09-10-2015 11:56 PM
I have to configure a service to check the health of the VPN users coming in on the ASA firewall. I have created the posture services to check the health of the users; after checking the health, I want to terminate the user's session and give the desired role, healthy or quarantine. So which kind of service do I need to create, and what kind of terminate session do I need to send to the ASA firewall to give the desired role?
09-13-2015 08:32 AM
Do you have any experience with doing this on other devices, i.e. Aruba controllers or such? It might be a daunting task if this is your first ClearPass deployment. Do you have an Aruba partner that can help out?
This document from Cisco points out how to set up the terminating (based on RADIUS CoA) in combination with their ClearPass-like solution, ISE. If you understand ClearPass well enough it should be possible to build something similar.
09-14-2015 12:25 AM
Thanks for your reply.
To make it clear, we have a VPN on the Cisco ASA using the AnyConnect module. In the normal scenario, i.e. on the internal network, when a client connects to any network, wired or wireless, I have configured dot1x authentication, so the network devices pass the query to CPPM. In CPPM I have created separate services for wired and wireless to check machine and user authentication. In the meantime there is one more posture policy running to check my endpoint health conditions. So while this process is happening I will be in the quarantine VLAN; after passing my posture policy, CPPM will send a healthy bounce to the OnGuard agent on the endpoint, so the agent will automatically disconnect and reconnect me to the full-access VLAN. So I want the same scenario for VPN users connecting from the internet.
09-14-2015 01:43 AM
Have you read the info at the link in my previous post? It explains how to do the ASA side; for the rest you are just doing things similar to wireless / wired, only using different enforcement.
09-15-2015 05:32 AM
Thanks for your document, it is really helpful.
But I am unable to select web redirection in CPPM. If I select that option I do not get the option to select my DACLs; I can only bounce or terminate the session. And if I select RADIUS CoA I have the option to select my DACLs, so it would really help if you could guide me on how to send CoA in webauth to the ASA firewall.
09-15-2015 09:16 AM
Yeah, that makes sense: you can't do a RADIUS CoA from a web auth, they are different services.
But why do you want to do a web redirection? You asked about terminating a session and now this web redirection comes up; I don't see where it fits.
Can't you do the CoA on the RADIUS requests from the ASA? That is how they do it in that Cisco document and that is how I do it with similar deployments. With OnGuard you combine RADIUS and web auth on the whole.
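The thread turns on the difference between terminating a VPN session and changing its authorization over RADIUS. As an added illustration (not part of this thread, not ClearPass or Cisco code), the block below builds the two RFC 5176 dynamic-authorization messages a server such as CPPM would send to a NAS such as the ASA: a Disconnect-Request (code 40, the "terminate") and a CoA-Request (code 43, which carries the new authorization). The shared secret, session identifiers and the `HEALTHY-ACL` Filter-Id value are constructed placeholders; a real ASA deployment may expect vendor-specific attributes instead, which the Cisco document referenced above covers.

```python
import hashlib
import hmac
import struct

# RFC 5176 dynamic-authorization packet codes
DISCONNECT_REQUEST = 40   # tear the session down ("terminate")
COA_REQUEST = 43          # keep the session, change its authorization

# Standard RADIUS attribute types (RFC 2865 / RFC 2866)
USER_NAME = 1
FILTER_ID = 11
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_dynauth_packet(code: int, identifier: int, secret: bytes,
                         attrs: list[tuple[int, bytes]]) -> bytes:
    """Build a Disconnect-Request or CoA-Request.

    RFC 5176 defines the Request Authenticator as
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret),
    which is how the NAS checks the request really came from its server.
    """
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("code is not a dynamic-authorization request")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS side does on receipt: recompute and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # placeholder, not a real secret
    session = [(USER_NAME, b"vpnuser"),             # constructed session keys
               (ACCT_SESSION_ID, b"0x0a"), (CALLING_STATION_ID, b"203.0.113.10")]
    print(build_dynauth_packet(DISCONNECT_REQUEST, 7, secret, session).hex())
    print(build_dynauth_packet(COA_REQUEST, 8, secret,
                               session + [(FILTER_ID, b"HEALTHY-ACL")]).hex())
```

The session-identifying attributes (User-Name, Acct-Session-Id, Calling-Station-Id) must match what the NAS reported in its own RADIUS requests, which is why the thread recommends driving CoA from the ASA's RADIUS service rather than from a web-auth service.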