Andris,
Glad that got you started. I suggest you reach out via your Aruba Partner/Aruba SE to raise a feature request for this; I'm no longer @ Aruba, just providing my knowledge here to help you all as a passionate ex-Aruba CPPM Product Manager :-)
Under Android, the issue could be the changes made in the past couple of years to protect the h/w mac-address, the same as in iOS, which manifested itself as this obfuscation of the mac-address last year. As you know, this feature has been in Windows for 3+ years but made the most news with iOS14 last year; Google added an option to Android also a few years back, so my guess is this might be linked to the issue you have with Android. Some VPN vendors use the virt-mac for all devices {they think who cares as it's L3}... some allow you to configure one {not very often}, some just don't pass it.... it's a jungle.
HTH
------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------
Original Message:
Sent: Mar 02, 2021 01:09 PM
From: Andris Dreimanis
Subject: Session Notification Enforcement not working for ASA Anyconnect
Oh, nice one, completely missed that option, thanks!
As far as Windows goes, that is working as expected, but there seems to be one caveat with this on Android: the AVPair attribute that is being parsed by CP is "device-public-mac", but in the case of AnyConnect for Android that AVPair is not present; instead there is only "device-mac" being sent, so that means we're getting this in the logs:
INFO RadiusServer.Radius - rlm_service: device-public-mac= value not present in any of Cisco-AVPairs
Don't know about Mac; that will be tested.
Tbh, this is not the first time this AnyConnect behavior is causing an issue, as there is at least one MDM solution that requires "device-public-mac" to be present, but as AnyConnect is not passing that, it is causing an issue, and as far as I know, that is not something we can adjust.
Have you considered giving the ability to adjust which AVPair value is taken into account?
------------------------------
Andris
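To make the mismatch above concrete, here is an added Python example (not ClearPass code, and not from anyone in this thread) that parses Cisco-AVPair values out of a RADIUS request the way a policy engine would have to. It goes beyond what the thread says ClearPass does: the thread states CPPM looks only for "device-public-mac", while this helper also falls back to "device-mac" (the attribute Android AnyConnect was observed to send), and it flags the other symptom described earlier, Calling-Station-Id carrying an IP address instead of a MAC. The request dict shape, the attribute values and the fallback order are constructed for illustration.

```python
"""Extract a device MAC from Cisco-AVPair values carried in a RADIUS request.

Added example, not ClearPass code. The thread says ClearPass parses only
"device-public-mac"; this helper also falls back to "device-mac" (an assumed
behaviour, not a documented ClearPass one) and reports when Calling-Station-Id
holds an IP address rather than a MAC.
"""
import ipaddress
import re

# Cisco-AVPair keys in preference order. "device-public-mac" is the key the
# thread says ClearPass looks for; "device-mac" is what AnyConnect for Android
# was observed to send. The fallback order itself is an assumption.
MAC_AVPAIR_KEYS = ("device-public-mac", "device-mac")

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)


def normalize_mac(value):
    """Return the MAC as lower-case colon-separated hex, or None if it is not a MAC."""
    v = value.strip().lower()
    if not _MAC_RE.match(v):
        return None
    digits = re.sub(r"[^0-9a-f]", "", v)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_avpairs(avpairs):
    """Turn ['key=value', ...] into a dict; later duplicates win, malformed entries are skipped."""
    out = {}
    for pair in avpairs:
        key, sep, val = pair.partition("=")
        if sep:
            out[key.strip()] = val.strip()
    return out


def device_mac_from_avpairs(avpairs):
    """Return (mac, key_used), or (None, None) if no usable MAC AVPair is present."""
    attrs = parse_avpairs(avpairs)
    for key in MAC_AVPAIR_KEYS:
        if key in attrs:
            mac = normalize_mac(attrs[key])
            if mac:
                return mac, key
    return None, None


def classify_calling_station_id(value):
    """Return 'mac', 'ip' or 'other'; the thread says ClearPass expects a MAC here."""
    if normalize_mac(value):
        return "mac"
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "other"


def resolve_endpoint_mac(request):
    """Pick the MAC (if any) to use for an endpoint lookup, plus where it came from.

    `request` is a constructed dict holding just the attributes of interest:
    {"Calling-Station-Id": str, "Cisco-AVPair": [str, ...]}
    """
    csid = request.get("Calling-Station-Id", "")
    kind = classify_calling_station_id(csid)
    if kind == "mac":
        return normalize_mac(csid), "Calling-Station-Id"
    mac, key = device_mac_from_avpairs(request.get("Cisco-AVPair", []))
    if mac:
        return mac, "Cisco-AVPair:" + key
    return None, "no MAC in Calling-Station-Id (%s) or Cisco-AVPair" % kind


# Constructed sample requests mirroring the thread: Windows sends
# device-public-mac, Android sends only device-mac, and Calling-Station-Id
# carries the client's VPN IP rather than a MAC in every case.
WINDOWS_REQUEST = {
    "Calling-Station-Id": "10.20.30.40",
    "Cisco-AVPair": ["device-platform=win", "device-public-mac=00-11-22-AA-BB-CC"],
}
ANDROID_REQUEST = {
    "Calling-Station-Id": "10.20.30.41",
    "Cisco-AVPair": ["device-platform=android", "device-mac=0011.22dd.eeff"],
}
BARE_REQUEST = {"Calling-Station-Id": "10.20.30.42", "Cisco-AVPair": []}

if __name__ == "__main__":
    for name, req in (("windows", WINDOWS_REQUEST), ("android", ANDROID_REQUEST), ("bare", BARE_REQUEST)):
        print(name, resolve_endpoint_mac(req))
```

The BARE_REQUEST case is the one that produces a log line like the `device-public-mac= value not present` message quoted above: nothing usable arrives in either attribute, so no endpoint lookup can be keyed on a MAC and any MAC-driven post-auth action has nothing to act on.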
Original Message:
Sent: Mar 02, 2021 12:37 PM
From: Danny Jump
Subject: Session Notification Enforcement not working for ASA Anyconnect
In later versions {Note this was added about ~2 years back} of AnyConnect the mac-address is sent as an AV-Pair; back in a release in the 6.8.x code train we added a feature to parse this and use it to help trigger situations like post-auth. Ensure this is enabled on your CPPM under..... Admin > Server Manager > Server Config <choose your node/publisher> > Service Parameters > <choose Radius Server> > then scroll down until you see "Parse Cisco-AVPair to get device mac"
HTH
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Mar 02, 2021 06:30 AM
From: Andris Dreimanis
Subject: Session Notification Enforcement not working for ASA Anyconnect
Hi,
Did you manage to get this working?
Based on my research, the issue is that AnyConnect is not sending Calling Station ID as a MAC address, which is expected by ClearPass to trigger the update process. This was confirmed in one of my previous TAC cases: the endpoint database is the source of truth and the MAC address is stored there. Instead, AnyConnect is using the IP address in Calling Station ID, and that messes up the behavior. I don't think there is a way to change it on the AnyConnect/ASA side, but that is still being researched.
------------------------------
Andris
Original Message:
Sent: Sep 27, 2020 05:39 PM
From: Ricardo Duarte
Subject: Session Notification Enforcement not working for ASA Anyconnect
Hi there,
I just set up a service to authenticate Cisco AnyConnect clients.
Everything is working well except the "Session Notification Enforcement" I need.
I want to call an external API when users connect and disconnect. I set the Session Notification Enforcement with the correct Context Server Actions, but ClearPass never seems to call those actions.
Any idea what the problem could be?
Thanks