Ok more findings.
You will need to set Cisco ASA as “Cisco” device type. Adding "Cisco-ASA" device-type will prevent CoA from working. Yea I know - wtf?
Use CoA port 3799 on CP - make sure that is configured on the ASA as well - since default is 1700.
aaa-server clearpass protocol radius
 accounting-mode simultaneous
 interim-accounting-update periodic 1
 dynamic-authorization port 3799
For your initial EnfProfile you can use either Downloadable-ACL or target an ACL. This doesn't need to be for redirect, but can be an ACL that permits access to Clearpass. Example ASA ACL which you should tune to your needs:
access-list quarantineCP extended permit udp any any eq domain
access-list quarantineCP extended permit ip any host 172.20.6.15
access-list quarantineCP extended deny ip any any
Then your Radius EnfProfile will simply be:
Radius:IETF | Filter-Id | quarantineCP-ACL
For the Webauth CoA enfProfile you will need to write it EXACTLY as below. If you try to use Downloadable-ACL then the CoA isn't sent from Clearpass.
Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair}
Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id}
Radius:IETF | Filter-Id | allowall-ACL
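To see what the three attributes above actually look like on the wire when ClearPass fires the CoA at port 3799, here is an added Python example (not from the post, not ClearPass or ASA code) that encodes a RADIUS CoA-Request per RFC 5176 with Cisco-AVPair, Calling-Station-Id and Filter-Id, and verifies its Request Authenticator. The shared secret, MAC address and AVPair string are constructed sample values.

```python
"""Encode/verify a RADIUS CoA-Request (RFC 5176) carrying the three attributes
from the Webauth CoA enforcement profile: Cisco-AVPair, Calling-Station-Id, Filter-Id."""
import hashlib
import struct

COA_REQUEST = 43          # RFC 5176 packet code for CoA-Request
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
VENDOR_SPECIFIC = 26      # RFC 2865 attribute types
FILTER_ID = 11
CALLING_STATION_ID = 31


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length covers the 2-byte header too."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(value: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor-id 9 and Cisco-AVPair (vendor type 1)."""
    inner = _avp(1, value.encode())
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(ident: int, secret: bytes, calling_station_id: str,
                      filter_id: str, avpair: str) -> bytes:
    attrs = (cisco_avpair(avpair)
             + _avp(CALLING_STATION_ID, calling_station_id.encode())
             + _avp(FILTER_ID, filter_id.encode()))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the ASA does before honouring the CoA: recompute the authenticator."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet: bytes) -> dict:
    """Return {attr_type: raw value}; the VSA (26) is returned undecoded."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return out
```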
On ASA use this command to debug:
debug radius dyn-auth
show vpn-sessiondb detail remote
* Verify the "Filter Name" is the ACL or DACL you want applied after the initial Radius and after the CoA is triggered.