
ClearPass and posture policy

i have been looking at the posture policies and especially the OnGuard agent (persistent and dissolvable) and it looks quite interesting. creating a posture policy seems reasonably straightforward.

 

but when i configure it and try to apply it to a service it doesn't show up, did i do something wrong or?

 

the documentation says it should be possible in my opinion.

 

Note that ClearPass OnGuard Agent - both persistent and dissolvable forms of it - can be used in the following scenarios:
• An environment that does not support 802.1X based authentication (legacy Windows Operating Systems, or legacy devices in the network)
• An OS that supports 802.1X natively, but does not have a built-in health agent. For example, Mac OS X.

 

Aruba Employee

Re: ClearPass and posture policy

Currently the OnGuard agent cannot be used with 802.1x. It can only be used with a web auth service. Try creating a Web-based Authentication service.

Thanks,

Zach Jennings

Re: ClearPass and posture policy

thanks zjennings, sorry to hear that, what are the plans for making the onguard agent work with 802.1x?

 

what are my options for posture with 802.1x then, only the NAP agent i guess? or is there a way to do something once the client is connected via 802.1x?

 

because i believe the NAP agent doesn't work with MacOS devices, and the text from the clearpass userguide seems to indicate that 802.1x and MacOS is possible.

 

a web authentication service would mean having the authenticator (the 802.1x term) do captive portal instead of 802.1x towards the ClearPass?

Aruba Employee

Re: ClearPass and posture policy


boneyard wrote:

thanks zjennings, sorry to hear that, what are the plans for making the onguard agent work with 802.1x?

 

what are my options for posture with 802.1x then, only the NAP agent i guess? or is there a way to do something once the client is connected via 802.1x?

 

because i believe the NAP agent doesn't work with MacOS devices, and the text from the clearpass userguide seems to indicate that 802.1x and MacOS is possible.

 

a web authentication service would mean having the authenticator (the 802.1x term) do captive portal instead of 802.1x towards the ClearPass?


Correct, MacOS does not support the NAP agents. Yes, the authenticator needs to support a web captive portal, if you want to do web auth. There are many switches that support this. Look for information on your switches. It may be called something like Guest Access. What model and brand of switches are you working with?

Thanks,

Zach Jennings

Re: ClearPass and posture policy

Juniper EX series switches. according to the documentation they support captive portal*, but only towards a configured radius server for authentication, is that enough?

 

*) http://www.juniper.net/techpubs/en_US/junos11.3/topics/example/authentication-captive-portal.html

 

 

Frequent Contributor II

Re: ClearPass and posture policy

Has this changed? Does on-guard support 802.1x (non-webauth)? How does nap agent communicate with CPPM?

Re: ClearPass and posture policy

i don't believe it has changed. NAP does communicate during the radius authentication i believe, but seeing how it is about the only one doing this it might be quite difficult to get it working or cause unwanted side effects.

 

could always ask your SE if there is anything coming up in the pipeline.

Frequent Contributor II

Re: ClearPass and posture policy

Ok thanks. I guess the OnGuard license includes the ability to use NAP also. Any OnGuard users that have macs? What are the options? Complete webauth every couple days?

Occasional Contributor I

Re: ClearPass and posture policy

 

I want to use posture with an 802.1x service but it's not clear to me how I can get the ClearPass posture agent installed on client devices? I know there's a URL hosted on the CPPM server where the package resides.

 

Is there a way to automate the installation of the OnGuard posture client and subsequent health check before hitting 802.1x service the second time around?

 

Here's what I'm thinking:

 

Clients associate to an 802.1x ssid and in the 802.1x enforcement policy clients with an "unknown" token get dumped into a role on the controller and a COA is performed. The role on the controller is associated to a Captive Portal that points to the package on CPPM "http://cp_server/agent/installer/windows/ClearPassOnGuardInstall.exe"

 

Clients would then need to install the package, but I'm not sure how to get the client to reconnect and pass WEBAUTH service health check and then ultimately using cached roles and posture pass a healthy token to the 802.1x service.

Any help would be greatly appreciated.


Guru Elite

Re: ClearPass and posture policy

That's exactly what you would do. The only way to automate the install would be if you have group policy control over the devices and can put out software.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
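
The flow discussed in the last two posts, modeled as an added example (it is not part of the thread and is not ClearPass code or configuration): the 802.1X service only reads a cached posture token, the WebAuth service is the only place the agent's health report is written, and a token change triggers a CoA so the client re-authenticates. The role names, the cache lifetime, the `QUARANTINE` token value and every class and function name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical names: role labels and the cache lifetime are illustrative,
# not ClearPass defaults.
ROLE_QUARANTINE = "onguard-install-portal"   # captive-portal role on the controller
ROLE_FULL = "employee"
POSTURE_TTL = 2 * 24 * 3600                  # constructed value: two days, in seconds

@dataclass
class PolicyModel:
    posture_cache: dict = field(default_factory=dict)  # MAC -> (token, time of check)
    coa_log: list = field(default_factory=list)        # (MAC, old token, new token)

    def cached_token(self, mac, now):
        """Return the cached token, or UNKNOWN when absent or older than the TTL."""
        token, seen = self.posture_cache.get(mac, ("UNKNOWN", 0))
        return token if now - seen <= POSTURE_TTL else "UNKNOWN"

    def dot1x_auth(self, mac, credentials_ok, now):
        """802.1X service: checks identity; posture comes only from the cache."""
        if not credentials_ok:
            return "REJECT"
        healthy = self.cached_token(mac, now) == "HEALTHY"
        return ROLE_FULL if healthy else ROLE_QUARANTINE

    def webauth_health_check(self, mac, token, now):
        """WebAuth service: agent reports health; a changed token triggers a CoA."""
        previous = self.cached_token(mac, now)
        self.posture_cache[mac] = (token, now)
        if token != previous:
            self.coa_log.append((mac, previous, token))  # client must re-authenticate
            return True
        return False

def walk_through():
    """Constructed client lifecycle; returns the role at each 802.1X authentication."""
    m, mac, t = PolicyModel(), "02:00:00:aa:bb:01", 1000
    roles = [m.dot1x_auth(mac, True, t)]              # first connect, no agent yet
    m.webauth_health_check(mac, "HEALTHY", t + 300)   # agent installed, reports in
    roles.append(m.dot1x_auth(mac, True, t + 301))    # re-auth after the CoA
    roles.append(m.dot1x_auth(mac, True, t + 300 + POSTURE_TTL + 1))  # cache expired
    m.webauth_health_check(mac, "QUARANTINE", t + 400000)  # agent reports a failure
    roles.append(m.dot1x_auth(mac, True, t + 400001))
    return roles, m.coa_log
```

The third authentication in `walk_through` shows why the cache lifetime matters: once the cached token ages out, a client with valid 802.1X credentials falls back to the portal role until the agent reports in again.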