Our wireless network is currently using CPPM for 802.1x radius authentications and Onguard for Posture checks. We are now trying to achieve the same for Pulse Secure VPN clients. We have been able to get CPPM radius PAP authentication & Onguard posture checking working SEPARATELY for VPN clients, but now need to "link" them.
The radius authentication happens before the posture check and then I can't seem to send any kind of termination of the radius session with a non-compliant posture check.
Thank you in advance.
I have not worked with this combination, but my guess is that you may need to install the proper Radius dictionary for Pulse to be able to send the correct dynamic authorization (CoA) back to Pulse for the termination.
Normal operation for Onguard is an authentication with unknown posture status first, then Onguard sending the posture status, followed by a CoA. Finally, there is a new 802.1x authentication, now with cached posture status.
In the 802.1x Service you must have the checkbox for "Use Cached Results" checked (I assume you already have this):
In the service for Onguard you should use the Pulse CoA.
If both of these are in place I have no good idea. The client will be terminated at any time after the authentication if you have the persistent client running. If you are running the non-persistent Onguard client the check will only be done on first connection.
Screenshots of your configuration and from Access Tracker records may help in troubleshooting, if you can send this type of information.
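Added example, not part of the original posts and not ClearPass or Pulse Secure code: the termination discussed above is a RADIUS Disconnect-Request (RFC 5176), and this sketch builds one and verifies it the way the receiving gateway would, which helps when checking a packet capture for a shared-secret mismatch. The secret, user name, session ID and the choice of User-Name plus Acct-Session-Id to identify the session are constructed assumptions; the attributes Pulse actually expects come from its RADIUS dictionary.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40              # RFC 5176 packet code
USER_NAME, ACCT_SESSION_ID = 1, 44   # RFC 2865 / RFC 2866 attribute types


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident: int, secret: bytes, user: str, session_id: str) -> bytes:
    """Build the request the policy server sends to the NAS on UDP 3799."""
    attrs = (encode_attr(USER_NAME, user.encode())
             + encode_attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Authenticator = MD5(Code + Id + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_and_verify(packet: bytes, secret: bytes) -> dict:
    """Parse a request and check its authenticator before trusting it."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs_raw = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs_raw + secret).digest()
    attrs, pos = {}, 0
    while pos + 2 <= len(attrs_raw):
        a_type, a_len = attrs_raw[pos], attrs_raw[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs_raw):
            raise ValueError("malformed attribute")
        attrs[a_type] = attrs_raw[pos + 2:pos + a_len]
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs,
            "authenticator_ok": hmac.compare_digest(expected, packet[4:20])}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    pkt = build_disconnect_request(7, b"constructed-secret", "alice", "sess-0001")
    print(parse_and_verify(pkt, b"constructed-secret"))
```

If `authenticator_ok` is false for a captured request, the shared secret configured for the gateway on the policy server does not match the one on the gateway, and the gateway will silently drop the request.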