Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to make sure VIA client workstation is domain joined? (OnGuard or cert)

  • 1.  How to make sure VIA client workstation is domain joined? (OnGuard or cert)

    Posted Nov 23, 2020 02:29 PM
    Hi,

    First of all, sorry for the long post. The wall of text is just needed to explain what I need, and why I'm facing issues in this setup.

    I'm replacing a Cisco ASA setup including AnyConnect and SMSPasscode MFA with an HPE 7010 Branch gateway setup with SDWAN and VIA VPN Client.

    The reason I'm writing here is I'm having a difficult time setting up the HPE controller and VIA client with the same security as the customer had on the AnyConnect.
    I have been in touch with HPE support on multiple occasions, because the config I needed seemed impossible to do, and sadly they are yet to come up with a design that solves it.

    First let me explain what we have on the AnyConnect setup, and then I move on to the proposed design solution from HPE support, and why those are not working.
    I hope someone has some experience with this equipment and is willing to share how they solved these issues.

    Users are validated against an MS NPS which has an SMSPasscode integration (DLL), and therefore the user will be prompted first for user and password (AD creds),
    then SMSPasscode will send a text message to the user's cellphone with an OTP which the user has to input into AnyConnect, using the Challenge/Response feature of RADIUS.
    Additionally AnyConnect will check that the connecting workstation has a valid certificate from the Enterprise certificate server. This is done to ensure the workstation
    is joined to the AD, and not an unsecured device that just happens to have AnyConnect installed.
    Depending on AD group membership, the user is assigned appropriate ACLs.

    Now the Cisco ASA is replaced by a SDWAN setup with Aruba 7010 controllers in the datacenter. These will act as the VPN concentrators for users working at home or from other remote locations.

    Problem is the above config has proven to be practically impossible to set up in the HPE Aruba equipment.

    VIA Client does not seem to support an option to check both the username/password combo AND the presence of a certificate like AnyConnect.
    EAP-TEAP would solve this problem, and it has just been implemented into Clearpass, but unfortunately there's no support in VIA Client and no info on when it will be supported. TAC does not know :(

    So the HPE Aruba technicians suggested using Clearpass with OnGuard to check the machine state and thus make sure the workstation is domain joined before allowing access to internal services through VIA.

    I have set this up but faced multiple problems.
    First, since OnGuard is a Clearpass feature, Clearpass needs to "see" the RADIUS request to be able to act on OnGuard stuff and send CoA to the controllers. It's not enough that Clearpass sees the OnGuard requests.
    Thus I had to proxy the RADIUS request through Clearpass and then to NPS to make sure it sees the request. I cannot use only Clearpass because of the SMSPasscode MFA software on NPS.
    Here we found a bug in the controllers. Proxying the requests through Clearpass would cause the Aruba controllers to mess up the Challenge/Response part of the traffic and no validation could
    happen. I have an open case on this, and engg is looking into this (slooow).

    Ok, while I wait I disabled MFA and only use Clearpass as a proxy to NPS.
    This is working ok. Now I can set an initial role (ACL) on a user when he connects to VIA Client.

    The initial role would allow DNS and OnGuard traffic only.

    Now the next problem is that Clearpass seems to be unable to return CoA based on OnGuard state. I need the controller to change the user's role from initial-role to full-role. This should only happen
    if the workstation is checked by OnGuard and deemed domain joined.

    OnGuard is working and informing Clearpass that the PC is domain joined, but Clearpass is unable to connect the dots and change the role on the VIA user using a CoA.

    Now I'm stuck because TAC is telling me that they don't think OnGuard/Clearpass can even change the role on the connected user without disconnecting him, caching his posture, and waiting for a new connection.
    Essentially this is the functionality that is used on wifi networks, but I cannot use this approach as it requires the user to log in twice.
    Also the claim that the user-role cannot be changed on the fly is very strange to me because 1. Clearpass has a Wizard to set up services and enforcement profiles that does exactly what I want. It describes my exact scenario and guides me to input the initial role and the final role, so why would there be a wizard if it does not work?
    And 2. Why would the designers even suggest this config in the first place if it's not supported?

    Just for additional info, I tried using only Clearpass as a RADIUS server, not as a proxy, just to verify if OnGuard and CoA would work then, and it still doesn't. So the proxy part is not causing the problem.

    Clearpass will validate the user just fine. But when OnGuard changes posture to Domain joined PC, it reports that it is unable to link the OnGuard user to a RADIUS request (the one from VIA)
    and thus fails to change the role on the controller.

    TL;DR
    Does anyone have VIA Client running with OnGuard, where they are changing the role on the fly based on the posture state of the workstation?

    We are controlling the controllers from Aruba Central if that makes any difference.

    Bonus info: Any other idea to solve the requirement outlined is appreciated.

    Thanks in advance.

    ------------------------------
    Martin Thinggaard Madsen
    ------------------------------


  • 2.  RE: How to make sure VIA client workstation is domain joined? (OnGuard or cert)

    EMPLOYEE
    Posted Nov 24, 2020 12:18 PM

    This should work. When you are using VIA and OnGuard, OnGuard needs to be configured to use the VPN adapter, and the VPN user credentials must be the same as the OnGuard credentials, because we are then going to map the information based on the username rather than the MAC addresses that are used. Depending on the intended configuration, this may be easiest to accomplish by using the "SSO Authentication" option with OnGuard to use the same username/password from the computer.

    As long as these two things are aligned the CPPM will track the request as a VPN user and issue the CoA to the VPN concentrator rather than attempt to track based on the MAC address in use.



    ------------------------------
    Anish Pansare
    ------------------------------



  • 3.  RE: How to make sure VIA client workstation is domain joined? (OnGuard or cert)

    Posted Nov 25, 2020 02:19 AM
    Hi Anish,

    Thank you for taking the time to read and understand the issue I face.

    What we set up now was for OnGuard and Clearpass to link the RADIUS to the HTTP service request based on MAC address.
    This did not work, and I have spent a fair amount of time with TAC trying to figure out why. The MAC address presented by OnGuard is somehow a fake one, where it takes the real MAC of an interface on the PC and increments the first octet by one or two.
    When we looked into the logs of Clearpass we saw this difference, and thought that was the reason RADIUS and HTTP reg could not be linked.

    So you telling me that we need OnGuard to present the username/password combo instead is very interesting, and we haven't tried that. I actually asked TAC if that could be a viable way to solve the problem, but they declined that it was the way to go. They wanted to work on the MAC addresses that were somehow not aligning.

    Anyway, thank you for pointing me in this direction. I will proceed and set it up, and see if that hopefully is what is missing for the setup to fully work.

    Thanks.


    ------------------------------
    Martin Thinggaard Madsen
    ------------------------------



  • 4.  RE: How to make sure VIA client workstation is domain joined? (OnGuard or cert)

    Posted Jan 27, 2021 09:49 AM
    Hi there, did you ever get to figure this out? We are trying to offer a similar solution.

    ------------------------------
    Andrew Byrne
    ------------------------------



  • 5.  RE: How to make sure VIA client workstation is domain joined? (OnGuard or cert)

    EMPLOYEE
    Posted Jan 28, 2021 06:51 PM
    Hi,

    For VPN, ClearPass always uses the username as the key to correlate the OnGuard health check with the VPN auth, i.e.:
    Username in VPN Auth request
    Username in OnGuard WebAuth request (irrespective of OnGuard mode).

    In health only mode, OnGuard Agent can send the current active user name if the "Use active Username in Health Only mode" option is enabled in Global Agent settings. Refer to the online help for more details:
    https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/Global_Agent_Settings-OnGuard_Settings.html?Highlight=%22Use%20active%20Username%20in%20Health%20Only%20mode%22

    This works if the VPN user name is the same as the current active user name, i.e. the user name used to log in to the client. This will work on all supported OS - Windows, macOS and Linux.

    Another option is to change the OnGuard mode to auth + health and enable "Enable to use Windows Single-Sign On" in Global Agent settings. In this case also, the VPN user name should be the same as the current active user name, and it will work only on Windows OS.

    ------------------------------
    Nimal Varampetran
    ------------------------------
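
To make the two employee replies (posts 2 and 5) concrete, here is a constructed Python model, added here and not ClearPass or OnGuard code, of why a MAC-keyed link between the VPN RADIUS session and the OnGuard posture report fails when the agent reports a MAC with an incremented first octet, while a username-keyed link succeeds and yields the initial-role to full-role CoA. The record layouts, role names, session id and sample MACs/usernames are assumptions.

```python
# Constructed model of the username-vs-MAC correlation described in the thread
# (illustrative only, not ClearPass/OnGuard code; names and values are made up).
from dataclasses import dataclass
from typing import List, Optional, Tuple

INITIAL_ROLE = "initial-role"  # DNS + OnGuard traffic only
FULL_ROLE = "full-role"        # granted once posture says domain joined

@dataclass
class VpnSession:
    """A VIA user the controller authenticated via RADIUS."""
    username: str
    mac: str          # MAC carried in the RADIUS request
    session_id: str
    role: str         # role the controller currently enforces

@dataclass
class PostureReport:
    """An OnGuard WebAuth posture report for one endpoint."""
    username: str     # must equal the VPN username for the link to work
    mac: str          # OnGuard-reported MAC; may differ from the NIC MAC
    domain_joined: bool

def correlate(sessions: List[VpnSession], report: PostureReport,
              key: str = "username") -> Optional[VpnSession]:
    """Link a report to exactly one session. key="mac" models the setup that
    failed; key="username" models what the thread says ClearPass uses for VPN."""
    if key not in ("username", "mac"):
        raise ValueError(f"unsupported correlation key: {key}")
    norm = str.lower if key == "mac" else str  # MACs compare case-insensitively
    matches = [s for s in sessions
               if norm(getattr(s, key)) == norm(getattr(report, key))]
    return matches[0] if len(matches) == 1 else None

def coa_decision(sessions: List[VpnSession], report: PostureReport,
                 key: str = "username") -> Optional[Tuple[str, str]]:
    """Return (session_id, new_role) for a CoA, or None if the report cannot be
    linked (ClearPass then cannot change the role) or the role already fits."""
    session = correlate(sessions, report, key)
    if session is None:
        return None
    wanted = FULL_ROLE if report.domain_joined else INITIAL_ROLE
    return None if wanted == session.role else (session.session_id, wanted)

# Constructed sample: the PC's NIC MAC starts 00:, but OnGuard reports a MAC with
# the first octet incremented, as the original poster observed in the logs.
SESSIONS = [VpnSession("jdoe", "00:11:22:33:44:55", "vpn-sess-1", INITIAL_ROLE)]
REPORT = PostureReport("jdoe", "01:11:22:33:44:55", domain_joined=True)
```

With the sample data, `coa_decision(SESSIONS, REPORT, key="mac")` returns None (no link, so no role change), while the username-keyed call returns the CoA that moves the session to full-role.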