Security

Hello everyone

Im trying to configure something really simple

A captive portal, with clearpass with selft registration, with email authorization  with a simple check if the firewall is off to not let him enter the network maybe with a role which dont allow do anything until he turn on the firewall

 

Im trying to configure it with no luck (the selft registration works) the part that doesnt work is the onguard one

Im wondering if you guys can check what i have config and tell me what im missing

 

Here are my services

 

Health Validator is my service to verify the firewall if its on or off

And captive  REY is the service for captive portal

 

 Here is the

 

 

 

 

 

 

 

 

 

Here is the enforment policy im using on that service

 

 

 

 

 

 

Here is the captive portal service, the summery

 

 

 

Any other info you need just ask me, i really dont know too much about onguard so please if someone can guide me what im missing that would be great

 

Thanks

 

Cheers

Carlos

See if you have this in your registration page:

 

What version of clearpass do you have ?

In 6.3/6.4 things changed a little bit in regards to the way the page is presented

 

Hello Victor

Thats what it was missing

 

Okay another question.

that native agent it is a disolvable agent? or the only disolvable agent isthe java one?

 

i dont see that it install anywhere.   What is the native agent?

The client dont want to leave anything installed on end users guest computers.

 

Cheers

Carlos

It just means that it can run without relying upon something like Java, that's the way it used to work for all clients (Windows , Apple ,etc..)

 

Its much smoother now since you don't need to install Java.

 

This is not the case for Linux tho , you still need to install Java for linux which is a pain

in the 6.4 it was changed to run like the GoToMeeting agent would. The agent will just sit there until it is needed. You still have the ability to fall back to the old Java agent but too many people were having issues so the agent was developed.

Arnold

Can you explain me more how does this work?

It something that is installed on the client?

This client will ask me how does this work?

As he is dealing with 3rd party laptops which are not their company laptops he liked the idea of the disolvavle agent which its just there and then dissapear.

Is the disolvavle agent is the java one? or in any way the native agent is a disolvavle one?

 

As a user expirience is a way more easier the native agent.   As the Java one most of the browsers will block it, and the users wont know what to do...

 

Cheeres

Carlos

Think of it like Akamai NetSession or GoToMeeting. The application only runs when initiated from the website whereas the persistent agent runs all the time in the background.

Hello Tim

I do understand that

But if a client did ask you

Tim is there something that will install in the end users computers and wiill remain installed?

What would you asnwer to that?

 

The scenario is simple

I saw this client which is a school in which they had 2 of their tech support registering the computers, laptops of the students, they were using mac authentication and also checking if the computer had or not antivirus 

 

So i told the IT manager that there was  a way to do all that automatically with clearpass,

I did start explaning how all worked, and went i reached to the part of the onguard, he was like wait a min! there is something that will install in the end users computers and wiill remain installed? because that could be an issue, as we dont own those computers, those are personal computers.

I tell him that there were 2 types of agents the persistent agent which is the one that you install and the disolvavle agent which should not remain installed but i needed to verify

 

And thats why im asking this last question 

I want to proper asnwer him

 

Cheers

Carlos

Sorry for the delay getting back to you Carlos. 

 

Like Tim stated its just like any other app that a user has running on their PC. Skype, Weather app, Go to Meeting and many others that users all install in their PC. It only runs when a new scan is needed.

 

The new Onguard agent is installed on the PC and it runs the scan. The user can delete it when it is done and they are granted access, but if they leave it on the PC and next time they connect all they have to do is run the scan. 

 

When the guest connects and has to run the scan it will provide the user with 2 links. One for the new agent or the old java. I would like to tell eveyone there is a perfect answer, but today there are so many different devices out there and many different browsers  that isnt really an a way to scan all devices one way. We are trying to give the users options on scaning their PC and then connecting to the network. 

 

The new agent does not require admin rights since it is olny scaning the device. It does not shut down restricted services, update antivirus, etc like the Persistent agent does. 

 

Attached is some PPT slides that explain a few of the new enhacements. 

I hope this helps. Let me know if you have any other questions.

Troy thanks for the asnwer

What i bealive he is worry is that somehow it will harm the Laptop, and i guess he would prefer not installing anything on a laptop which belongs to the student.

Anyway i bealive this is designed to not do anything as it just scan.

 

Got a last question for you :)

Why is called disolvable agent if it remain installed?:)

 

Cheers

Carlos

Its mainly because it is a one time run for non returning users, but there is still the option to run it in 3 different modes.

 

1. Old Java Pre 6.4

2. New agent

3. User has the choice to run either the old java or new agent.

 

One way you can look at it is that its a browser plugin that only runs when they connect to that page to get a scan done. Otherwise the agent will not do anthing on the PC. 

So its like a plugging? i mean the native agent and also the java one as well right?

 

i did try to see more info about it on a url on the ppt but it seems its something just internal for you guys :(  thats  a great PPT thanks for sharing!

 

Now this bring me another question

What would happen if i got mac caching on for a week.   Will this prompt to scan everytime he reconnect to the school network? or it will not propmt to scan his computer to see if he has or not an antivirus?

I mean the mac catching will prevent this scan to happen? 

 

Cheers

Carlos

Correct on the Mac Cacheing. That is one of the issues with the NON-pesistant agent. :) It will not scan on its own and they will need to be forced to the login page every so often to trigger the scan. 

 

There is always a little give and take. 

 

If you dont want to force the user to the login page to be scaned then the user need to use the persistant agent, but if they dont want an admin rights program to be installed then you would set the cache setting to 24 hours so they would get scaned once a day. 

Thank  Troy!!!! for your patience in asnwering me every question!

Thanks everyone!

 

Let see i can put it in words that he does not dislike the idea of having the disolvable agent installed on students computer, but well i need to find the correct words to explain it :) 

 

Cheers

Carlos

Hey Troy!

 

Question for you; when you said:

 

"The new agent does not require admin rights since it is olny scaning the device. It does not shut down restricted services, update antivirus, etc like the Persistent agent does."

 

Does this apply to the Native Dissolvable Agent App that is in 6.5 as well?  Also, what is the expected behavior when running this file?