Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM radius authentications and Onguard posture for Pulse Secure VPN

  • 1.  CPPM radius authentications and Onguard posture for Pulse Secure VPN

    Posted Jun 02, 2023 05:58 AM

    Hello,

    Our wireless network is currently using CPPM for 802.1x radius authentications and Onguard for Posture checks. We are now trying to achieve the same for Pulse Secure VPN clients. We have been able to get CPPM radius PAP authentication & Onguard posture checking working SEPARATELY for VPN clients, but now need to "link" them.

    The radius authentication happens before the posture check and then I can't seem to send any kind of termination of the radius session with a non-compliant posture check.

    thank you in advance



  • 2.  RE: CPPM radius authentications and Onguard posture for Pulse Secure VPN

    Posted Jun 02, 2023 03:41 PM

    Hi

    I have not worked with this combination, but my guess is that you may need to install the proper Radius dictionary for Pulse to be able to send the correct dynamic authorization (CoA) back to Pulse for the termination.

    Normal operation for Onguard is an authentication with unknown posture status first, Onguard sending the posture status followed by a CoA. Finally a new 802.1x authentication now with cached posture status.

    In the 802.1x Service you must have the checkbox for "Use Cached Results" checked (I assume you already have this):

    In the service for Onguard you should use the Pulse CoA.

    If both of these are in place I have no good idea. The client will be terminated at any time after the authentication if you have the persistent client running. If you are running the non-persistent Onguard client the check will only be done on first connection.

    Screenshots of your configuration and from Access Tracker records may help in troubleshooting, if you can send this type of information.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
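
As background for the dynamic authorization step discussed in the reply above, this added example (not from the thread, and not Aruba or Pulse Secure code) builds an RFC 5176 Disconnect-Request and checks it the way the receiving NAS does, which is useful when a termination request appears to be ignored because of a shared-secret mismatch. The shared secret, identifier, and the choice of User-Name and Acct-Session-Id as session identifiers are constructed assumptions; the attributes Pulse Secure actually expects are not stated in the thread.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet code
USER_NAME = 1             # RFC 2865 attribute type
ACCT_SESSION_ID = 44      # RFC 2866 attribute type


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident: int, secret: bytes, attrs: list) -> bytes:
    """Build a Disconnect-Request with the RFC 5176 Request Authenticator."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def nas_accepts(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator with the NAS-side secret and compare."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        out[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return out


# Constructed sample values, not taken from the thread.
SECRET = b"example-shared-secret"
PACKET = build_disconnect_request(
    7, SECRET, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"sess-0001")])
```

If `nas_accepts` fails with the secret configured on the VPN gateway side, the request will not verify there either, so comparing the shared secret on both ends is a sensible first check alongside the Access Tracker records.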