AAA, NAC, Guest Access & BYOD

Onguard client's behavior on a windows machine when user is switched

Question: When I switch from one user to another, no 802.1X authentication is received by ClearPass (so nothing is sent by the Windows machine) and the new user doesn't appear in Access Tracker. Is this the expected behavior in Windows 7? This way, even OnGuard will not authenticate the new user again, and no health check is performed for the new user.

Environment: This applies to all versions of CPPM

Solution:

OnGuard Agent will authenticate and perform health checks for the new user as well, but we do not support the 'switch user' case for the following reason:

The Posture Cache is keyed on MAC address, so the server will store and use the same posture result for both users, as both are connecting from the same IP and MAC address.

This means that for the 2nd user, the server will grant access based on the health state of the first user.

In this case, two instances of the OnGuard Agent (frontend - ClearPassOnGuard.exe) will be running, one for each user.

[Image: rtaImage.png] Here "Test 20" and "test" are two users of the same machine.
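As an added illustration (a constructed model, not ClearPass code or the article's own), the following Python replays a few constructed session records against a posture cache keyed on MAC address only, which is the behavior described above, and contrasts it with a cache keyed on (MAC, user). The MAC addresses, user names and record layout are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One OnGuard session on an endpoint (constructed record, not a ClearPass log)."""
    mac: str            # endpoint MAC address, the server's posture-cache key
    user: str           # Windows user logged on
    posture_run: bool   # True if this agent instance actually ran a health check


def grants_on_foreign_posture(sessions):
    """Replay sessions against a posture cache keyed on MAC only (the behaviour
    described above) and return (user, mac, owner) for every session that was
    decided on a posture result produced by a different user."""
    cache = {}      # mac -> user whose health check produced the stored result
    inherited = []
    for s in sessions:
        if s.posture_run:
            cache[s.mac] = s.user           # fresh result, owned by this user
        else:
            owner = cache.get(s.mac)
            if owner is not None and owner != s.user:
                inherited.append((s.user, s.mac, owner))
    return inherited


def users_forced_to_recheck(sessions):
    """Same replay with the cache keyed on (MAC, user): a second user finds no
    result of their own and would have to be health-checked before a grant."""
    cache = set()
    must_recheck = []
    for s in sessions:
        key = (s.mac, s.user)
        if s.posture_run:
            cache.add(key)
        elif key not in cache:
            must_recheck.append(s.user)
    return must_recheck


# Constructed sample mirroring the screenshot: "Test 20" logs on and is
# health-checked, then "test" arrives via Switch User without a new check.
SAMPLE_SESSIONS = [
    Session("00:11:22:33:44:55", "Test 20", posture_run=True),
    Session("00:11:22:33:44:55", "test", posture_run=False),
    Session("66:77:88:99:aa:bb", "other", posture_run=True),
]

if __name__ == "__main__":
    for user, mac, owner in grants_on_foreign_posture(SAMPLE_SESSIONS):
        print(f"{user} on {mac} was granted access on {owner}'s posture result")
```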

Version History
Revision #: 1 of 1
Last update: 06-27-2014 03:06 PM
Comments
Buzdovan

Hi,

We are testing two posture policies that are applied based on which AD security group the user belongs to. At first, User1 authenticates and Policy1 is applied. Next, after User1 logs off and User2 logs in, we would like Policy2 to be applied for User2. For this to work, we use the restrict-by-roles option in Posture policies. When we test this on two different machines (one for each user), this works fine.

Is it possible to make this work when we use one machine, with both the Log off and Switch user options?

Is this possible?

Buzdovan

It looks like I managed to make it work.

I created the following on ClearPass:
Web-Based Health check only service #1 and Posture policy #1
Web-Based Health check only service #2 and Posture policy #2
Custom endpoint attribute
Custom enforcement profile
802.1x authentication service

During authentication, we populate the custom endpoint attribute with a value that depends on which AD group the user belongs to.

Later, we use this attribute as a classification condition for the Web-Based Health check only service.

If the user belongs to group #1 in AD, we set value #1 on the attribute, and therefore Web-Based Health check only service #1 and Posture policy #1 are applied.
If the user belongs to group #2 in AD, we set value #2 ...

To make this work, we need to enable single sign-on on the network adapter so that ClearPass receives an authentication request each time the user is changed. This will update the endpoint attribute.

The drawback of this solution is that if you have many types of users and would like to apply many different posture checks, you need to create many Web-Based Health check only services with appropriate classification conditions.

I'll try once again to do the same within one Web-Based Health check only service and a number of posture policies once I validate this setup.

Buzdovan

One more remark...

If you use the Switch user option, there will be two ClearPassOnGuardAgent.exe processes running on the machine, and once you actually switch user it will not automatically do a health check (because the process has already performed a health check and now just keeps running).

If you use Log off/Login, a health check will be performed automatically once you log in with the new user, because the process will be started from scratch.
