Question : We have a working VIA configuration that currently changes user roles based on the credentials that it is passed from ClearPass – all as expected. We are currently in the process of integrating OnGuard into this mix in order to integrate the user's Posture status into the VIA VPN. ClearPass was not able to do a successful RADIUS CoA / [Aruba Terminate Session] to the VIA VPN after integration. I know that the RFC 3576 server is working as I have OnGuard working and doing posture assessments and CoAs against the wireless network on the same controller that terminates the VIA VPN.
Environment Information : This article strictly applies to CPPM 6.2 and Aruba AOS 6.3.1.1 and greater.
Symptoms
Below is the message we would see when trying to test CoA from Access Tracker.
Cause : RADIUS CoA to change the user role of the VIA client after the health check with the AOS version 6.3.1.1.
Resolution :
Only from Aruba OS version 6.3.1.1 (still in Early Availability) do we have the option to map an RFC 3576 server under Configuration -> Authentication -> L3 Authentication -> VIA Authentication: select the Authentication Profile and map CPPM as the RFC 3576 server.

On the ClearPass server, edit the Enforcement Profile as shown below.

Navigate to "Configuration » Enforcement » Policies" and edit the Enforcement Policy that is mapped to the Posture service.

Here, "Aruba VPN Healthy Role" has the below configuration.

Ideally, each of the above Actions in the Policy has two conditions mapped to it:
1: Posture status
2: User Role