Occasional Contributor I

Posturing of VPN users with Cisco ASA

Dear Community,


I have a customer to whom I have to give Aruba WLAN and BYOD (onboard, onguard and guest) solution. He want posturing for his VPN users as well and the VPN termination point is Cisco ASA 5540 with OS version pre-9.2.

In one of the technical documents I found that posturing of VPN users can be performed by using Aruba VIA (virtual intranet agent) with PEFV license enablement on Aruba controller for pre-9.2 OS version of Cisco ASA as this firewall version cannot support CoA. Can someone confirm this statement?

Another thing I want to ask is that can I use onguard agent instead of VIA and in this way can I skip the requirement of PEFV license on Aruba controller?

Your appropriate response will be highly appreciated.


Aruba Employee

Re: Posturing of VPN users with Cisco ASA

This *may* work without a controller and VIA. It all depends if you can keep the client IP address after the Agent Bounce (persistent agent will be required). IIRC, we use the IP address to track the health token from Health Check back to the next VPN auth.


Now, the problem you might get into is if the client doesn't have the OnGuard persistent agent. Can that version of ASA do a RADIUS based captive portal redirect? Then you might be ok. For health UNKNOWN just redirect them to a page to install the persistent agent.


Zach Jennings
Search Airheads
Showing results for 
Search instead for 
Did you mean: