MVP

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Ok, I'm running 6.6.2 and wouldn't recommend trying this on anything below that ;) It might still work, but then you still don't have any reference to a place it DOES work - like mine :)

Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Regular Contributor II

Re: OnGuard -CoA with Cisco ASA and AnyConnect

I upgraded to 6.6.2 last night and voila, it's working! I did make an interesting discovery which now makes me question if it may have worked with 6.5 (not that I should ever need to do that)...


My test laptop is not domain joined. When connecting AnyConnect, I was authing with my domain credentials. The OnGuard client, by default, was authing with computer\user credentials. Previously, I had configured a local user account in CP to match the credentials for this to work. I have found that if the AnyConnect credentials don't match the OnGuard credentials, the CoA does not work. I assumed it matched on SessionID since that is what the ENF was looking at. So I guess it looks at SessionID AND Username.


With credentials synced, everything works. CoA, DACL, FilterID, URL Redirect.


Without your tips on the Device = Cisco, and Cisco-AVPair, I would never have gotten this to work. Thanks a bunch!


AMFX/ACEX #69
Aruba Partner Ambassador
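The post above reports two things worth seeing in concrete form: the ASA only honours the CoA when the session identifier and the username both line up, and the enforcement itself is delivered as standard RADIUS attributes (Filter-Id) plus Cisco-AVPair vendor attributes (URL redirect). The following is an added example written for this page, not code from the thread, from ClearPass or from Cisco. It builds and verifies an RFC 5176 CoA-Request with those attributes in plain Python, and models the "SessionID AND Username" matching rule as the poster observed it (that rule, the ACL names, the redirect URL, the session id and the shared secret are all constructed values; Message-Authenticator is omitted for brevity).

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 and RFC 5176; Cisco's IANA enterprise number is 9.
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (length covers the header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute for vendor 9."""
    inner = attr(CISCO_AVPAIR, text.encode("utf-8"))
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier: int, secret: bytes, attributes: bytes) -> bytes:
    """Build a CoA-Request; the Request Authenticator is MD5 over the packet with a
    zeroed authenticator field followed by the shared secret (RFC 5176 section 3)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """The check a NAS performs before acting on a CoA: recompute the authenticator."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    header, authenticator, attributes = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value)] in packet order; Cisco VSAs come back as ("Cisco-AVPair", str)."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub_len = value[5]
            out.append(("Cisco-AVPair", value[6:4 + sub_len].decode("utf-8")))
        else:
            out.append((atype, value))
        pos += alen
    return out


# Constructed view of the VPN sessions the NAS holds: Acct-Session-Id -> authenticated user.
ACTIVE_SESSIONS = {"1A2B3C4D": "CORP\\alice"}


def session_matches(packet: bytes, sessions: dict = ACTIVE_SESSIONS) -> bool:
    """Matching rule the post reports: the CoA only takes effect when Acct-Session-Id
    AND User-Name both identify the same live session (assumed NAS behaviour)."""
    attrs = {k: v for k, v in parse_attributes(packet) if k != "Cisco-AVPair"}
    session_id = attrs.get(ATTR_ACCT_SESSION_ID, b"").decode("utf-8")
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8")
    return sessions.get(session_id) == username


def enforce(identifier: int, secret: bytes, session_id: str, username: str,
            healthy: bool) -> bytes:
    """Two enforcement outcomes from the thread: healthy -> Filter-Id ACL; unhealthy ->
    url-redirect via Cisco-AVPair. ACL names and the URL are placeholder values."""
    attributes = (attr(ATTR_ACCT_SESSION_ID, session_id.encode("utf-8"))
                  + attr(ATTR_USER_NAME, username.encode("utf-8")))
    if healthy:
        attributes += attr(ATTR_FILTER_ID, b"VPN-HEALTHY-ACL")
    else:
        attributes += cisco_avpair("url-redirect-acl=QUARANTINE-REDIRECT")
        attributes += cisco_avpair("url-redirect=https://nac.example.invalid/onguard")
    return build_coa_request(identifier, secret, attributes)


if __name__ == "__main__":
    secret = b"s3cret"
    for user in ("CORP\\alice", "laptop\\alice"):
        pkt = enforce(7, secret, "1A2B3C4D", user, healthy=True)
        print(user, "authenticator ok:", verify_coa_request(pkt, secret),
              "session match:", session_matches(pkt))
```

Running it shows the failure mode from the post: the packet for `laptop\alice` is perfectly valid (the authenticator checks out), yet the NAS ignores it because the username does not match the user that opened the AnyConnect session, which is why syncing the OnGuard and AnyConnect credentials was the fix.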


MVP

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Glad to hear I have helped - it was an interesting scenario :)


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Regular Contributor II

Re: OnGuard -CoA with Cisco ASA and AnyConnect

How are you handling the initial VPN connection and health check? The agent has a Not Known health status upon initial connection.


The canned service configuration will send URL Redirect to download the agent. This makes sense for a new client but not for a client that already has it installed. 


Each time a VPN client connects, they get a browser pop-up and are redirected... the agent will eventually check in, report good health and send the (now working :-) CoA to place the correct ACL. So they will have the correct access but an annoying browser pop-up.


I could shut this off but what happens if a client does fail posture check? Now we DO want to kick them and redirect to a page and inform them.


The little red OnGuard icon for bad health isn't that noticeable and the user may not know this is something to check. I could pop a message but it only displays for a few seconds.



AMFX/ACEX #69
Aruba Partner Ambassador
New Contributor

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Dear Sir: I'm unable to access the referenced Arubapedia link - is that web article still available?


https://arubapedia.arubanetworks.com/afp/index.php/Cisco_VPN_Health


Thank you!

David

Moderator

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Are you an Aruba partner?


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

MVP

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Me? Yes, we talked on the phone a week ago about this topic ;)

Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
New Contributor

Re: OnGuard -CoA with Cisco ASA and AnyConnect

I'm an Aruba customer, not a partner. Our company has purchased the Aruba ClearPass NAC solution to replace Cisco Clean Access and we are working to integrate it with our Cisco ASA firewalls, which provide SSL VPN remote access using Cisco AnyConnect VPN clients.

Moderator

Re: OnGuard -CoA with Cisco ASA and AnyConnect

You can reach out to your Aruba ClearPass partner if you need access assistance with this configuration.

Please feel free to ask any questions in this forum (please create a new thread).


| Aruba Alumni | @timcappalli | timcappalli.me |

New Contributor

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Hi, airhead1234


Did you find a way to get the AnyConnect VPN to work the way you described?
