Regular Contributor I

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Sorry to reply to an old topic, but I'm unable to make this work.

My OnGuard is not updating the posture of the endpoint. Also, I can only see a strange MAC address as username and the IP address within the webauth session. How will OnGuard know what endpoint to update with only this info?

And how does it get the info to fill the CoA? Without matching info inside OnGuard, I can't see how it can find the IETF Calling-Station-Id.

Radius:Cisco | Cisco-AVPair | %{Radius:Cisco:Cisco-AVPair}
Radius:IETF | Calling-Station-Id | %{Radius:IETF:Calling-Station-Id}
Radius:IETF | Filter-Id | allowall-ACL

PS: I do not have access to Arubapedia.
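To make concrete what the enforcement profile above turns into on the wire, here is an added example (not ClearPass code and not from anyone in this thread) that builds, decodes and verifies a RADIUS CoA-Request as defined in RFC 5176 carrying exactly those three attributes: Cisco-AVPair with `audit-session-id`, IETF Calling-Station-Id and Filter-Id. The shared secret, NAS address, audit-session-id and Calling-Station-Id values are constructed; the UDP port 1700 is the ASA's default for `dynamic-authorization`. The point it shows is the one the thread circles around: a CoA is just a datagram addressed to a NAS, the session is identified only by the attributes the sender chooses to put in it, and the NAS accepts it because the Request Authenticator and Message-Authenticator are keyed with the shared secret, not because of any username.

```python
"""Build, decode and verify a RADIUS CoA-Request (RFC 5176).  Added example,
not ClearPass code; secret, NAS address, audit-session-id and
Calling-Station-Id are constructed values."""
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RADIUS code; CoA-ACK is 44, CoA-NAK is 45
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor-type of Cisco-AVPair inside VSA 26
ASA_COA_PORT = 1700              # ASA "dynamic-authorization" default UDP port


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value RADIUS attribute."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Cisco-AVPair = Vendor-Specific(26) / vendor-id 9 / vendor-type 1 / text."""
    inner = _avp(CISCO_AVPAIR, text.encode())
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret: bytes, packet_id: int, audit_session_id: str,
                      calling_station_id: str, filter_id: str) -> bytes:
    """The datagram the RADIUS server sends to the NAS.  Only the attributes we
    add identify the session; the NAS trusts the packet because both
    authenticators are keyed with the shared secret."""
    attrs = (cisco_avpair(f"audit-session-id={audit_session_id}")
             + _avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + _avp(ATTR_FILTER_ID, filter_id.encode())
             + _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, filled below
    header = struct.pack("!BBH", COA_REQUEST, packet_id & 0xFF, 20 + len(attrs))
    # RFC 5176 / RFC 3579: Message-Authenticator = HMAC-MD5(secret) over the packet
    # with the Request Authenticator field and the Message-Authenticator value zeroed.
    msg_auth = hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    # Request Authenticator as for Accounting-Request (RFC 2866):
    # MD5(code+id+length + 16 zero octets + attributes + secret).
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def _iter_attrs(attrs: bytes):
    """Yield (type, offset, value) for each attribute, refusing malformed lengths."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, ln = attrs[pos], attrs[pos + 1]
        if ln < 2 or pos + ln > len(attrs):
            raise ValueError("malformed attribute length")
        yield t, pos, attrs[pos + 2:pos + ln]
        pos += ln


def parse_attributes(packet: bytes) -> dict:
    """Decode the session-identifying attributes the NAS will match on."""
    out = {"Cisco-AVPair": []}
    for t, _, v in _iter_attrs(packet[20:]):
        if t == ATTR_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            out["Cisco-AVPair"].append(v[6:4 + v[5]].decode())   # v[4]=vendor-type, v[5]=vendor-length
        elif t == ATTR_CALLING_STATION_ID:
            out["Calling-Station-Id"] = v.decode()
        elif t == ATTR_FILTER_ID:
            out["Filter-Id"] = v.decode()
    return out


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """The receiving NAS's check: both authenticators must verify under the shared
    secret, and this example additionally rejects requests lacking Message-Authenticator."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expect = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expect, req_auth):
        return False
    try:
        for t, pos, v in _iter_attrs(attrs):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
                zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
                mac = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
                return hmac.compare_digest(mac, v)
    except ValueError:
        return False
    return False


def send_coa(packet: bytes, nas_ip: str, port: int = ASA_COA_PORT, timeout: float = 3.0) -> bytes:
    """Deliver the request to the NAS and return its reply (44 = CoA-ACK, 45 = CoA-NAK)."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nas_ip, port))
        reply, _ = s.recvfrom(4096)
    return reply


if __name__ == "__main__":
    pkt = build_coa_request(b"constructed-secret", 7, "0A0000010000000A5D2F1C3B",
                            "00-11-22-33-44-55", "allowall-ACL")
    print(parse_attributes(pkt), verify_coa_request(pkt, b"constructed-secret"))
    # send_coa(pkt, "192.0.2.1")  # constructed ASA address; the secret must match its aaa-server entry
```

Note that `verify_coa_request` is what the ASA side does, not something ClearPass exposes; it is here so you can see why a CoA built from attributes alone is accepted, and why a request with the wrong secret or a modified Filter-Id is dropped before any session lookup happens.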

Regular Contributor I

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Was able to get access to the document.

 

I can use the VPN Connection IP that is received from OnGuard to get the audit-session-id and the VPN connection username from the database. But then, CoA does not work.

Does anyone know the "magic" that ClearPass does to know where to send a CoA when it is generated by OnGuard?

Occasional Contributor II

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Hi, for the CoA to work you need to configure the OnGuard settings as Health Check and Authenticate, configure the webauth to authenticate the user, and then you need to use the same credentials in the RADIUS authentication (VPN) as well as in the OnGuard agent.

You can use the enforcements and configurations posted in this thread because they do work.

If you need any help please let me know and I think I can help you.

Regular Contributor I

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Yes. That works.

But I do not want my users to authenticate twice (anyconnect + onguard).

I was able to get the SessionId AVP using the assigned IP address, but am unable to send a CoA even with those values. ClearPass seems to only use the username to match the session. It could use the IP and it would work perfectly for this case...

Is there any way to do this without auth on OnGuard? Or, alternatively, send a CoA to a particular NAS that I define (e.g. I add the IP address of the NAS to the CoA enforcement and send it with OnGuard with the proper VSA)?

 

To make this clear:

- I know the address of the NAS / Asa

- I know all the vsa values that I must send (session avp, username, etc)

- How to send the CoA from the OnGuard webauth service?

Moderator

Re: OnGuard -CoA with Cisco ASA and AnyConnect

To minimize the OnGuard sign in, have you investigated the OnGuard SSO option, not applicable for every desktop OS but Yes for Windows. It allows OnGuard to take the Windows sign-in as the OnGuard credentials.


Best Regards
-d

ClearPass Product Manager

Regular Contributor I

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Hi Danny,

 

Every solution you give relies on computers being joined to a domain, managed, having software pushed by admins, and so on.

The world has moved on from that. BYOD devices, Azure AD, Linux, macOS. Nothing will work with that solution.

If computers are managed, there is no need to use OnGuard. The admin already knows the state of the computers...

 

I can get all the information to put on the CoA without ever relying on username. Without any login on OnGuard. It would work just fine if I could just send a CoA to the ASA with the info I already have (that, by the way, is contained inside the ClearPass database). I can only assume you, ClearPass, can also get the same info and just use it to send the CoA without relying on usernames.

 

So, is there any way for me to send a CoA to a particular device, from OnGuard webauth and bypass that login-twice or join-domain nonsense?

 

Regards.

Occasional Contributor II

Re: OnGuard -CoA with Cisco ASA and AnyConnect

Hi, I don't think there is one yet, but maybe you can try the following and see if it works.

Since the RADIUS auth gives you the session-id needed to send a CoA to the Cisco ASA, you can probably save it as an attribute of the endpoint that is actually a MAC address. Later, when you are in the webauth service you can use the attribute of that endpoint to construct the CoA with the session-id. Something like this (probably not the correct syntax, but you can get the idea):

Radius:Cisco | Cisco-AVPair | %{Endpoint:attribute}

 

Regards

Regular Contributor I

Re: OnGuard -CoA with Cisco ASA and AnyConnect

I'm a bit smarter than that, and get the audit-session-id directly from the ClearPass database, inside the OnGuard webauth service (authorization source).

The problem is that OnGuard webauth will not send the CoA. OnGuard sends a "dummy" MAC address, and the webauth service does not match the RADIUS connection. So, OnGuard does not know the NAS where the client is connected and will not send the CoA, even though all details are there: audit-session-id, MAC address, username.

These are all details that match the RADIUS authentication session, but ClearPass refuses to send the CoA to the ASA from OnGuard webauth service.
