Security

MVP
Posts: 104
Registered: ‎01-27-2016

OnGuard -CoA with Cisco ASA and AnyConnect

I have this partially working. The AnyConnect client will connect and have an UNKNOWN posture status. CPPM will send a DACL with a restrictive ACL. This works fine. Now that it is connected, OnGuard checks in and reports Healthy. The OnGuard WEBAUTH service is configured to send down a RADIUS:IETF/Filter-ID calling an ACL "allowall" that exists on the ASA. I see in Access Tracker that this supposedly happened. This however does appear to have really occurred. The Client remains in the Restricted state with the previous ACL still in place. What might I be doing wrong?

 

I checked CoA on the CPPM Device as well as the RADIUS Dynamic-Authorization Port 3799 on the ASA. Both are configured. 

 

 

I would prefer to send a DACL from the WEBAUTH service instead of the Filter-ID but it doesn't appear I can do this.

 

Any help would be great. Thanks! 

MVP
Posts: 505
Registered: ‎05-11-2011

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Hello!!

 

Did you complete this? I'm working on the same thing, but I'm not at all familiar with Cisco ASA so it's small baby steps.

Right now I'm stuck at seeing the ASA send the client public IP as the framed-ip instead of the inner-ip. I want that changed to the IP and then combine that with session-id to return the CoA message..

It looks like you already got that dACL part going.. Any chance you can share how you did that?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 104
Registered: ‎01-27-2016

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Hey John,

 

Sorry for my super long delay!

 

I followed this guide which got me most of the way there... I am sure you have found this by now.

 

https://arubapedia.arubanetworks.com/afp/index.php/Cisco_VPN_Health

 

Specifically to answer your question, the CPPM Service for VPN Authentication (Generic RADIUS Enforcement with PAP and MSCHAP auth methods) will use a "Cisco VPN Default Access" enforcement that sends down a DACL with the settings you specify. Call this enforcement when the client health is unknown. This ACL should allow the OnGuard agent to report health... then you will be stuck where I am at! It does so and CPPM says it takes action and sends the CoA to set the "ALLOWALL" ACL on the ASA. This doesn't really happen. I can run a debug of dynamic authorizations on the ASA and it does not show any activity.

 

If you get anywhere, let me know and I will do the same. 

MVP
Posts: 505
Registered: ‎05-11-2011

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Yep, the same happens with my solution. Working with Aruba now and I'm guessing there needs to be a change involved in CP to do CoA even when the MAC address is not a part of the RADIUS message..

I'll update with any positive findings ;)

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 104
Registered: ‎01-27-2016

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Sounds good. From what I understand, it will use the ASA client's Session ID that is sent to CP during the initial VPN Auth. I do see the SessionID (Cisco AVPair) in Access Tracker and it does match what is reported for the Client on the ASA. There is a disconnect somewhere.

 

I might open a TAC case as well. 

MVP
Posts: 505
Registered: ‎05-11-2011

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Yea that was what I thought after reading the 6.6 release notes, but it's not working out of the box.. I'm working with the ACE team so hopefully we can find a solution. Doing Agent Bounce is not good enough - and doesn't really work since it's not remembering the Posture state..

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 505
Registered: ‎05-11-2011

Re: OnGuard -CoA with Cisco ASA and AnyConnect


So - I got RADIUS CoA working with ASA. Problem is - I'm not quite sure what made it work - yet :D Will retrace my steps and back up a few to see when things stop working again. Then I can possibly write a detail of my lab exercise, as everything is still not as it should be according to OnGuard documentation... I did test after every change, but it didn't work! Then I did something else for 20 minutes, when I came back CP was doing the RADIUS CoA!! *smack head*

 

Parts of the linked arubapedia post are wrong for 6.6. Don't try to import the services directly, as it will fail.. Don't use the special "auth source" for Session ID, as CP does that automatically now. For the Radius_CoA "allowall" profile you replace the now redundant line (audit session log database..) with the value from Radius:Cisco:Cisco-AVPair instead. It will magically select the session-id.

 

Basically the last steps I changed before it started working was:

Clearpass

  Change device type to Cisco (from Cisco-ASA)

  Change CoA port to 3799 (from 1700)

 

Cisco ASA

  aaa-server clearpass protocol radius
    dynamic-authorization port 3799

 

***************

 

Of other things to note in my config.

* We did a packet trace on ClearPass and noted that it did NOT send any CoA message when the solution was failing. Only after the last changes were done did it start sending the CoA.

 

* OK to use a dACL for the quarantine profile, but use an existing ACL on the ASA for the CoA allowall ACL (or a variation of an allow-this-not-that ACL). The reason is that you can only have one line in the CoA profile for downloadable-acl... Only when using the RADIUS profile template "Cisco Downloadable ACL enforcement" can you have more than one, but you can't use this with CoA so..

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 104
Registered: ‎01-27-2016

Re: OnGuard -CoA with Cisco ASA and AnyConnect

All excellent tips and advice! I am glad you got yours working, that brings a lot of hope! I cannot give it a shot until next Monday but will do so then and report back. Thanks!
MVP
Posts: 505
Registered: ‎05-11-2011

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Ok more findings.

 

You will need to set Cisco ASA as “Cisco” device type. Adding "Cisco-ASA" device-type will prevent CoA from working. Yea I know - wtf?

 

Use CoA port 3799 on CP - make sure that is configured on the ASA as well - since default is 1700.

aaa-server clearpass protocol radius
 accounting-mode simultaneous
 interim-accounting-update periodic 1
 dynamic-authorization port 3799

 

For your initial EnfProfile you can use either Downloadable-ACL or target an ACL. This doesn't need to be for redirect, but can be an ACL that permits access to Clearpass. Example ASA ACL which you should tune to your needs:

access-list quarantineCP extended permit udp any any eq domain 
access-list quarantineCP extended permit ip any host 172.20.6.15 
access-list quarantineCP extended deny ip any any

Then your Radius EnfProfile will simply be:

Radius:IETF | 	Filter-Id | 	quarantineCP-ACL

For the Webauth CoA enfProfile you will need to write it EXACTLY as below. If you try to use Downloadable-ACL then the CoA isn't sent from ClearPass.

 

Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair}
Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id}
Radius:IETF | 	Filter-Id | 	allowall-ACL

On ASA use this command to debug:

debug radius dyn-auth

show vpn-sessiondb detail remote

 * Verify the "Filter Name" is the ACL or DACL you want applied after the initial RADIUS and after the CoA is triggered.

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
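The posts above turn on one practical question: when Access Tracker claims a CoA was sent but `debug radius dyn-auth` on the ASA shows nothing, the only reliable check is the packet on the wire (UDP 3799). The following is an added illustration, not code from the thread, from ClearPass or from Cisco: it builds and decodes an RFC 5176 CoA-Request carrying exactly the three attributes of the allowall enforcement profile shown above (Cisco-AVPair, Calling-Station-Id, Filter-Id), and verifies the Request Authenticator the way the NAS does with the shared secret. The shared secret, the audit-session-id value and the client address are constructed sample values; the assumption that the ASA matches the session on the `audit-session-id=` Cisco-AVPair is taken from the thread's own recipe, not from vendor documentation.

```python
"""Build and decode a RADIUS CoA-Request (RFC 5176) with the attributes the
thread's "allowall" enforcement profile sends. All values are constructed;
nothing is transmitted. Added example, not ClearPass or Cisco code."""
import hashlib
import hmac
import struct

COA_REQUEST = 43              # RFC 5176 packet code for CoA-Request
ATTR_FILTER_ID = 11           # RFC 2865 attribute types
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9           # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR = 1              # vendor-type of Cisco-AVPair inside the VSA


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value exceeds RADIUS maximum")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific (26) attribute."""
    inner = attr(CISCO_AVPAIR, text)   # vendor-type, vendor-length, string
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret, identifier, attributes):
    """Serialize a CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """Recompute the authenticator as the NAS would; a secret mismatch between
    ClearPass and the ASA aaa-server makes this fail and the CoA is dropped."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(packet):
    """Return (code, identifier, [(name, value), ...]), unwrapping Cisco VSAs."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = struct.unpack("!BB", value[4:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.append(("Cisco-AVPair", value[6:4 + vlen].decode()))
            else:
                attrs.append(("Vendor-Specific", value))
        elif atype == ATTR_FILTER_ID:
            attrs.append(("Filter-Id", value.decode()))
        elif atype == ATTR_CALLING_STATION_ID:
            attrs.append(("Calling-Station-Id", value.decode()))
        else:
            attrs.append((str(atype), value))
        pos += alen
    return code, identifier, attrs


def audit_session_id(attrs):
    """Pick the audit-session-id out of a Cisco-AVPair, or None if absent.
    Assumption (from the thread): this is what the ASA uses to find the session."""
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("audit-session-id="):
            return value.split("=", 1)[1]
    return None


# Constructed sample: the three lines of the allowall CoA enforcement profile.
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    cisco_avpair("audit-session-id=0A1400010000000A5F9B0C2B"),  # constructed id
    attr(ATTR_CALLING_STATION_ID, "203.0.113.10"),               # documentation IP
    attr(ATTR_FILTER_ID, "allowall-ACL"),
]
PACKET = build_coa_request(SECRET, 7, SAMPLE_ATTRS)

if __name__ == "__main__":
    print(PACKET.hex())
    print(parse_attributes(PACKET))
```

Feeding the bytes of a captured CoA into `parse_attributes` shows at a glance whether the session-identifying AVPair actually left ClearPass, and `verify_request_authenticator` with the ASA's configured key separates a "never sent" problem from a "sent but rejected" one.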
MVP
Posts: 104
Registered: ‎01-27-2016

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Thanks again John. 

 

I am back in the office today to test the configurations. The two things that are different between our configs are the Device Type and the CoA Enforcement Profile Cisco-AVPair. I adjusted both to your recommendations and still a no-go for me. I also am not running 6.6 which may be the big difference. I am still at 6.5.4. I need to get an updated Subscription and update the server. I hope that once that is done, it will work! I will post back.
