Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnGuard -CoA with Cisco ASA and AnyConnect

  • 1.  OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Oct 03, 2016 03:47 PM

    I have this partially working. The AnyConnect client will connect and have an UNKNOWN posture status. CPPM will send a DACL with a restrictive ACL. This works fine. Now that it is connected, OnGuard checks in and reports Healthy. The OnGuard WEBAUTH service is configured to send down a RADIUS:IETF/Filter-ID calling an ACL "allowall" that exists on the ASA. I see in Access Tracker that this supposedly happened. This however does appear to have really occurred. The client remains in the Restricted state with the previous ACL still in place. What might I be doing wrong?

     

    I checked CoA on the CPPM Device as well as the RADIUS Dynamic-Authorization Port 3799 on the ASA. Both are configured. 

     

     

    I would prefer to send a DACL from the WEBAUTH service instead of the Filter-ID but it doesn't appear I can do this.

     

    Any help would be great. Thanks! 



  • 2.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Oct 12, 2016 08:54 AM

    Hello!!

     

    Did you complete this? I'm working on the same thing, but I'm not at all familiar with Cisco ASA so it's small baby steps..

    Right now I'm stuck at seeing the ASA send the client public IP as the framed-ip instead of the inner-ip. I want that changed to the IP and then combine that with session-id to return the CoA message..

    It looks like you already got that dACL part going.. Any chance you can share how you did that?



  • 3.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 01, 2016 01:23 PM

    Hey John,

     

    Sorry for my super long delay!

     

    I followed this guide which got me most the way there... I am sure you have found this by now. 

     

    https://arubapedia.arubanetworks.com/afp/index.php/Cisco_VPN_Health

     

    Specifically to answer your question, the CPPM Service for VPN Authentication (Generic RADIUS Enforcement with PAP and MSCHAP auth methods) will use a "Cisco VPN Default Access" enforcement that sends down a DACL with the settings you specify. Call this enforcement when the client health is unknown. This ACL should allow the OnGuard agent to report health... then you will be stuck where I am at! It does so and CPPM says it takes action and sends the CoA to set the "ALLOWALL" ACL on the ASA. This doesn't really happen. I can run a debug of dynamic authorizations on the ASA and it does not show any activity.

     

    If you get anywhere, let me know and I will do the same. 



  • 4.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 01, 2016 01:34 PM
    Yep, the same thing happened with my solution. Working with Aruba now and I'm guessing there needs to be a change involved in CP to do CoA even when the MAC address is not a part of the RADIUS message..

    I'll update with any positive findings ;)


  • 5.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 01, 2016 01:40 PM

    Sounds good. From what I understand, it will use the ASA client's Session ID that is sent to CP during the initial VPN auth. I do see the SessionID (Cisco AVPair) in Access Tracker and it does match what is reported for the client on the ASA. There is a disconnect somewhere.

     

    I might open a TAC case as well. 



  • 6.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 01, 2016 02:43 PM
    Yeah, that was what I thought after reading the 6.6 release notes, but it's not working out of the box.. I'm working with the ACE team so hopefully we can find a solution. Doing Agent Bounce is not good enough - and doesn't really work since it's not remembering the posture state..


  • 7.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 02, 2016 04:11 PM

    So - I got RADIUS CoA working with ASA. Problem is - I'm not quite sure what made it work - yet :D Will retrace my steps and back up a few to see when things stop working again. Then I can possibly write a detail of my lab exercise, as everything is still not as it should be according to OnGuard documentation... I did test after every change, but it didn't work! Then I did something else for 20 minutes, when I came back CP was doing the RADIUS CoA!! *smack head*

     

    Parts of the linked arubapedia post are wrong for 6.6. Don't try to import the services directly, as it will fail.. Don't use the special "auth source" for Session ID, as CP does that automatically now. For the Radius_CoA "allowall" profile you replace the now redundant line (audit session log database..) with the value from Radius:Cisco:Cisco-AVPair instead. It will magically select session-id.

     

    Basically the last steps I changed before it started working was:

    Clearpass

      Change device type to Cisco (from Cisco-ASA)

      Change CoA port to 3799 (from 1700)

     

    Cisco ASA

      aaa-server clearpass protocol radius
        dynamic-authorization port 3799

     

    ***************

     

    Of other things to note in my config.

    * We did do a packet trace on ClearPass and did note that it did NOT send any CoA message when the solution was failing. Only after the last changes were done did it start sending the CoA.

     

    * OK to use dACL for the quarantine profile, but use an existing ACL on the ASA for the CoA allowall ACL (or a variation of allow-this-not-that ACL). Reason is that you can only have one line in the CoA profile for downloadable-acl... Only when using the RADIUS profile template "Cisco Downloadable ACL enforcement" can you have more than one, but you can't use this with CoA so..

     



  • 8.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 02, 2016 04:19 PM
    All excellent tips and advice! I am glad you got yours working, that brings a lot of hope! I cannot give it a shot until next Monday but will do so then and report back. Thanks!


  • 9.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 04, 2016 11:04 AM

    Ok more findings.

     

    You will need to set Cisco ASA as “Cisco” device type. Adding "Cisco-ASA" device-type will prevent CoA from working. Yea I know - wtf?

     

    Use CoA port 3799 on CP - make sure that is configured on the ASA as well - since default is 1700.

    aaa-server clearpass protocol radius
     accounting-mode simultaneous
     interim-accounting-update periodic 1
     dynamic-authorization port 3799

     

    For your initial EnfProfile you can use either Downloadable-ACL or target an ACL. This doesn't need to be for redirect, but can be an ACL that permits access to Clearpass. Example ASA ACL which you should tune to your needs:

    access-list quarantineCP extended permit udp any any eq domain 
    access-list quarantineCP extended permit ip any host 172.20.6.15 
    access-list quarantineCP extended deny ip any any

    Then your Radius EnfProfile will simply be:

    Radius:IETF | Filter-Id | quarantineCP-ACL

    For the Webauth CoA enfProfile you will need to write it EXACTLY as below. If you try to use Downloadable-ACL then the CoA isn't sent from ClearPass.

     

    Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair}
    Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id}
    Radius:IETF | Filter-Id | allowall-ACL

    On ASA use this command to debug:

    debug radius dyn-auth

    show vpn-sessiondb detail remote

     * Verify the "Filter Name" is the ACL or DACL you want applied after the initial RADIUS auth and after the CoA is triggered.
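    As an added example (not from this post, and not Aruba or Cisco code), here is a small Python evaluator for the ASA extended ACL syntax quoted above. It parses the three quarantineCP lines, applies the ASA's first-match semantics with the implicit deny at the end, and reports whether a flow from a freshly connected, still-unknown-posture client is permitted. It understands only `any`, `host` and address/mask endpoints, a destination port after `eq` (by name or number), and the protocols ip/tcp/udp; the client address and the sample flows are constructed values.

```python
import ipaddress
import shlex

# Constructed copy of the quarantine ACL from the post (the ClearPass host
# address is the post's example value, not a real deployment).
QUARANTINE_ACL = """
access-list quarantineCP extended permit udp any any eq domain
access-list quarantineCP extended permit ip any host 172.20.6.15
access-list quarantineCP extended deny ip any any
"""

# Named ports this evaluator recognises after "eq".
PORT_NAMES = {"domain": 53, "http": 80, "https": 443}


def _endpoint(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = shlex.split(line)
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError("unsupported ACL line: " + line)
        name, action, proto = t[1], t[3], t[4]
        src, rest = _endpoint(t[5:])
        dst, rest = _endpoint(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((name, action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins, as on the ASA; no match means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _name, action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


def restricted_access_checks(text=QUARANTINE_ACL):
    """What a client in the quarantine ACL can and cannot reach (constructed flows)."""
    rules = parse_acl(text)
    client = "10.20.30.40"  # constructed VPN-assigned client address
    return {
        "dns":             evaluate(rules, "udp", client, "8.8.8.8", 53),
        "clearpass_https": evaluate(rules, "tcp", client, "172.20.6.15", 443),
        "intranet_smb":    evaluate(rules, "tcp", client, "10.1.1.10", 445),
        "ntp":             evaluate(rules, "udp", client, "8.8.8.8", 123),
    }


if __name__ == "__main__":
    for flow, verdict in restricted_access_checks().items():
        print(f"{flow:16s} {verdict}")
```

    The useful check here is the last two rows: anything that is not DNS or the ClearPass host falls through to the explicit deny, which is exactly the state the OnGuard agent must be able to report health from, so the ClearPass address in the second line has to be the one the agent actually talks to.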
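    To make the CoA enforcement profile above concrete on the wire, here is an added Python example (not from the post, and not ClearPass or ASA code) that encodes the three attributes the profile sends (Cisco-AVPair, Calling-Station-Id, Filter-Id) into a RADIUS CoA-Request as defined in RFC 5176, computes the Request Authenticator the ASA checks against the shared secret, and verifies the CoA-ACK or CoA-NAK that comes back. It does not reproduce how ClearPass matches the WebAuth session to the VPN session (the part the thread is debugging); it only shows what a correctly formed request and a genuine reply look like, which is what `debug radius dyn-auth` lets you compare against. The session id, client address and shared secret are constructed sample values.

```python
import hashlib
import struct

# RADIUS Dynamic Authorization packet codes (RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard attribute types (RFC 2865) plus the Cisco vendor id and VSA sub-type.
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1


def attribute(atype, value):
    """Encode one type-length-value attribute; length includes the 2-byte header."""
    data = value.encode() if isinstance(value, str) else value
    return struct.pack("!BB", atype, 2 + len(data)) + data


def cisco_avpair(text):
    """Encode a Cisco-AVPair: Vendor-Specific (26), vendor 9, sub-type 1."""
    data = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier, attrs, secret):
    """CoA-Request. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Decode attributes to (name, value) pairs; Cisco VSAs come back as ('Cisco-AVPair', text)."""
    names = {ATTR_FILTER_ID: "Filter-Id", ATTR_CALLING_STATION_ID: "Calling-Station-Id"}
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        value = body[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE:
                out.append(("Cisco-AVPair", value[6:4 + vlen].decode()))
            else:
                out.append(("Vendor-Specific", value))
        else:
            out.append((names.get(atype, atype), value.decode()))
        i += alen
    return out


def build_response(code, request, secret, attrs=()):
    """CoA-ACK/NAK as the NAS builds it. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """Return the response code if it is an authentic CoA-ACK/NAK for `request`, else None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if response[4:20] == expected else None


# Constructed sample values (not from the thread).
SAMPLE_SESSION = "audit-session-id=0A14060F0000ABCD12345678"
SAMPLE_CLIENT = "10.20.30.40"
SAMPLE_SECRET = b"constructed-shared-secret"

# The three rows of the "allowall" CoA enforcement profile from the post.
ALLOWALL_ATTRS = [
    cisco_avpair(SAMPLE_SESSION),                       # Radius:Cisco | Cisco-AVPair
    attribute(ATTR_CALLING_STATION_ID, SAMPLE_CLIENT),  # Radius:IETF  | Calling-Station-Id
    attribute(ATTR_FILTER_ID, "allowall-ACL"),          # Radius:IETF  | Filter-Id
]


def demo():
    """Build the request, simulate the ASA's ACK, and verify it."""
    req = build_coa_request(7, ALLOWALL_ATTRS, SAMPLE_SECRET)
    ack = build_response(COA_ACK, req, SAMPLE_SECRET)
    return parse_attributes(req[20:]), verify_response(ack, req, SAMPLE_SECRET)


if __name__ == "__main__":
    print(demo())
```

    Two things worth noting from a troubleshooting angle: a CoA-NAK is still an authenticated reply and means the ASA received the request but rejected it (for example because the session it names is not found), whereas no reply at all, or a request never leaving ClearPass as the packet trace in this thread showed, points at the device type, port or session-matching configuration rather than at the attributes.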

     



  • 10.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 09, 2016 09:46 AM

    Thanks again John. 

     

    I am back in the office today to test the configurations. The two things that are different between our configs are the Device Type and the CoA Enforcement Profile Cisco-AVPair. I adjusted both to your recommendations and still a no-go for me. I also am not running 6.6 which may be the big difference. I am still at 6.5.4. I need to get an updated subscription and update the server. I hope that once that is done, it will work! I will post back.



  • 11.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 09, 2016 09:58 AM
    Ok, I'm running 6.6.2 and wouldn't recommend trying this on anything below that ;) It might still work, but then you still don't have any reference to a place it DOES work - like mine :)


  • 12.  RE: OnGuard -CoA with Cisco ASA and AnyConnect
    Best Answer

    Posted Nov 10, 2016 09:06 AM

    I upgraded to 6.6.2 last night and voilà, it's working! I did make an interesting discovery which now makes me question if it may have worked with 6.5 (not that I should ever need to do that)...

     

    My test laptop is not domain joined. When connecting AnyConnect, I was authing with my domain credentials. The OnGuard client, by default, was authing with computer\user credentials. Previously, I had configured a local user account in CP to match the credentials for this to work. I have found that if the AnyConnect credentials don't match the OnGuard credentials, the CoA does not work. I assumed it matched on SessionID since that is what the ENF was looking at. So I guess it looks at SessionID AND Username.

     

    With credentials synced, everything works. CoA, DACL, FilterID, URL Redirect.

     

    Without your tips on the Device = Cisco, and Cisco-AVPair, I would never have gotten this to work. Thanks a bunch!



  • 13.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 10, 2016 10:23 AM

    Glad to hear I have helped - it was an interesting scenario :)



  • 14.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Nov 10, 2016 03:07 PM

    How are you handling the initial VPN Connection and Health check? The Agent has Not Known health status upon initial connection. 

     

    The canned service configuration will send URL Redirect to download the agent. This makes sense for a new client but not for a client that already has it installed. 

     

    Each time a VPN client connects, they get a browser pop and are redirected.. the Agent will eventually check in, report good health and send the (now working :-) CoA to place the correct ACL. So they will have the correct access but an annoying browser pop.

     

    I could shut this off but what happens if a client does fail posture check? Now we DO want to kick them and redirect to a page and inform them.

     

    The little red OnGuard icon for bad health isn't that noticeable and the user may not know this is something to check. I could pop a message but it only displays for a few seconds.

     



  • 15.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jul 26, 2017 12:24 PM

    Hi, airhead1234

     

    Did you find a way to get the AnyConnect VPN to work the way you described?



  • 16.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Dec 02, 2016 03:06 PM

    Dear Sir:  I'm unable to access the referenced arubapedia link - is that web article still available?

     

    https://arubapedia.arubanetworks.com/afp/index.php/Cisco_VPN_Health

     

    Thank you!

    David

     



  • 17.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    EMPLOYEE
    Posted Dec 02, 2016 03:12 PM
    Are you an Aruba partner?


  • 18.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Dec 02, 2016 03:15 PM
    Me? Yes, we talked on the phone a week ago about this topic ;)


  • 19.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Dec 02, 2016 03:23 PM

    I'm an Aruba customer not a partner.  Our company has purchased the Aruba Clearpass NAC solution to replace Cisco Clean Access and we are working to integrate it with our Cisco ASA firewalls which provide SSL VPN remote access using Cisco AnyConnect VPN clients.



  • 20.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    EMPLOYEE
    Posted Dec 02, 2016 03:31 PM
    You can reach out to your Aruba ClearPass partner if you need access
    assistance with this configuration.



    Please feel free to ask any questions in this forum (please create a new
    thread).


  • 21.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Mar 07, 2020 05:09 PM

    Sorry to reply to an old topic, but I'm unable to make this work.

    My OnGuard is not updating the posture of the Endpoint. Also, I can only see a strange MAC address as username and the IP address within the webauth session. How will OnGuard know what Endpoint to update with only this info?

    And how does it get the info to fill the CoA? Without matching info inside OnGuard, I can't see how it can find the IETF Calling-Station-Id.

    Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair}
    Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id}
    Radius:IETF | Filter-Id | allowall-ACL

      ps.: I do not have access to Arubapedia



  • 22.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Mar 13, 2020 05:13 PM

    Was able to get access to the document.

     

    I can use the VPN Connection IP that is received from OnGuard to get the audit-session-id and the VPN connection username from the database. But then, CoA does not work.

    Does anyone know the "magic" that ClearPass does to know where to send a CoA when it is generated by OnGuard?



  • 23.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jun 09, 2020 11:32 PM

    Hi, for the CoA to work you need to configure the onguard settings as health check and Authenticate, configure the webauth to authenticate the user and then you need to use the same credentials in the radius authentication(VPN) as well as in the onguard agent.

     

    You can use the enforcements and configurations posted in thread because they do work.

     

    If you need any help please let me know and i think i can help you.



  • 24.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jun 16, 2020 04:38 PM

    Yes. That works.

    But I do not want my users to authenticate twice (anyconnect + onguard).

    I was able to get the SessionId AVP using the assigned IP address, but am unable to send a CoA even with those values. ClearPass seems to only use username to match the session. It could use IP and it would work perfectly for this case...

     

    Is there any way to do this without auth on OnGuard? Or, alternatively, send a CoA to a particular NAS that I define (ex: I add the IP address of the NAS to the CoA enforcement and send it with OnGuard with the proper VSA)?

     

    To make this clear:

    - I know the address of the NAS / Asa

    - I know all the vsa values that I must send (session avp, username, etc)

    - How to send the CoA from the OnGuard webauth service?



  • 25.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jun 16, 2020 08:09 PM

    To minimize the OnGuard sign in, have you investigated the OnGuard SSO option, not applicable for every desktop OS but Yes for Windows. It allows OnGuard to take the Windows sign-in as the OnGuard credentials.



  • 26.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jun 16, 2020 09:14 PM

    Hi Danny,

     

    Every solution you give relies on computers being joined to a domain, managed, having software pushed by admins, and so on.

    The world has moved from that. BYOD devices, AzureAD, Linux, macOS. Nothing will work with that solution.

    If computers are managed, there is no need to use OnGuard. The admin already knows the state of the computers...

     

    I can get all the information to put on the CoA without ever relying on username. Without any login on OnGuard. It would work just fine if I could just send a CoA to the ASA with the info I already have (that, by the way, is contained inside the ClearPass database). I can only assume you, ClearPass, can also get the same info and just use it to send the CoA without relying on usernames.

     

    So, is there any way for me to send a CoA to a particular device, from OnGuard webauth and bypass that login-twice or join-domain nonsense?

     

    Regards.



  • 27.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jun 17, 2020 03:53 PM

    Hi, i don't think there is one yet but maybe you can try the following and see if it works.

     

    Since the RADIUS auth gives you the session-id needed to send a CoA to the Cisco ASA, you can probably save it as an attribute of the endpoint that is actually a MAC address. Later, when you are in the webauth service you can use the attribute of that endpoint to construct the CoA with the session-id. Something like this (probably not the correct syntax but you can get the idea)

     

    Radius:Cisco | Cisco-AVPair | %{Endpoint:attribute}

     

    Regards



  • 28.  RE: OnGuard -CoA with Cisco ASA and AnyConnect

    Posted Jun 19, 2020 07:37 AM

    I'm a bit smarter than that, and get the audit-session-id directly from the ClearPass database, inside the OnGuard webauth service (authorization source).

     

    The problem is that OnGuard webauth will not send the CoA. OnGuard sends a "dummy" MAC address, and the webauth service does not match the RADIUS connection. So, OnGuard does not know the NAS where the client is connected and will not send the CoA, even though all details are there: audit-session-id, MAC address, username.

    These are all details that match the RADIUS authentication session, but ClearPass refuses to send the CoA to the ASA from OnGuard webauth service.