11-17-2015 07:05 AM
And the enforcement policy:
HEALTY - is a Post Authentication enforcement profile. Not relevant.
RADIUS:Cisco Cisco-IP-Downloadable-ACL deny ip any any
11-17-2015 07:07 AM
11-17-2015 07:22 AM
I don't know the terminology.
My workaround is:
1.) Client open a VPN session (Cisco IPSec)
2.) ASA send the authentication to the ClearPass (802.1x Wired service RADIUS)
3.) Client authenticated
4.) The OnGuard agent collect and send an information to the ClearPass (WEBAUTH)
5.) ClearPass send the RADIUS CoA action to the ASA depends on the user is healthy or not healthy
where can I insert the reauth ?
01-05-2016 04:48 AM
Correct. We can get the Dacl to work as well. However, it requires us bouncing the client. So basicially we got it working but the workflow would be like this.
User VPN's in. We authenticate with a redirct to the website (we don't know health yet) then the client checks health. If healthy (we would like to coa and get a Dacl allow all) however we got it to work with a bounce of the client and then they would reauthenticate come in with a healthy tag and get the allow all Dacl.
This was a little too End-User intensive and also on the recheck of the client if they became unhealthy we had no way to COA them back to the web page.
TAC couldn't figure it out either and now it is in the development team. We followed the white paper on Arubapedia exactly with no luck..
01-06-2016 01:40 AM
Thanks for your feedback, it is so disappointing.
If I use native onguard agent I can use CoA message. But there is not redirection.
I'm trying to figure out the dissolvable agent workflow too with coa, but I haven't any success.
01-06-2016 03:52 AM
Cool. I just got updated by TAC with a Clearpass Bug ID and they are working on a patch. I will give an update once I get the patch and I test it to verify that it works.