ClearPass and posture policy

  • 1.  ClearPass and posture policy

    Posted Apr 16, 2012 08:24 AM

    I have been looking at the posture policies and especially the OnGuard agent (persistent and dissolvable) and it looks quite interesting. Creating a posture policy seems reasonably straightforward.

    But when I configure it and try to apply it to a service it doesn't show up. Did I do something wrong?

    The documentation says it should be possible, in my opinion.

    Note that ClearPass OnGuard Agent - both persistent and dissolvable forms it - can be used in the following scenarios:
    • An environment that does not support 802.1X based authentication (legacy Windows Operating Systems, or legacy devices in the network)
    • An OS that supports 802.1X natively, but does not have a built-in health agent. For example, MAC OS X.

     



  • 2.  RE: ClearPass and posture policy

    EMPLOYEE
    Posted Apr 16, 2012 05:23 PM

    Currently the OnGuard agent cannot be used with 802.1x. It can only be used with a web auth service. Try creating a Web-based Authentication service.



  • 3.  RE: ClearPass and posture policy

    Posted Apr 17, 2012 03:45 AM

    Thanks zjennings, sorry to hear that. What are the plans for making the OnGuard agent work with 802.1x?

    What are my options for posture with 802.1x then, only the NAP agent I guess? Or is there a way to do something once the client is connected via 802.1x?

    Because I believe the NAP agent doesn't work with MacOS devices, and the text from the ClearPass user guide seems to indicate that 802.1x and MacOS is possible.

    A web authentication service would mean having the authenticator (the 802.1x term) do captive portal instead of 802.1x towards the ClearPass?



  • 4.  RE: ClearPass and posture policy

    EMPLOYEE
    Posted Apr 17, 2012 08:01 AM

    @boneyard wrote:

    Thanks zjennings, sorry to hear that. What are the plans for making the OnGuard agent work with 802.1x?

    What are my options for posture with 802.1x then, only the NAP agent I guess? Or is there a way to do something once the client is connected via 802.1x?

    Because I believe the NAP agent doesn't work with MacOS devices, and the text from the ClearPass user guide seems to indicate that 802.1x and MacOS is possible.

    A web authentication service would mean having the authenticator (the 802.1x term) do captive portal instead of 802.1x towards the ClearPass?


    Correct, MacOS does not support the NAP agents. Yes, the authenticator needs to support a web captive portal, if you want to do web auth. There are many switches that support this. Look for information on your switches. It may be called something like Guest Access. What model and brand of switches are you working with?



  • 5.  RE: ClearPass and posture policy

    Posted Apr 17, 2012 09:36 AM

    Juniper EX series switches. According to the documentation they support captive portal*, but only towards a configured RADIUS server for authentication. Is that enough?

    *) http://www.juniper.net/techpubs/en_US/junos11.3/topics/example/authentication-captive-portal.html

     

     



  • 6.  RE: ClearPass and posture policy

    Posted May 23, 2013 12:18 AM
    Has this changed? Does OnGuard support 802.1x (non-webauth)? How does the NAP agent communicate with CPPM?


  • 7.  RE: ClearPass and posture policy

    Posted May 26, 2013 09:09 AM

    I don't believe it has changed. NAP does communicate during the RADIUS authentication I believe, but seeing how it is about the only one doing this, it might be quite difficult to get it working or cause unwanted side effects.

    You could always ask your SE if there is anything coming up in the pipeline.



  • 8.  RE: ClearPass and posture policy

    Posted May 26, 2013 10:51 PM
    Ok thanks. I guess the OnGuard license includes the ability to use NAP also. Any OnGuard users that have macs? What are the options? Complete webauth every couple days?


  • 9.  RE: ClearPass and posture policy

    Posted Jul 22, 2014 06:58 PM

     

    I want to use posture with an 802.1x service, but it's not clear to me how I can get the ClearPass posture agent installed on client devices. I know there's a URL hosted on the CPPM server where the package resides.

    Is there a way to automate the installation of the OnGuard posture client and subsequent health check before hitting the 802.1x service the second time around?

    Here's what I'm thinking:

    Clients associate to an 802.1x SSID, and in the 802.1x enforcement policy clients with an "unknown" token get dumped into a role on the controller and a COA is performed. The role on the controller is associated with a captive portal that points to the package on CPPM "http://cp_server/agent/installer/windows/ClearPassOnGuardInstall.exe"

    Clients would then need to install the package, but I'm not sure how to get the client to reconnect and pass the WEBAUTH service health check and then ultimately, using cached roles and posture, pass a healthy token to the 802.1x service.

    Any help would be greatly appreciated.

     

     



  • 10.  RE: ClearPass and posture policy

    EMPLOYEE
    Posted Jul 22, 2014 07:02 PM
    That's exactly what you would do. The only way to automate the install would be if you have group policy control over the devices and can put out software.


  • 11.  RE: ClearPass and posture policy

    Posted Jul 22, 2014 08:16 PM

    So if I understand correctly,  after the client hits the portal and installs the agent will the client then do the health check against the "Web Health Check" service and then finally another COA  to get back to 802.1x service?



  • 12.  RE: ClearPass and posture policy

    Posted Jul 23, 2014 01:59 AM
    That's correct. You can either use Aruba terminate session or Agent bounce, and at that point the device will go through the 1X service again and be placed in the right role/access based on the return posture received after the health check.


  • 13.  RE: ClearPass and posture policy

    Posted Jul 23, 2014 09:10 AM

    Thanks for your response, Cappalli!



  • 14.  RE: ClearPass and posture policy

    Posted Oct 09, 2014 12:15 PM

    This is a real irritant. It is not in the documentation. I have been using ClearPass for 2 years and am trying to get OnGuard set up and it just won't have any of it. Now I see it's because I am using Aruba 802.1X Wireless as my Type.

     

    This is from having an Aruba Certified Engineer set it up originally.  So now I find out I cannot use the full functionality of this device because he set it up wrong.  WONDERFUL!!!!



  • 15.  RE: ClearPass and posture policy

    EMPLOYEE
    Posted Oct 09, 2014 12:17 PM

    Can you provide a bit more information? What would you like help with?

     

    From what you wrote, I'm assuming you are not currently using OnGuard but would like to set it up or is it already setup and not working correctly?



  • 16.  RE: ClearPass and posture policy

    Posted Oct 09, 2014 12:24 PM

    I would like to turn on Posture Policies.  I followed the documentation, it was simple.  I created 2 policies, one for Student Windows the other for Student Mac BYOD.  When I saved them and went back to Service they were not there. 



  • 17.  RE: ClearPass and posture policy

    EMPLOYEE
    Posted Oct 09, 2014 12:27 PM

    That is only step 1 for setting up posture checks. Do you use an Aruba partner? OnGuard can be complex to set up if you have not used it before.

     

    At a high level:

     

    - You need to create a WEBAUTH service with posture enabled that returns certain actions based on TIPS:Posture results

    - You need to allow cached posture results in your authentication service(s)

    - You need to write enforcement rules that check TIPS:Posture status and return the appropriate role and/or restrictions.
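
An added sketch, not from the thread and not ClearPass code or its API, of the flow posts 9 to 17 describe: the 802.1X service sees only the cached posture, the WEBAUTH health check writes that cache and bounces the session, and a stale result falls back to "unknown". The role names, health attributes and cache lifetime are assumptions.

```python
from dataclasses import dataclass, field

CACHE_TTL = 24 * 3600  # assumed lifetime of a cached posture result, in seconds

# Hypothetical role names; "UNKNOWN"/"HEALTHY" mirror the tokens named in the thread.
ROLE_BY_TOKEN = {
    "HEALTHY": "full-access",
    "QUARANTINE": "remediation",
    "UNKNOWN": "posture-portal",  # captive-portal role that offers the agent
}

@dataclass
class PolicyServer:
    posture_cache: dict = field(default_factory=dict)  # mac -> (token, time stored)

    def cached_token(self, mac, now):
        token, stored = self.posture_cache.get(mac, ("UNKNOWN", now))
        # An expired result must not keep granting access: treat it as unknown.
        return token if now - stored <= CACHE_TTL else "UNKNOWN"

    def dot1x_auth(self, mac, now):
        """802.1X service: the agent does not speak here, so only the cache is used."""
        return ROLE_BY_TOKEN[self.cached_token(mac, now)]

    def webauth_health_check(self, mac, report, now):
        """WEBAUTH service: evaluate the agent's report, cache it, bounce the session."""
        healthy = report.get("firewall_on") and report.get("antivirus_on")
        self.posture_cache[mac] = ("HEALTHY" if healthy else "QUARANTINE", now)
        return "terminate-session"  # client re-authenticates through 802.1X

def walk_through():
    srv, mac = PolicyServer(), "aa:bb:cc:00:00:01"  # constructed sample MAC
    roles = [srv.dot1x_auth(mac, now=0)]                      # first connect, no posture yet
    srv.webauth_health_check(mac, {"firewall_on": True, "antivirus_on": True}, now=60)
    roles.append(srv.dot1x_auth(mac, now=120))                # re-auth after the bounce
    roles.append(srv.dot1x_auth(mac, now=120 + CACHE_TTL))    # cached result has expired
    srv.webauth_health_check(mac, {"firewall_on": False, "antivirus_on": True}, now=200000)
    roles.append(srv.dot1x_auth(mac, now=200060))             # failed check, restricted role
    return roles

if __name__ == "__main__":
    print(walk_through())
```

The third step is the one to watch in a real deployment: if cached posture never expires, a device that passed once keeps its access no matter how its state changes afterwards.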



  • 18.  RE: ClearPass and posture policy

    Posted Oct 23, 2017 10:04 AM

    Hello, I have 2 questions:

    1. A customer has legacy infrastructure that doesn't support the 802.1x protocol and he wants to implement ClearPass in his network to secure the access; what is your offer to him?

    2. Which protocol is used by the ClearPass OnGuard permanent agent to communicate with the policy manager?

    Your help is appreciated!

     



  • 19.  RE: ClearPass and posture policy

    EMPLOYEE
    Posted Oct 23, 2017 10:08 AM

    Please create new threads for new topics in the future.

     

    1) ClearPass supports a wide range of authentication technologies including MAC authentication, web authentication and SNMP-based enforcement (OnConnect)

    2) It's a proprietary protocol that uses TCP port 6658



  • 20.  RE: ClearPass and posture policy

    Posted Oct 24, 2017 02:20 AM

    Okay, thank you for your response!