Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass sends to Cisco ASA dACL RADIUS CoA

  • 1.  ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 07:36 AM

    Is there a way to send a RADIUS CoA dACL from ClearPass to a Cisco ASA VPN?
    For example, the OnGuard Agent finishes the NAC health checks when the user connects to the VPN,
    and I want ClearPass to send a RADIUS CoA dACL to the Cisco ASA, depending on whether the health check result is quarantine or allow all.


    Thanks,

    Balazs



  • 2.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    EMPLOYEE
    Posted Nov 17, 2015 07:37 AM
    What version of code are you running on the ASA?

    Sent from Nine


  • 3.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 07:39 AM

    Hi Tim,


    Cisco Adaptive Security Appliance Software Version 9.3(3)2
    Device Manager Version 7.4(3)


    Thanks,

    Balazs




  • 4.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 08:40 AM

    So, if I send a generic Cisco CoA Reauthenticate Session or a generic Cisco CoA Terminate Session, nothing happens. I sent a RADIUS:Cisco Cisco-IP-Downloadable-ACL deny ip any any, and nothing happens.

    So, my question is: what attributes should be sent by ClearPass to the Cisco ASA in the CoA message if we want to change a user's ACL after a NAC check?




  • 5.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 08:53 AM


  • 6.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 08:56 AM

    What do you mean, to trigger the reauthentication?



  • 7.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    EMPLOYEE
    Posted Nov 17, 2015 08:57 AM
    You need to trigger a reauthentication for the user to get the new dACL.


  • 8.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 08:59 AM

    Bounce or reauth?



  • 9.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    EMPLOYEE
    Posted Nov 17, 2015 09:00 AM
    CoA. Can you post your enforcement policy?


  • 10.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 09:10 AM

    I send only dACL in CoA:


    coa_enf.png


    Thanks,

    Balazs




  • 11.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 10:05 AM

    And the enforcement policy:

    enf_policy.jpg

    HEALTY is a Post-Authentication enforcement profile. Not relevant.

    Cisco_coa_dACL_test contains:

    RADIUS:Cisco Cisco-IP-Downloadable-ACL deny ip any any


    Thanks,

    Balazs




  • 12.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    EMPLOYEE
    Posted Nov 17, 2015 10:07 AM
    Try sending a generic Cisco CoA for the healthy enforcement and then use a dACL in your VPN authentication service.


  • 13.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 10:22 AM

    I don't know the terminology.


    My workaround is:

    1.) The client opens a VPN session (Cisco IPsec)

    2.) The ASA sends the authentication to ClearPass (802.1X Wired service, RADIUS)

    3.) The client is authenticated

    4.) The OnGuard agent collects and sends information to ClearPass (WEBAUTH)

    5.) ClearPass sends the RADIUS CoA action to the ASA, depending on whether the user is healthy or not healthy


    Where can I insert the reauth?


    Thanks,

    Balazs




  • 14.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 17, 2015 10:32 AM

    This is the CP generic Cisco CoA Reauth Session action:

    generic_cisco_coa.jpg

    If ClearPass sends this message after the webauth, nothing happens.


    Thanks,

    Balazs



  • 15.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Nov 18, 2015 06:14 AM

    Any idea?



  • 16.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Dec 22, 2015 12:50 PM

    We are currently trying to do the same thing with no luck.  We are on the phone with Cisco and Aruba TAC.  I will post if they find a solution.



  • 17.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 05, 2016 06:48 AM

    On my side the dACL works between the ASA and ClearPass.



  • 18.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 05, 2016 07:49 AM

    Correct.  We can get the dACL to work as well.  However, it requires us to bounce the client.  So basically we got it working, but the workflow would be like this.


    The user VPNs in.  We authenticate with a redirect to the website (we don't know health yet), then the client checks health.  If healthy, we would like to CoA and get a dACL allow all; however, we got it to work with a bounce of the client, and then they would reauthenticate, come in with a healthy tag, and get the allow all dACL.


    This was a little too end-user intensive, and also on the recheck of the client, if they became unhealthy, we had no way to CoA them back to the web page.


    TAC couldn't figure it out either, and now it is with the development team.  We followed the white paper on Arubapedia exactly with no luck.



  • 19.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 06, 2016 04:40 AM

    Thanks for your feedback; it is so disappointing.

    If I use the native OnGuard agent I can use the CoA message. But there is no redirection.

    I'm trying to figure out the dissolvable agent workflow with CoA too, but I haven't had any success.



  • 20.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 06, 2016 06:53 AM

    Cool.  I just got updated by TAC with a Clearpass Bug ID and they are working on a patch.  I will give an update once I get the patch and I test it to verify that it works.



  • 21.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 06, 2016 09:12 AM

    Thanks for your feedback!



  • 22.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 07, 2016 08:55 AM

    Can you provide me the ClearPass Bug ID?
    Thanks,


    Balazs



  • 23.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Jan 07, 2016 09:00 AM

    TAC has determined the Clearpass problem and assigned it bug #31475.   I am currently working with the product manager to get a patch built.  Will keep you posted.




  • 24.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Apr 11, 2016 07:45 AM

    Hello John,


    I have read the new ClearPass 6.6.0 Release notes, but this document does not contain this Bug ID. Have you any information for it? 




  • 25.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Sep 26, 2016 04:52 PM

    Hello guys

    John and Balazs - did you figure this out eventually? I'm unable to find this bug-id in any of the 6.6 patches or the 6.5.x patches. I'm assuming then that the bug is still in effect.


    Are there other ways to do this without the need for a bounce to trigger the CoA correctly?

    6.6.0 introduced some new features in relation to Cisco ASA. Did this help this issue in any way?


    ClearPass 6.6 is now able to extract the auth-session-id from CiscoAVPair VSA to use in Change of Authorization (CoA). The username value is now used as the key when creating or querying a session in a multi-master session cache. This makes it possible to send a CoA when the Calling-Station-ID value includes the IP address format. To use this feature, in Policy Manager go to Configuration > Enforcement > Profiles, copy the default [Cisco - Terminate Session] profile, and modify it to include the Cisco-AVPair attribute. For more information on configuration, testing, and troubleshooting, refer to the Policy Manager 6.6 User Guide. (#17812)
    
    *	Cisco ASA requires the audit Session ID in the RADIUS Change of Authorization (CoA) message. ClearPass extracts the audit-session-id from the VPN RADIUS authentication message. There are new properties to cache the Cisco-AVPair with the value that contains the audit-session-id. These properties can be used to cache any custom attribute that contains the particular value. (#24403)




  • 26.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Mar 04, 2017 06:19 AM

    Hi John,


    I'm using Radius:IETF:Filter-Id and it works fine for me. You can see my Enforcement profile below:

    asa_coa_community.png





  • 27.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Mar 20, 2017 10:57 AM

    What does your "Filter-ID" reference?  A "named" ACL on the VPN?  Was there any luck getting a dACL working?  This article doesn't clarify that.  Thanks.



  • 28.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Mar 20, 2017 11:15 AM

    Yes, the "office" Filter-Id reference is a named access-list on the ASA.


    For example:

    access-list office extended permit ip any any

    Only this way works for me. The dACL doesn't work in CoA.



  • 29.  RE: ClearPass sends to Cisco ASA dACL RADIUS CoA

    Posted Mar 20, 2017 11:16 AM
    The Filter-ID is the name of the ACL. You can do dACL, but only in the RADIUS reply, not in the RADIUS CoA. I'm not sure why, but I think it's just a limitation of the input field. Try it and you'll see what I mean. In RADIUS CoA the input field is just a dropdown, but in RADIUS it's a text input.
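An added example (not code from the thread, ClearPass or Cisco) tying together the two working points above: post 25 says the ASA needs the audit-session-id carried in a Cisco-AVPair VSA of the CoA, and posts 28/29 say a Filter-Id naming an ASA access-list is what the ASA honours in a CoA. The script extracts the audit-session-id from constructed Cisco-AVPair values, builds an RFC 5176 CoA-Request carrying it plus Filter-Id, and checks the Request Authenticator; the shared secret, username and session id are constructed sample values.

```python
import hashlib
import struct

COA_REQUEST = 43            # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11         # named ACL on the ASA (post 28)
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # Cisco-AVPair sub-attribute

def attr(type_, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def cisco_avpair(text):
    """Wrap text in a Cisco-AVPair inside an IETF Vendor-Specific attribute."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def extract_audit_session_id(avpairs):
    """Find audit-session-id=... among the Cisco-AVPair strings of an Access-Request."""
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key.strip() == "audit-session-id" and val:
            return val.strip()
    return None

def build_coa(secret, ident, username, session_id, filter_id):
    """Build a CoA-Request; authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += cisco_avpair("audit-session-id=" + session_id)
    attrs += attr(ATTR_FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_coa(packet, secret):
    """Recompute the Request Authenticator the way the ASA would check it."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth

def decode_attrs(packet):
    """Walk the attribute list; Cisco VSAs are unwrapped to their AVPair text."""
    out, pos = [], 20
    while pos < len(packet):
        t, ln = packet[pos], packet[pos + 1]
        val = packet[pos + 2:pos + ln]
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            out.append(("Cisco-AVPair", val[6:].decode()))
        else:
            out.append((t, val))
        pos += ln
    return out
```

Decode the result and compare it with what ClearPass's CoA profile would emit without the Cisco-AVPair: the ASA-side requirement from post 25 is exactly the audit-session-id entry.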