Contributor I
Posts: 34
Registered: 03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

And the enforcement policy:

[screenshot: enf_policy.jpg]

HEALTY - is a Post Authentication enforcement profile. Not relevant.

Cisco_coa_dACL_test contains:

RADIUS:Cisco Cisco-IP-Downloadable-ACL deny ip any any

Thanks,

Balazs

Thanks,
Balazs
Guru Elite
Posts: 8,178
Registered: 09-08-2010

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Try sending a generic Cisco CoA for the healthy enforcement and then use a dACL in your VPN authentication service.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 34
Registered: 03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

I don't know the terminology.

My workaround is:

1.) Client opens a VPN session (Cisco IPsec)

2.) ASA sends the authentication to ClearPass (802.1X Wired service, RADIUS)

3.) Client is authenticated

4.) The OnGuard agent collects and sends information to ClearPass (WEBAUTH)

5.) ClearPass sends the RADIUS CoA action to the ASA depending on whether the user is healthy or not healthy

Where can I insert the reauth?

Thanks,

Balazs

Thanks,
Balazs
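As an added example (not from this thread, and not ClearPass or Cisco code), here is the RFC 5176 CoA exchange the workflow above relies on, ClearPass to ASA and the ACK back, so a captured CoA that "does nothing" can at least be checked for a shared-secret mismatch on either side. Vendor id 9 and Cisco-AVPair are standard; the `ip:inacl#N=` encoding of the dACL and the shared secret are assumptions.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
ATTR_USER_NAME, ATTR_VSA = 1, 26                    # standard RADIUS attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                # Cisco VSA: vendor 9, Cisco-AVPair = type 1

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a Cisco vendor attribute inside a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request; Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident & 0xFF, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def build_coa_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """CoA-ACK/NAK; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS (the ASA) checks before acting on a CoA-Request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the server (ClearPass) checks on the CoA-ACK/NAK it gets back."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(auth, expected)

def demo() -> tuple:
    """Constructed exchange: request carrying a dACL VSA, the ACK, then a wrong-secret check."""
    secret = b"constructed-shared-secret"
    # Assumption: the ASA downloadable ACL is carried as Cisco-AVPair "ip:inacl#N=<ace>";
    # the thread names the ClearPass attribute Cisco-IP-Downloadable-ACL but not its wire form.
    attrs = avp(ATTR_USER_NAME, b"balazs") + cisco_vsa(CISCO_AVPAIR, b"ip:inacl#1=deny ip any any")
    req = build_coa_request(7, attrs, secret)
    ack = build_coa_response(COA_ACK, req, b"", secret)
    return (verify_request(req, secret), verify_response(ack, req, secret), verify_request(req, b"wrong-secret"))
```

If `verify_request` fails on a capture of the real ClearPass-to-ASA packet, the ASA will silently drop it, which looks exactly like "nothing happens".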
Contributor I
Posts: 34
Registered: 03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

This is the CP generic Cisco CoA Reauth session action:

[screenshot: generic_cisco_coa.jpg]

If ClearPass sends this message after the webauth, nothing happens.

Thanks,

Balazs

Thanks,
Balazs
Contributor I
Posts: 34
Registered: 03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Any idea?

Thanks,
Balazs
Contributor II
Posts: 56
Registered: 04-13-2009

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

We are currently trying to do the same thing with no luck. We are on the phone with Cisco and Aruba TAC. I will post if they find a solution.

Contributor I
Posts: 34
Registered: 03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

On my side the dACL works between the ASA and ClearPass.

Thanks,
Balazs
Contributor II
Posts: 56
Registered: 04-13-2009

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Correct. We can get the dACL to work as well. However, it requires us bouncing the client. So basically we got it working, but the workflow would be like this.

User VPNs in. We authenticate with a redirect to the website (we don't know health yet), then the client checks health. If healthy (we would like to CoA and get a dACL allow all); however, we got it to work with a bounce of the client, and then they would reauthenticate, come in with a healthy tag and get the allow-all dACL.

This was a little too end-user intensive, and also on the recheck of the client, if they became unhealthy we had no way to CoA them back to the web page.

TAC couldn't figure it out either, and now it is with the development team. We followed the white paper on Arubapedia exactly with no luck.

Contributor I
Posts: 34
Registered: 03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Thanks for your feedback, it is so disappointing.

If I use the native OnGuard agent I can use the CoA message. But there is no redirection.

I'm trying to figure out the dissolvable agent workflow with CoA too, but I haven't had any success.

Thanks,
Balazs
Contributor II
Posts: 56
Registered: 04-13-2009

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Cool. I just got updated by TAC with a ClearPass Bug ID and they are working on a patch. I will give an update once I get the patch and test it to verify that it works.
