Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Thanks for your feedback!

Thanks,
Balazs
Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Can you provide me the ClearPass Bug ID?
Thanks,
Balazs
Contributor II
Posts: 56
Registered: ‎04-13-2009

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

TAC has determined the ClearPass problem and assigned it bug #31475. I am currently working with the product manager to get a patch built. Will keep you posted.

New Contributor
Posts: 1
Registered: ‎12-09-2013

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Hello John,

I have read the new ClearPass 6.6.0 release notes, but this document does not contain this Bug ID. Do you have any information on it?


Thanks,
Balazs
MVP
Posts: 510
Registered: ‎05-11-2011

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Hello guys

John and Balazs - did you figure this out eventually? I'm unable to find this bug-id in any of the 6.6 patches or the 6.5.x patches. I'm assuming then that the bug is still in effect.

Are there other ways to do this without the need for a bounce to trigger the CoA correctly?

6.6.0 introduced some new features in relation to Cisco ASA. Did this help this issue in any way?

* ClearPass 6.6 is now able to extract the auth-session-id from CiscoAVPair VSA to use in Change of Authorization (CoA). The username value is now used as the key when creating or querying a session in a multi-master session cache. This makes it possible to send a CoA when the Calling-Station-ID value includes the IP address format. To use this feature, in Policy Manager go to Configuration > Enforcement > Profiles, copy the default [Cisco - Terminate Session] profile, and modify it to include the Cisco-AVPair attribute. For more information on configuration, testing, and troubleshooting, refer to the Policy Manager 6.6 User Guide. (#17812)

* Cisco ASA requires the audit Session ID in the RADIUS Change of Authorization (CoA) message. ClearPass extracts the audit-session-id from the VPN RADIUS authentication message. There are new properties to cache the Cisco-AVPair with the value that contains the audit-session-id. These properties can be used to cache any custom attribute that contains the particular value. (#24403)

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Hi John,

I'm using Radius:IETF:Filter-Id and it works fine for me. You can see my Enforcement profile below:

asa_coa_community.png

Thanks,
Balazs
MCR
Occasional Contributor I
Posts: 8
Registered: ‎03-19-2013

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

What does your "Filter-ID" reference? A "named" ACL on the VPN? Was there any luck getting a dACL working? This article doesn't clarify that. Thanks.

Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

Yes, the "office" Filter-Id reference is a named access-list on the ASA.

For example:

access-list office extended permit ip any any

This is the only way that works for me. The dACL doesn't work in CoA.

Thanks,
Balazs
MVP
Posts: 510
Registered: ‎05-11-2011

Re: ClearPass sends to Cisco ASA dACL RADIUS CoA

The Filter-Id is the name of the ACL. You can do dACL, but only in the RADIUS reply, not in the RADIUS CoA. I'm not sure why, but I think it's just a limitation of the input field. Try it and you'll see what I mean. In RADIUS CoA the input field is just a dropdown, but in RADIUS it's a text input.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
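Added example, not code from the thread or from ClearPass: a constructed RADIUS CoA-Request (RFC 5176) carrying the two attributes discussed in this thread, a Cisco-AVPair VSA with the audit-session-id the ASA requires and Filter-Id naming the ASA access-list, plus the Request Authenticator check the receiving NAS performs. The session id, shared secret and ACL name are made-up values.

```python
import hashlib
import hmac
import struct

# Constructed demo of the RADIUS CoA-Request wire format (RFC 5176).
# Values below are invented; nothing here is captured from a real ClearPass/ASA.
COA_REQUEST = 43        # RADIUS Code for CoA-Request
ATTR_FILTER_ID = 11     # IETF Filter-Id: name of an ACL on the NAS
ATTR_VSA = 26           # Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1        # Cisco vendor type for Cisco-AVPair


def avp(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 9 / Cisco-AVPair (1)."""
    v = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v
    return avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa(secret: bytes, ident: int, audit_session_id: str, filter_id: str) -> bytes:
    """CoA-Request with audit-session-id (what the ASA keys on) and Filter-Id."""
    attrs = cisco_avpair(f"audit-session-id={audit_session_id}") + avp(ATTR_FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa(secret: bytes, packet: bytes) -> bool:
    """What the NAS does on receipt: recompute the authenticator with its shared secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list, decoding Filter-Id and any Cisco-AVPair values."""
    out, i = {}, 20
    while i < len(packet):
        t, ln = packet[i], packet[i + 1]
        val = packet[i + 2:i + ln]
        if t == ATTR_FILTER_ID:
            out["Filter-Id"] = val.decode()
        elif t == ATTR_VSA and int.from_bytes(val[:4], "big") == CISCO_VENDOR_ID and val[4] == CISCO_AVPAIR:
            out.setdefault("Cisco-AVPair", []).append(val[6:4 + val[5]].decode())
        i += ln
    return out
```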