Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CP 6.6 new Cisco functionality clarification requested

  • 1.  CP 6.6 new Cisco functionality clarification requested

    Posted Oct 12, 2016 11:14 AM

    Release notes from 6.6 states the following:

    ClearPass 6.6 is now able to extract the auth-session-id from CiscoAVPair VSA to use in Change of
    Authorization (CoA). The username value is now used as the key when creating or querying a session in a
    multi-master session cache. This makes it possible to send a CoA when the Calling-Station-ID value includes
    the IP address format. To use this feature, in Policy Manager go to Configuration > Enforcement
    > Profiles, copy the default [Cisco - Terminate Session] profile, and modify it to include the Cisco-AVPair
    attribute. For more information on configuration, testing, and troubleshooting, refer to the Policy Manager
    6.6 User Guide. (#17812)

    Cisco ASA requires the audit Session ID in the RADIUS Change of Authorization (CoA) message. ClearPass
    extracts the audit-session-id from the VPN RADIUS authentication message. There are new properties to
    cache the Cisco-AVPair with the value that contains the audit-session-id. These properties can be used to
    cache any custom attribute that contains the particular value. (#24403)

    There is nothing in the user guide or more explanation in the release notes on how to use/access these properties. I'm working on a Cisco ASA - Clearpass implementation these days and would like to utilize the features mentioned in the "teaser" ;)..



  • 2.  RE: CP 6.6 new Cisco functionality clarification requested

    EMPLOYEE
    Posted Oct 12, 2016 11:19 AM
    There shouldn't be anything new you have to do. The Cisco VPN CoA should work without issue.


  • 3.  RE: CP 6.6 new Cisco functionality clarification requested

    Posted Oct 13, 2016 02:27 AM

    While that might be true, nothing in the Access Tracker or ASA Radius debug suggests that it sends the session-id during a plain [Cisco Terminate Session].

    The notes state that you need to modify the default profile if you want to include the auth-session-id (spelled wrong and should be audit-session-id??). I did that by just including an expression in a Radius:COA profile like this:

    Radius:Cisco - Cisco-AVPair - %{Radius:Cisco:Cisco-AVPair}

    The profile was triggered during OnGuard WEBAUTH and contained the cached audit-session-id from the previous Radius record. Tho - I'm not sure if that was just because it was the first value out of three Cisco-AVPairs that the ASA returned or if some mechanic behind the scenes collected exactly that value..

     

    Furthermore - the release notes say

    These properties can be used to cache any custom attribute that contains the particular value.

    Can be used. Well.. I'd like to use them specifically and be sure I'm not saving a different value returned from the Radius-message.
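The worry in the post above is whether the cached value is the audit-session-id or merely whichever Cisco-AVPair came first. The following is an added example (not code from this thread, from ClearPass or from Cisco) that selects the AVPair by key rather than by position, applies the release note's rule of keying the session on User-Name when Calling-Station-Id carries an IP instead of a MAC, and assembles the CoA attribute set; all sample values are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: three Cisco-AVPair values as an ASA might return them,
# with audit-session-id deliberately NOT in the first position.
SAMPLE_AVPAIRS = [
    "ip:inacl#1=permit ip any any",
    "audit-session-id=0A0A0A01000000A2F38C1D3C",
    "mdm-tlv=device-platform=win",
]

# Each Cisco-AVPair is "key=value"; the key may contain ':', '#', '-', '.'.
AVPAIR_RE = re.compile(r"^\s*([\w.\-/:#]+)\s*=\s*(.+?)\s*$")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def parse_avpairs(avpairs: List[str]) -> Dict[str, str]:
    """Map AVPair key -> value; malformed entries are skipped, not guessed at."""
    parsed: Dict[str, str] = {}
    for raw in avpairs:
        m = AVPAIR_RE.match(raw)
        if m:
            parsed[m.group(1).lower()] = m.group(2)
    return parsed


def find_audit_session_id(avpairs: List[str]) -> Optional[str]:
    """Return the audit-session-id by key, not by position; None if absent or not hex."""
    value = parse_avpairs(avpairs).get("audit-session-id")
    if value is None or not re.fullmatch(r"[0-9A-Fa-f]{8,}", value):
        return None
    return value


def session_cache_key(calling_station_id: str, username: str) -> str:
    """Key the session on the MAC when Calling-Station-Id carries one, otherwise on
    User-Name (the 6.6 behaviour the release note describes for IP-format values)."""
    if MAC_RE.fullmatch(calling_station_id):
        return calling_station_id.lower()
    return username


def build_coa_attributes(username: str, avpairs: List[str]) -> Dict[str, str]:
    """Attributes for the Cisco CoA: User-Name plus the Cisco-AVPair the ASA requires."""
    sid = find_audit_session_id(avpairs)
    if sid is None:
        raise ValueError("no audit-session-id in Cisco-AVPair; the ASA would reject the CoA")
    return {"User-Name": username, "Cisco-AVPair": f"audit-session-id={sid}"}
```

Run against the sample, `find_audit_session_id` returns the hex id even though it is the second AVPair, and `build_coa_attributes` refuses to emit a CoA when no id is present instead of sending an attribute the ASA will discard.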



  • 4.  RE: CP 6.6 new Cisco functionality clarification requested

    Posted Oct 19, 2016 02:14 AM

    Tim,

    I re-read your statement and see that you say "the Cisco VPN CoA should work without issue". Well - there is a [Cisco Disconnect], but not [Cisco VPN Disconnect].. ;)

     

    What I'm doing is "Cisco ASA VPN client Authentication with Posture Assessment using Clearpass and OnGuard persistent agent". I'm not alone in trying to get this to work as well as it does with Cisco ISE..

     

    I've configured the Cisco ASA as a Cisco ASA Device. No Radius/Radius CoA is received on the Cisco ASA during the WEBAUTH, even tho the Access Tracker clearly states that it triggers the CoA policy.

     

    The process is very similar to regular MAB. First the initial Radius that authenticates the VPN connection, then OnGuard triggers the WEBAUTH - which should trigger the Radius CoA. You should then find a Radius CoA tab on the Radius entry, but this doesn't happen.

    It seems that either Clearpass doesn't know which Radius session to do the Radius CoA on, or it lacks some value (the client-mac-address?) and thus never triggers the CoA even tho access tracker on the WEBAUTH has the right Output entries.

     

    I'm trying to work around this by doing an OnGuard Bounce, but then the HEALTHY token is reset for the next Radius Authentication session so it just loops.

     

    I'll be working with ACE on this, but if you have any successful hands-on experience using CP 6.6.2 I would be more than happy to be pointed in the right direction.



  • 5.  RE: CP 6.6 new Cisco functionality clarification requested

    EMPLOYEE
    Posted Oct 19, 2016 08:23 PM

    Can you try the attached enforcement profile? Password is aruba123




  • 6.  RE: CP 6.6 new Cisco functionality clarification requested

    Posted Oct 20, 2016 05:45 AM

    Tim, unfortunately this didn't solve it.

     

    In the WEBAUTH request - it's missing the NAD IP address, but has the client-mac-address.

    In the RADIUS request - it's missing the mac-address as it's neither in Radius:Calling-station-id nor username, but has most other information.

     

    Also - after disconnecting or bouncing the VPN client using either session-timeout in the Radius or Agent:Bounce in the WEBAUTH, the following Radius has no pointer to the cached session to use for Posture status.

     

     

    This is from Access Tracker:

    WEBAUTH

    [RequestHandler-1-0x7fc4909e4700 r=psauto-1476688476-2799 h=135 r=W00000022-01-58086c76] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0

     

    Radius debug log

    2016-10-20 09:03:46,949	[RequestHandler-1-0x7fc4909e4700 r=psauto-1476688476-2796 h=135 r=R00000546-01-58086c52] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
    2016-10-20 09:03:46,950	[RequestHandler-1-0x7fc4909e4700 h=25022 c=R00000546-01-58086c52] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2016-10-20 09:03:46,953	[RequestHandler-1-0x7fc4909e4700 r=R00000546-01-58086c52 h=25025 c=R00000546-01-58086c52] ERROR Core.PETaskPolicyResult - handleHttpResponseEv: All policy result cache lookups failed
    2016-10-20 09:03:46,954	[RequestHandler-1-0x7fc4909e4700 h=25031 c=R00000546-01-58086c52] WARN Core.PETaskPostAuthEnfProfileBuilder - No client macaddress found in the request
    2016-10-20 09:03:46,954	[RequestHandler-1-0x7fc4909e4700 h=25031 c=R00000546-01-58086c52] WARN Core.PETaskPostAuthEnfProfileBuilder - startHandler: Failed to fetch NAutz attributes

    So... If not with Cisco ASA - have you done this successfully through other VPN gateways? As in "Authentication with Posture assessment on xxx VPN client using xxx VPN gateway with Clearpass and Onguard"?