Hi,
First of all, sorry for the long post. The wall of text is just needed to explain what I need, and why I'm facing issues in this setup.
I'm replacing a Cisco ASA setup including AnyConnect and SMSPasscode MFA with an HPE 7010 Branch gateway setup with SDWAN and VIA VPN Client.
The reason I'm writing here is I'm having a difficult time setting up the HPE controller and VIA client with the same security as the customer had on the AnyConnect.
I have been in touch with HPE support on multiple occasions, because the config I needed seemed impossible to do, and sadly they are yet to come up
with a design that solves it.
First let me explain what we have on the AnyConnect setup and then I'll move on to the proposed design solution from HPE support, and why those are not working.
I hope someone has some experience with this equipment, and is willing to share how they solved these issues.
Users are validated against an MS NPS which has a SMSPasscode integration (DLL) and therefore the user will be prompted first for user and password (AD creds),
then SMSPasscode will send a text message to the user's cellphone with an OTP which the user has to input into AnyConnect, using the Challenge/Response feature of RADIUS.
Additionally AnyConnect will check that the connecting workstation has a valid certificate from the Enterprise certificate server. This is done to ensure the workstation
is joined to the AD, and not an unsecured device that just happens to have AnyConnect installed.
Depending on AD group membership, the user is assigned appropriate ACLs.
Now the Cisco ASA is replaced by an SDWAN setup with Aruba 7010 controllers in the datacenter. These will act as the VPN concentrators for users working at home or from other remote locations.
Problem is the above config has proven to be practically impossible to set up in the HPE Aruba equipment.
VIA Client does not seem to support an option to check both the username/password combo AND the presence of a certificate like AnyConnect.
EAP-TEAP would solve this problem, and it has just been implemented into Clearpass, but unfortunately there's no support in VIA Client and no info when it will be supported. TAC does not know :(
So the HPE Aruba technicians suggested using Clearpass with OnGuard to check the machine state and thus make sure the workstation is domain joined before allowing access to internal services through VIA.
I have set this up but faced multiple problems.
First, since OnGuard is a Clearpass feature, Clearpass needs to "see" the radius request to be able to act on OnGuard stuff and send CoA to the controllers. It's not enough that the Clearpass sees the OnGuard requests.
Thus I had to proxy the radius request through Clearpass and then to NPS to make sure it sees the request. I cannot use only Clearpass because of the SMSPasscode MFA software on NPS.
Here we found a bug in the controllers. Proxying the requests through Clearpass would cause the Aruba controllers to mess up the Challenge/Response part of the traffic and no validation could
happen. I have an open case on this, and engineering is looking into this (slooow)
Ok, while I wait I disabled MFA and only use Clearpass as a proxy to NPS.
This is working ok. Now I can set an initial role (ACL) on a user when he connects to VIA Client.
The initial role would allow DNS and OnGuard traffic only.
Now the next problem is that Clearpass seems to be unable to return CoA based on OnGuard state. I need the controller to change the user's role from initial-role to full-role. This should only happen
if the workstation is checked by OnGuard and deemed domain joined.
OnGuard is working and informing Clearpass that the PC is domain joined, but Clearpass is unable to connect the dots and change the role on the VIA user using a CoA.
Now I'm stuck because TAC is telling me that they don't think OnGuard/Clearpass can even change the role on the connected user without disconnecting him, caching his posture, and waiting for a new connection.
Essentially this is the functionality that is used on wifi networks, but I cannot use this approach as it requires the user to login twice.
Also the claim that user-role cannot be changed on the fly is very strange to me because 1. Clearpass has a Wizard to set up services and enforcement profiles that do exactly what I want. It describes my exact scenario and guides me to input the initial role and the final role, so why would there be a wizard if it does not work?
And 2. Why would the designers even suggest this config in the first place if it's not supported?
Just for additional info, I tried using only Clearpass as a RADIUS server, not as a proxy, just to verify if OnGuard and CoA would work then, and it still doesn't. So the proxy part is not causing the problem.
Clearpass will validate the user just fine. But when OnGuard changes posture to Domain joined PC, it reports that it is unable to link the OnGuard user to a RADIUS request (the one from VIA)
and thus fails to change the role on the controller.
TL;DR
Does anyone have VIA Client running with OnGuard, where they are changing the role on the fly based on the posture state of the workstation?
We are controlling the controllers from Aruba Central if that makes any difference.
Bonus info: Any other idea to solve the requirement outlined is appreciated.
Thanks in advance.
------------------------------
Martin Thinggaard Madsen
------------------------------
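The RADIUS Challenge/Response step in the post (AD password first, then the SMS OTP) depends on one detail that is easy to lose when the request is relayed: RFC 2865 requires the State attribute from the Access-Challenge to be echoed back unmodified in the follow-up Access-Request. The Python model below is an added illustration, not code from the post or from Aruba/NPS; it shows the exchange through a relay that preserves State and through one that drops it. The usernames, password, OTP, role name and State token are all constructed.

```python
"""Model of the two-step RADIUS Challenge/Response MFA flow (AD password,
then SMS OTP) when the request is relayed through a proxy.
All names, credentials, the OTP and the State token are constructed."""
import secrets

USERS = {"alice": "Winter2024!"}     # constructed AD credentials
OTP_VALUE = "482913"                 # constructed one-time code sent by SMS
_pending = {}                        # State token -> username awaiting the OTP


def nps_server(req):
    """Constructed stand-in for NPS + SMS MFA: Access-Challenge, then Accept."""
    user, state = req.get("User-Name"), req.get("State")
    if state is None:
        # Step 1: password check, then challenge the client for the OTP
        if USERS.get(user) != req.get("User-Password"):
            return {"Code": "Access-Reject"}
        state = secrets.token_hex(8)
        _pending[state] = user
        return {"Code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent by SMS"}
    # Step 2: State must match an outstanding challenge for this user
    if _pending.pop(state, None) != user or req.get("User-Password") != OTP_VALUE:
        return {"Code": "Access-Reject"}
    return {"Code": "Access-Accept", "Filter-Id": "initial-role"}


def proxy(req, preserve_state):
    """Relay between VPN concentrator and NPS; a broken relay drops State."""
    fwd = dict(req)
    if not preserve_state:
        fwd.pop("State", None)
    resp = nps_server(fwd)
    if not preserve_state:
        resp.pop("State", None)
    return resp


def vpn_login(user, password, otp, preserve_state=True):
    """Client side: send creds, answer the challenge, return the final code."""
    resp = proxy({"User-Name": user, "User-Password": password}, preserve_state)
    if resp["Code"] != "Access-Challenge":
        return resp["Code"]
    req2 = {"User-Name": user, "User-Password": otp}
    if "State" in resp:
        req2["State"] = resp["State"]    # echo the token, untouched
    return proxy(req2, preserve_state)["Code"]
```

When the relay strips State, the OTP reply arrives at the server looking like a fresh first-step login with the OTP as the password, so the second step can never succeed.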