Occasional Contributor II

Clearpass Onguard Roles Assignment

I am pretty new to ClearPass and this is my 1st time deploying.

What I want to achieve is 802.1X and MAC authentication with OnGuard.

 

802.1X and MAC authentication are working fine now. In my WLC, the guest role is assigned after MAC authentication is passed and the authenticated role is assigned after 802.1X authentication. I have also installed the OnGuard agent on my client and tried to put the client into the guest role when quarantined. The client got into the guest enforcement profile, which is correct, but the role is never changed in the WLC. Attached are some of the screenshots; I would appreciate it if someone could advise what is wrong or missing from my config. Thanks

Re: Clearpass Onguard Roles Assignment

Can you please share the Agent Enforcement Profile config?

 

You might be missing the bounce user, but you can also get the same results using CoA as your Enforcement Profile, so that the device will then return, hit the 802.1X service and get the right access.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: Clearpass Onguard Roles Assignment

Do you have RADIUS CoA enabled on your controller and in ClearPass?

Did you configure your OnGuard web auth service to terminate the session after a successful posture check?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Onguard Roles Assignment

Hey, I am offsite now, will provide more info when I am onsite next Monday. Thanks! =)

Occasional Contributor II

Re: Clearpass Onguard Roles Assignment

Yup, as you can see in the attached a5.png, I have termination. I am not too sure if RADIUS CoA is enabled in CPPM, will double check, but if the default is unchecked, there is a high chance it's not checked. Will verify next Monday, thanks for the reply!

Guru Elite

Re: Clearpass Onguard Roles Assignment

You can verify CoA by choosing a connected client in Access Tracker and using the change status button.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Onguard Roles Assignment

Hey, based on the a2.png, can you conclude anything? Other than enabling RADIUS CoA, which I am not sure has been enabled or not, what could be the other possible reason? I do have other screenshots which I captured previously, not sure if you could conclude anything from there. Thanks

Re: Clearpass Onguard Roles Assignment

Add the ClearPass Controller as the RFC 3576 server and make sure that both keys match.

2014-11-21 10_17_20-ClearPass Policy Manager - Aruba Networks.png

 

Enable it on CPPM

2014-11-21 10_23_16-ClearPass Policy Manager - Aruba Networks.png

 

You need two Services:

1- The OnGuard health service will receive all the OnGuard posture information

2- And the 802.1X service will determine what type of access, either by sending a VLAN or a Role back to the controller

2014-11-21 10_21_36-ClearPass Policy Manager - Aruba Networks.png

2014-11-21 10_23_16-ClearPass Policy Manager - Aruba Networks.png

 

If you are using the persistent agent you can do the following:

2014-11-21 10_17_20-ClearPass Policy Manager - Aruba Networks.png

2014-11-21 10_21_57-ClearPass Policy Manager - Aruba Networks.png

 

 

 

Then 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
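
Added example, not part of the original posts and not Aruba's code: a sketch of why "both keys match" matters for RFC 3576. The sender (ClearPass here) stamps each Disconnect-Request or CoA-Request with an MD5 Request Authenticator computed over the packet and the shared key, and the receiver (the controller) recomputes it with its own copy of the key. The key strings, user name, MAC address and helper names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 3576 packet codes

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """What the sender (ClearPass in this thread) does before transmitting."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the receiver (the controller) does with its own copy of the key."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the thread.
CPPM_KEY = b"example-shared-key"
WLC_KEY_TYPO = b"example-shared-kev"  # one character off
ATTRS = attr(1, b"testuser") + attr(31, b"001122334455")  # User-Name, Calling-Station-Id
PACKET = build_request(DISCONNECT_REQUEST, 7, ATTRS, CPPM_KEY)

if __name__ == "__main__":
    print("keys match:   ", verify_request(PACKET, CPPM_KEY))
    print("keys differ:  ", verify_request(PACKET, WLC_KEY_TYPO))
    tampered = PACKET[:-1] + b"6"  # same length, last MAC digit altered
    print("attr tampered:", verify_request(tampered, CPPM_KEY))
```

A one-character difference in the key fails the same way as a modified attribute, so a mismatch shows up as CoA requests that never take effect rather than as a key-specific error.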
Occasional Contributor II

Re: Clearpass Onguard Roles Assignment

Hey, thanks for the reply.

1) RFC3576 has already been added

2) Yup, I already have 2 services as mentioned by you. Each time I click on the agent to reverify, it shows up in the Access Tracker, just somehow the role won't change.

 

I haven't really configured anything in the WLC for OnGuard; all the configurations such as RFC3576, etc. were configured for 802.1X and MAC address authentication, and both of them are working fine. Is there anything else I need to configure in the WLC? Do I need to put the 'nap ip'? Is there any option to enable CoA in the WLC?

Re: Clearpass Onguard Roles Assignment

So in the controller you have added the RFC3576?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA