Security

 View Only
last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Radius CoA failing to ASA firewall

Jump to Best Answer
This thread has been viewed 41 times
  • 1.  Radius CoA failing to ASA firewall

    Posted Apr 01, 2021 05:20 PM
    I am having a hard time getting my Cisco ASA sslvpn working with Clearpass for authorization. The users can connect and authenticate via my radius service and a radius response is received with attribute filtet-id to assign the user to restrictive ACL only allowing access to DNS and clearpass server. They then do a posture assessment via OnGuard. The WEBAUTH policy is successful but the radius response is not reaching the firewall. Here are the attributes I was trying to send via the WEBAUTH service:

    Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair}
    Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id}
    Radius:IETF | Filter-Id | allowall-ACL

    I first I was not seeing any dynamic-authentication messages on the firewall until I change the device type from Cisco top Cisco-ASA. Once this was changed I started seeing this message:

    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST
    No audit-session-id
    CoA message from 10.10.201.61 is malformed or cannot be validated.
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST
    No audit-session-id
    CoA message from 10.10.201.61 is malformed or cannot be validated.
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0


    When I look into the access tracker I cannot manual do a CoA:


    But for some reason if I look for an older session I can issue a CoA but it does not disconnect successfully:
    28lbasa01(config-tunnel-general)# coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST

    RADIUS packet decode (Disconnect-Request)

    --------------------------------------
    Raw packet data (length = 92).....
    28 ac 00 5c 9f b6 61 1b 86 74 ad 3d 51 8e 69 1d | (..\..a..t.=Q.i.
    7a 4d 21 92 1a 31 00 00 00 09 01 2b 61 75 64 69 | zM!..1.....+audi
    74 2d 73 65 73 73 69 6f 6e 2d 69 64 3d 30 61 30 | t-session-id=0a0
    61 30 31 30 64 30 30 30 34 34 30 30 30 36 30 36 | a010d00044000606
    36 33 35 39 39 06 06 00 00 00 01 1f 11 31 37 34 | 63599........174
    2e 31 39 37 2e 31 34 35 2e 32 33 30 | .197.145.230

    Parsed packet data.....
    Radius: Code = 40 (0x28)
    Radius: Identifier = 172 (0xAC)
    Radius: Length = 92 (0x005C)
    Radius: Vector: 9FB6611B8674AD3D518E691D7A4D2192
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 49 (0x31)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 43 (0x2B)
    Radius: Value (String) =
    61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 | audit-session-id
    3d 30 61 30 61 30 31 30 64 30 30 30 34 34 30 30 | =0a0a010d0004400
    30 36 30 36 36 33 35 39 39 | 060663599
    Radius: Type = 6 (0x06) Service-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x1
    Radius: Type = 31 (0x1F) Calling-Station-Id
    Radius: Length = 17 (0x11)
    Radius: Value (String) =
    31 37 34 2e 31 39 37 2e 31 34 35 2e 32 33 30 | 174.197.145.230
    The source of CoA packet does not match tunnel-group config.
    CoA message from 10.10.201.61 for session 0a0a010d0004400060663599 is inconsistent with the application configuration.
    Failed to find aaa-server for CoA Request
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0

    Its obvious to me why this does not work because the session Id is not the same but why would I be able to try to Change Status on an older session and not the current session? What does it mean when it says No advertised access control capabilities for this MAC Address? Has anyone been able to get this working successfully?

    ------------------------------
    abraham
    ------------------------------


  • 2.  RE: Radius CoA failing to ASA firewall

    MVP
    Posted Apr 02, 2021 01:58 PM
    So a couple of things....

    It looks like from some of the logs your sending a RADIUS DM, not a Dynamic Authorization {aka CoA} when you perform a manual action.


    What version of ASA/CPPM are you running?
    There should be in your CPPM an ASA Default CoA Template
    I also think that you have to send the SessionId to ASA as part of the CoA request in addition to what you've noted above... I need to check into that...


    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 3.  RE: Radius CoA failing to ASA firewall

    Posted Apr 02, 2021 02:31 PM

    Good afternoon,

     

    I just got off the phone with Aruba technician and though this is still not working he was able to determine why I was not seeing the dynamic-auth debug. Apparently the Enforcement Policy was created using Aerohive – Terminate Session. I created an new profile using the Cisco – Terminate Session and now I am seeing these messages:

     

    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0

    Received RAD_DISCONNECT_REQUEST

    The source of CoA packet does not match tunnel-group config.

    CoA message from 10.10.201.61 for session 0a0a010d0005500060675fea is inconsistent with the application configuration.

    Failed to find aaa-server for CoA Request

    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0

    Received RAD_DISCONNECT_REQUEST

    The source of CoA packet does not match tunnel-group config.

    CoA message from 10.10.201.61 for session 0a0a010d0005500060675fea is inconsistent with the application configuration.

    Failed to find aaa-server for CoA Request

    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0

    Received RAD_DISCONNECT_REQUEST

    The source of CoA packet does not match tunnel-group config.

    CoA message from 10.10.201.61 for session 0a0a010d0005500060675fea is inconsistent with the application configuration.

    Failed to find aaa-server for CoA Request

     

     

    I am running ASA version 9.14.4(2) and Clearpass version 6.8.8.120770.

     

    Ajamu Abraham

    Senior Network Engineer

    Dotdash.com

    28 Liberty

    7th Floor

    New York, NY 10005

    Cell #: 646.257.0453

    "l'argent comptant règne tout autour de moi"

     

     






  • 4.  RE: Radius CoA failing to ASA firewall

    Posted Apr 02, 2021 03:12 PM
    I just upgraded to the newest version of ASA code in the 9.12 train:

    28lbasa01# sh version | in asa
    System image file is "disk0:/asa9-12-4-18-smp-k8.bin"


    The session id is actually pulled by this attribute:
    Radius:Cisco Cisco-AVPair = %{Radius:Cisco:Cisco-AVPair}

    When I run a manual CoA you can see the session id as audit-session-id

    On the firewall I see these messages:
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST
    No audit-session-id
    CoA message from 10.10.201.61 is malformed or cannot be validated.
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST
    No audit-session-id
    CoA message from 10.10.201.61 is malformed or cannot be validated.
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST
    No audit-session-id
    CoA message from 10.10.201.61 is malformed or cannot be validated.

    This is the session ID from the tunnel on the firewall:

    28lbasa01# sh vpn-sessiondb anyconnect | in Sess ID

    Audt Sess ID : 0a0a010d0000100060676978



    ------------------------------
    abraham
    ------------------------------



  • 5.  RE: Radius CoA failing to ASA firewall

    MVP
    Posted Apr 04, 2021 10:46 AM

    When we have added the ASA-FW on Cpass, we have used:

    Service is triggered with:


    Everything works fine, we can Terminate sessions, send dACL, etc.

    Can you share which Radius Dictionary you are using and what elements you are using to trigger the service?



    ------------------------------
    Shpat
    ------------------------------



  • 6.  RE: Radius CoA failing to ASA firewall

    Posted Apr 05, 2021 01:08 PM
    Thank you for the reply. I spent the entire day on Friday working with both Cisco and Aruba trying to figure this out. For some reason the firewall is seeing the dynamic authorization being sent after the client posture check is completed but it is unable to associate it with the tunnel-group:

    Received RAD_DISCONNECT_REQUEST
    The source of CoA packet does not match tunnel-group config.
    CoA message from 10.10.201.61 for session 0a0a010d000180006067a71a is inconsistent with the application configuration.
    Failed to find aaa-server for CoA Request
    coa_process_radius_data: vPifnum:0x6, vcid:0, old_vcid:0
    Received RAD_DISCONNECT_REQUEST
    The source of CoA packet does not match tunnel-group config.
    CoA message from 10.10.201.61 for session 0a0a010d000180006067a71a is inconsistent with the application configuration.
    Failed to find aaa-server for CoA Request

    VPN service:

    Device:

    Enforcement Profile for WEBAUTH:


    Now I have tried using the all sorts of attributes including the tunnel-group name and it still cannot match the incoming CoA with the correct user tunnel. If by RADIUS Dictionary you mean which type of device I am using for the ASA, I am using Cisco and not the device type Cisco-ASA.

    There is one thing I need to point out. For sometime I was having issues getting the correct MAC address consistently on the Radius and webauth service as seen in access tracker. While on the phone with Cisco I found Parse Cisco-AVpair to get device mac set to default value NO.


    When I changed this to yes I stopped seeing the MAC unavailability errors. It feels to me like I might be hitting some sort of bug on the Cisco side so I upgrade to the newest code in the 9.12 code train. I am going to open a separate ticket with the Cisco AAA group instead of the VPN group because i do not think they can help me anymore. Could you tell me which version code you are running?




    ------------------------------
    abraham
    ------------------------------



  • 7.  RE: Radius CoA failing to ASA firewall
    Best Answer

    Posted Apr 09, 2021 04:09 PM
    I was finally able to get this working correctly. I turns out that there was two problems:
    1. WEBUTH could not send the CoA message back to the firewall with the correct session ID
    2. Enforcement Profiles template used

    The main problem seems to be that the WEBUTH could not send the CoA message back to the firewall with the correct session ID. Turns out changing the radius server Service Parameters for Parse Cisco-AVpair to get device mac set to  YES made the WEBAUTH to keep reusing the session-id from prior sessions and there buy creating these error messages:

    The source of CoA packet does not match tunnel-group config.

    CoA message from 10.10.201.61 for session 0a0a010d0001f00060707d74 is inconsistent with the application configuration.

    Failed to find aaa-server for CoA Request

    When I reconnected and got issues a new session-id the WEBAUTH would try to use the same one every time. I wish Aruba could have some documentation on when to use this setting but I have not found anything.

    The second problem seemed to be the enforcement profiles I was using. The WEBAUTH enforcement profile template being used was RADIUS Dynamic Authorization but the RADIUS Dynamic Authorization template needed to be set to IETF Generic Change of Authority. I think I had it set to Cisco-bounce and edited the Attributes manually to pass the Filter-ID. I think it is best to use the IETF CoA template and just add the necessary attributes. There must be something extra that is going on in the profile that is not being displayed, It would be helpful to be able to see which template you are using for the configured profiles. Anyway it is working now. 



    ------------------------------
    abraham
    ------------------------------



  • 8.  RE: Radius CoA failing to ASA firewall

    Posted Apr 28, 2022 02:41 PM
    I've been trying to get this working for several days now. I can get the initial Radius request to send back a dACL, but when the webauth occurs, the filter-id is not sending a COA. I'm running 6.7.14 code and I don't see the option for Parse Cisco-AVpair in my radius service parameters. Am I required to upgrade to 6.8 or higher to get this working?

    ------------------------------
    Mitchell Griffin
    ------------------------------