Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Posturing of VPN users with Cisco ASA

  • 1.  Posturing of VPN users with Cisco ASA

    Posted Jul 19, 2015 01:50 PM

    Dear Community,

     

    I have a customer to whom I have to give an Aruba WLAN and BYOD (Onboard, OnGuard and Guest) solution. He wants posturing for his VPN users as well, and the VPN termination point is a Cisco ASA 5540 with OS version pre-9.2.

    In one of the technical documents I found that posturing of VPN users can be performed by using Aruba VIA (Virtual Intranet Agent) with PEFV license enablement on the Aruba controller for pre-9.2 OS versions of Cisco ASA, as this firewall version cannot support CoA. Can someone confirm this statement?

    Another thing I want to ask is whether I can use the OnGuard agent instead of VIA, and in this way skip the requirement of the PEFV license on the Aruba controller?

    Your appropriate response will be highly appreciated.

    Thanks.



  • 2.  RE: Posturing of VPN users with Cisco ASA
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2015 08:58 AM

    This *may* work without a controller and VIA. It all depends if you can keep the client IP address after the Agent Bounce (persistent agent will be required). IIRC, we use the IP address to track the health token from Health Check back to the next VPN auth.

     

    Now, the problem you might get into is if the client doesn't have the OnGuard persistent agent. Can that version of ASA do a RADIUS based captive portal redirect? Then you might be ok. For health UNKNOWN just redirect them to a page to install the persistent agent.