Clearpass Onguard Roles Assignment
11-21-2014 06:43 AM
I am pretty new to ClearPass and this is my 1st time deploying.
What I want to achieve is 802.1x and MAC authentication with OnGuard.
802.1x and MAC authentication is working fine now. In my WLC, guest role is assigned when MAC authentication is passed and authenticated role is assigned after 802.1x authentication. I have also installed the OnGuard agent on my client and tried to put the client into guest role when quarantined. The client got into the guest enforcement profile which is correct, but the role is never changed in WLC. Attached are some of the screenshots; I would appreciate it if someone could advise what is wrong or missing from my config. Thanks
Re: Clearpass Onguard Roles Assignment
11-21-2014 06:50 AM
Can you please share the Agent Enforcement Profile Config?
You might be missing the bounce user, but you can also have the same results using the CoA as your Enforcement Profiles, so then the device will return and hit the 802.1X service and get the right access.
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: Clearpass Onguard Roles Assignment
11-21-2014 06:52 AM
Did you configure your OnGuard web auth service to terminate the session after a successful posture check?
Re: Clearpass Onguard Roles Assignment
11-21-2014 06:59 AM
Hey, I am offsite now, will provide more info when I am onsite next Monday. Thanks! =)
Re: Clearpass Onguard Roles Assignment
11-21-2014 07:01 AM
Yup, as you can see in the attached a5.png, I have termination. I am not too sure if Radius CoA is enabled in CPPM, will double check, but if default is unchecked, high chance it's not checked. Will verify next Monday, thanks for the reply!
Re: Clearpass Onguard Roles Assignment
11-21-2014 07:03 AM
Re: Clearpass Onguard Roles Assignment
11-21-2014 07:14 AM
Hey, based on the a2.png, can you conclude anything? Other than enabling Radius CoA, which I am not sure has been enabled or not, what could be the other possible reason? I do have other screenshots which I captured previously, not sure if you could conclude anything from there. Thanks
Re: Clearpass Onguard Roles Assignment
11-21-2014 07:29 AM
Add the ClearPass Controller as the RFC 3576 server and make sure that both keys match.
Enable it on CPPM.
You need two Services:
1- The OnGuard health will receive all the OnGuard Posture Information
2- And the 802.1X will determine what type of access, either by sending a VLAN or a Role back to the controller
If you are using the persistent agent you can do the following:
Then
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: Clearpass Onguard Roles Assignment
11-21-2014 07:39 AM
Hey, thanks for the reply.
1) RFC3576 has already been added
2) Yup, I already have 2 services as mentioned by you. Each time I click on the agent to reverify, it shows up in the access tracker, just somehow the role won't change.
I haven't really configured anything in the WLC for OnGuard; all the configurations such as RFC3576, etc. were configured for 802.1x and MAC address authentication, and both of them are working fine. Is there anything else I need to configure in the WLC? Do I need to put the 'nap ip'? Is there any option to enable CoA in WLC?
Re: Clearpass Onguard Roles Assignment
11-21-2014 07:44 AM
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA