/non-corporate" devices, the WebAuth portion works for OnGuard and records the virtual MAC address from the WebAuth attempt. They can then successfully auth to the VPN, but the MAC recorded is the physical MAC of the port on the device connecting to the VPN. So both individual services are successful, but the posture response from the VPN service is listed as "unknown" because the MACs are different between what was recorded for the device's WebAuth attempt from OnGuard and the VPN auth attempt. Therefore the cached information for the user's device exists but doesn't line up and is not applied to the VPN auth service attempt. These customers don't want to have to auth the OnGuard client, which is the only other mechanism that I can find to match the identity of the WebAuth attempt and the VPN auth attempt. We've also tried putting the desired enforcement responses on the WebAuth instead of the VPN auth (RADIUS), but the ASA doesn't receive them unless they are coming from the RADIUS based service. It won't work with OnGuard's WebAuth based service, from what we can tell from Cisco debugs on the ASA, etc.
A solution to this would be nice. If it's not definitively possible at this time, it would also be good to know so that I can help our sales teams not oversell capabilities that aren't there without very specific constraints. If these use cases were in fully managed environments we may have some other options to correct the OnGuard agent's behavior, but I haven't found anything that applies to the unmanaged/Guest/BYOD use cases for OnGuard and Cisco ASA VPNs to date.
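As an added troubleshooting example (not from this thread, and not ClearPass's own code), the script below models the MAC-keyed posture cache lookup the posts above describe: the WEBAUTH service stores the token under the MAC OnGuard reported, the RADIUS (VPN) service looks it up under the Calling-Station-Id the ASA sent, and a mismatch yields UNKNOWN. The Access Tracker-style records are constructed sample data; the field names, MAC values and lookup logic are assumptions for illustration, and MAC normalization across colon, hyphen and dotted formats is included so that a pure formatting difference is not mistaken for the virtual-vs-physical MAC problem.

```python
import re
from dataclasses import dataclass


@dataclass
class Record:
    service_type: str            # "WEBAUTH" (health check) or "RADIUS" (VPN auth)
    username: str
    calling_station_id: str      # MAC as the agent or NAD reported it (constructed)
    posture_token: str = ""      # set by the WEBAUTH health check only


def normalize_mac(mac):
    """Collapse 00:11:22:33:44:55, 00-11-22-33-44-55 and 0011.2233.4455 to 001122334455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None


def build_cache(records):
    """Emulate the posture cache: latest WEBAUTH token keyed by normalized MAC."""
    cache = {}
    for r in records:
        key = normalize_mac(r.calling_station_id)
        if r.service_type == "WEBAUTH" and r.posture_token and key:
            cache[key] = r
    return cache


def posture_for_vpn_attempt(cache, vpn):
    """Look up the VPN request's Calling-Station-Id in the cache; return (token, reason)."""
    key = normalize_mac(vpn.calling_station_id)
    if key is None:
        return "UNKNOWN", "no usable Calling-Station-Id in the VPN request"
    if key in cache:
        return cache[key].posture_token, "cached token matched by MAC"
    same_user = [r for r in cache.values() if r.username == vpn.username]
    if same_user:
        return "UNKNOWN", (f"token for {vpn.username} is cached under MAC "
                           f"{same_user[0].calling_station_id}, VPN request sent "
                           f"{vpn.calling_station_id}")
    return "UNKNOWN", "no health check on record for this endpoint"


# Constructed sample: alice's OnGuard WebAuth reports a virtual adapter MAC while the ASA
# reports the physical MAC; bob's two records differ only in MAC formatting.
SAMPLE = [
    Record("WEBAUTH", "alice", "00-05-69-01-02-03", "HEALTHY"),
    Record("RADIUS", "alice", "3c:52:82:aa:bb:cc"),
    Record("WEBAUTH", "bob", "0011.2233.4455", "QUARANTINE"),
    Record("RADIUS", "bob", "00:11:22:33:44:55"),
]


def evaluate(records):
    """Return {username: (token, reason)} for every RADIUS (VPN) attempt in records."""
    cache = build_cache(records)
    return {r.username: posture_for_vpn_attempt(cache, r)
            for r in records if r.service_type == "RADIUS"}
```

Running `evaluate(SAMPLE)` shows alice resolving to UNKNOWN with the two differing MACs in the reason, while bob's token is found once both MACs are normalized.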