Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onguard - Different Posture Checks for different domain groups

  • 1.  Clearpass Onguard - Different Posture Checks for different domain groups

    Posted Mar 22, 2018 06:15 AM

    I have a scenario where there are two sets of users, staff and students. The end devices used by the staff are company provided, while the students use their own devices. There are two groups in AD for these two sets of users.


    Is it possible to have two different WebAuth Service for posture checking wherein:


    1. The first WebAuth Service will be for the Staff, where the posture check will pass only if the devices have the Antivirus software and Patch Management software provided by the company and these are up to date.


    2. The second WebAuth Service will be for the Students, where the posture check will pass if the end device has any Antivirus software and any Patch Management software and these are up to date.


    I am unable to find any condition in the Service Rule for WebAuth that lets me match the Service Rule based on the Domain Group.


    Is there a workaround to configure two different posture checks for these two sets of users?



  • 2.  RE: Clearpass Onguard - Different Posture Checks for different domain groups

    Posted Mar 22, 2018 06:31 AM

    Perhaps you could assign the users a different role based on the domain group and then use the role (previously assigned) in the enforcement policy/profile.


    HTH

    Kevin



  • 3.  RE: Clearpass Onguard - Different Posture Checks for different domain groups
    Best Answer

    EMPLOYEE
    Posted Mar 22, 2018 07:08 AM

    I can suggest the following Options.

    Option 1 - If you want to use two different WebAuth services for staff and students.

    Update an endpoint attribute during Layer 2 authentication for staff devices and use that attribute in the service rule.


    For example:

    Update an endpoint attribute like Staff_Device = true during the user authentication.

    And use that attribute in the service rule for WebAuth:

    1. Host:CheckType  MATCHES_ALL  Health
    2. Endpoint:Staff_Device  EQUALS  true

    Option 2 - If you decide to use a single Web Auth service.

    Update the endpoint attribute as discussed above and use two different posture policies under a single WebAuth service. Keep the staff policy in the top position and map the student policy below the staff policy. This way the student devices will fail over to the second policy and be evaluated for the health check.

    You will have a challenge when a staff device is not compliant with the staff policy and falls through to the one for students. But this can be addressed with a few additional conditions in the enforcement policy, like below.

    (Tips:Posture  EQUALS  HEALTHY (0))
    AND  (Posture:Applied Policy  EQUALS  Staff_Policy)
    AND  (Endpoint:Staff_Device  EQUALS  true)
    Healthy Agent Bounce

    The above options are well suited for the WebAuth service with "Health Check Only".

    If you have Authentication + Health Checks enabled for OnGuard agent, then you can skip the endpoint update and just perform the checks for user group from AD and Applied policy.

    Like:

    (Tips:Posture  EQUALS  HEALTHY (0)) 
    AND  (Posture:Applied Policy  EQUALS  Staff_Policy) 
    AND  (Authorization:AD Groups  EQUALS  Staff)
    Healthy Agent Bounce
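To make the fail-over behaviour in Option 2 concrete, here is a small Python model of that flow. It is an added illustration, not ClearPass code: it walks two posture policies top-down, records which one was applied, and then applies the enforcement conditions from the answer above. The policy names Staff_Policy and Student_Policy, the Staff_Device endpoint attribute and the "Healthy Agent Bounce" profile come from the post; the mirrored student rule, the "Quarantine" default profile, the product names and the handling of the all-policies-fail case are assumptions made for the model.

```python
"""Simplified model of the single-WebAuth-service flow (Option 2) from the
answer above. Added example, not ClearPass code; see the lead-in for which
names are taken from the post and which are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

HEALTHY = "HEALTHY (0)"
UNHEALTHY = "UNHEALTHY"  # constructed label for a failed health check


@dataclass
class Device:
    endpoint: Dict[str, str]   # endpoint attributes, e.g. {"Staff_Device": "true"}
    antivirus: str
    av_up_to_date: bool
    patch_mgmt: str
    patches_up_to_date: bool


@dataclass
class PosturePolicy:
    name: str
    allowed_av: Optional[Set[str]]      # None means any product is accepted
    allowed_patch: Optional[Set[str]]   # None means any product is accepted


def check_policy(policy: PosturePolicy, dev: Device) -> str:
    """One posture policy: product must be on the allowed list (if there is one)
    and must be up to date."""
    av_ok = (policy.allowed_av is None or dev.antivirus in policy.allowed_av) \
        and dev.av_up_to_date
    patch_ok = (policy.allowed_patch is None or dev.patch_mgmt in policy.allowed_patch) \
        and dev.patches_up_to_date
    return HEALTHY if av_ok and patch_ok else UNHEALTHY


def evaluate_posture(policies: List[PosturePolicy], dev: Device) -> Tuple[str, str]:
    """Walk the policies top-down; the first HEALTHY result wins (the fail-over
    described in the post). Assumption: when every policy fails, the last one
    is reported as the applied policy."""
    for policy in policies:
        if check_policy(policy, dev) == HEALTHY:
            return HEALTHY, policy.name
    return UNHEALTHY, policies[-1].name


def enforce(posture: str, applied_policy: str, endpoint: Dict[str, str]) -> str:
    """Enforcement conditions from the post, plus a mirrored rule for students
    and a Quarantine default (both assumptions)."""
    is_staff = endpoint.get("Staff_Device") == "true"
    if posture == HEALTHY and applied_policy == "Staff_Policy" and is_staff:
        return "Healthy Agent Bounce"
    if posture == HEALTHY and applied_policy == "Student_Policy" and not is_staff:
        return "Healthy Agent Bounce"
    return "Quarantine"


# Staff policy on top, student policy below it, as the answer recommends.
# Product names are constructed placeholders.
POLICIES = [
    PosturePolicy("Staff_Policy", {"CorpAV"}, {"CorpPatch"}),
    PosturePolicy("Student_Policy", None, None),
]


def decide(dev: Device) -> Tuple[str, str, str]:
    """Return (posture token, applied policy, enforcement profile) for a device."""
    posture, applied = evaluate_posture(POLICIES, dev)
    return posture, applied, enforce(posture, applied, dev.endpoint)


if __name__ == "__main__":
    samples = {
        "staff, company products, current": Device({"Staff_Device": "true"}, "CorpAV", True, "CorpPatch", True),
        "staff, third-party products":       Device({"Staff_Device": "true"}, "OtherAV", True, "OtherPatch", True),
        "student, any products, current":    Device({}, "OtherAV", True, "OtherPatch", True),
        "student, antivirus out of date":    Device({}, "OtherAV", False, "OtherPatch", True),
    }
    for label, dev in samples.items():
        print(f"{label:36s} -> {decide(dev)}")
```

The second sample is the case the post warns about: a staff device with non-company products fails Staff_Policy, falls through to Student_Policy and comes back HEALTHY, but because the applied policy is not Staff_Policy the extra condition keeps it out of the "Healthy Agent Bounce" profile.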