Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onguard Roles Assignment

  • 1.  Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 09:44 AM

    I am pretty new to ClearPass and this is my first time deploying it.

    What I want to achieve is 802.1X and MAC authentication with OnGuard.

    802.1X and MAC authentication are working fine now. In my WLC, the guest role is assigned once MAC authentication passes, and the authenticated role is assigned after 802.1X authentication. I have also installed the OnGuard agent on my client and tried to put the client into the guest role when quarantined. The client got into the guest enforcement profile, which is correct, but the role is never changed in the WLC. Attached are some of the screenshots; would appreciate it if someone could advise what is wrong or missing from my config? Thanks



  • 2.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 09:51 AM

    Can you please share the Agent Enforcement Profile config?

    You might be missing the bounce user, but you can also get the same result using CoA as your Enforcement Profile, so the device will return, hit the 802.1X service and get the right access.



  • 3.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:00 AM

    Hey, I am offsite now, will provide more info when I am onsite next Monday. Thanks! =)



  • 4.  RE: Clearpass Onguard Roles Assignment

    EMPLOYEE
    Posted Nov 21, 2014 09:52 AM
    Do you have RADIUS CoA enabled on your controller and in ClearPass?

    Did you configure your OnGuard web auth service to terminate the session after a successful posture check?


  • 5.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:02 AM

    Yup, as you can see in the attached a5.png, I have termination. I am not too sure if RADIUS CoA is enabled in CPPM, will double check, but if the default is unchecked, there is a high chance it's not checked. Will verify next Monday, thanks for the reply!



  • 6.  RE: Clearpass Onguard Roles Assignment

    EMPLOYEE
    Posted Nov 21, 2014 10:03 AM
    You can verify CoA by choosing a connected client in Access Tracker and using the change status button.


  • 7.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:14 AM

    Hey, based on a2.png, can you conclude anything? Other than enabling RADIUS CoA, which I am not sure has been enabled or not, what could be the other possible reason? I do have other screenshots which I captured previously, not sure if you could conclude anything from there. Thanks



  • 8.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:30 AM

    Add the ClearPass Controller as the RFC 3576 server and make sure that both keys match.

     

    Enable it on CPPM


     

    You need two Services:

    1- The OnGuard health service will receive all the OnGuard posture information

    2- And the 802.1X service will determine what type of access, either by sending a VLAN or a Role back to the controller

     

    If you are using the persistent agent you can do the following:

     

     

     

    Then 



  • 9.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:39 AM

    Hey, thanks for the reply.

    1) RFC 3576 has already been added

    2) Yup, I already have the 2 services you mentioned. Each time I click on the agent to re-verify, it shows up in the Access Tracker, just somehow the role won't change.

    I haven't really configured anything in the WLC for OnGuard; all the configurations such as RFC 3576, etc. were configured for 802.1X and MAC address authentication, and both of them are working fine. Is there anything else I need to configure in the WLC? Do I need to put the 'NAP IP'? Is there any option to enable CoA in the WLC?



  • 10.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:44 AM
    So in the controller you have added the RFC 3576 server?


  • 11.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 10:51 AM

    Yup, I did.



  • 12.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 11:02 AM
    Make sure that the key in the RFC 3576 server matches what you have in your CPPM.


  • 13.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 11:17 AM
    As I mentioned in one of the screenshots, you can enable Bounce User instead and then apply the role when the device comes back to do the 802.1X service.


  • 14.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 11:29 AM

    Sure, I will try the bounce user, but I think the issue is CoA. I hope I didn't enable CoA and that's why it causes the problem of the role not being able to be assigned. Unfortunately I can only check on Monday. I am pretty sure the RFC 3576 password matches.

    Aside from this, because I am using MAC address authentication as well as 802.1X: in my AAA profile, is it OK for me to assign the 'guest' role for MAC auth and the 'authenticated' role for 802.1X when OnGuard is being implemented?

    Actually I am a little unsure of the flow. Please correct me if I am wrong:

    1) Connect to the SSID; upon passing MAC authentication, assigned the guest role

    2) Key in credentials for 802.1X, and the ClearPass agent will automatically run, check the health status and assign the enforcement profile.

    3) If there is no agent installed, it will be assigned the default 802.1X role defined in the WLC

    I am a bit confused about how the agent works, as in right after I enter my credentials, what exactly happens? What will trigger the ClearPass agent to run?

    Sorry, I am really new to ClearPass posturing. Hope you guys can explain and bear with me.



  • 15.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 11:41 AM
    I am a little bit confused about the MAC authentication piece, not quite sure what you are trying to accomplish there.

    If you installed the Agent ahead of time using Group Policy then the flow should be like this:
    - Device connects to the 802.1X SSID
    - It will depend on the system (Memory/CPU, etc.) and the number of posture plugins you are checking how long the Agent is going to take to report back.
    - In your 802.1X policy you could have a rule that redirects the user to a portal if the posture is UNKNOWN, indicating that it needs to wait while the Agent returns the health information
    - Once the Agent provides that health information (either Healthy or Unhealthy) you can bounce the agent.
    - The wireless card will try to reauth and it should hit the 802.1X service again, where it should be placed in the right role based on the posture (Healthy or Unhealthy)


  • 16.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 12:01 PM

    When you say redirect the user to a portal, are you referring to the remedy website or otherwise? Do you have a sample of the redirect? And when you said bounce, you meant to 'kick' the client and the client will need to reauthenticate 802.1X, right? Is the bounce really necessary? In the agent I can see a 'retry' button.

    And what happens if, let's say, the client posture is healthy. For example, the client needs to turn on the Windows firewall to pass the check. The agent checks and it passes. Then the user closes the agent and turns off the firewall. Is there a way to disallow this kind of scenario?

    I also notice I have created 2 sets of 'identical' enforcement profiles, 1 set for 802.1X and the other set for web auth. 1 set is 'radius' and the other set is 'radius coa', because I could only use 'radius_coa' for the web auth service. Generally my profiles just return a role. Should that be the way?

    But I guess my problem now is being unable to assign the role back to the WLC with the right enforcement policy.

    Please see attached. Thanks

     



  • 17.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 21, 2014 12:48 PM

    When you say redirect the user to a portal, are you referring to the remedy website or otherwise?

    The remedy website could be used once you have the posture information, so if it's QUARANTINE then you could send the user to a remedy website.

     

    do you have a sample of the redirect?

    The redirect I was talking about is just a simple informational Web Login Page (Aruba user-role using a Captive Portal Profile Pointing to that Web Login)

     

    And when you said bounce, you meant to 'kick' the client and the client will need to reauthenticate 802.1X, right?

    That's correct.

     

    Is the bounce really necessary? In the agent I can see a 'retry' button.

    The bounce is similar to the CoA.

     

    And what happens if, let's say, the client posture is healthy. For example, the client needs to turn on the Windows firewall to pass the check. The agent checks and it passes. Then the user closes the agent and turns off the firewall. Is there a way to disallow this kind of scenario?

    Even when you exit out or log out, the Agent will be running in the background; it will detect that within 5 minutes and it will force the client to do a reauth.

    https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/Exiting-Onguard-Agent-on-Client-does-not-change-Role-as-Unhealthy

    If the user disables the firewall, the agent should be able to detect that within a certain amount of time; please see this list:

    https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/OnGuard-Check-Interval

    You could also set a session timeout on the agent enforcement profile to force the agent to report back every certain amount of time.

     

    I also notice I have created 2 sets of 'identical' enforcement profiles, 1 set for 802.1X and the other set for web auth. 1 set is 'radius' and the other set is 'radius coa', because I could only use 'radius_coa' for the web auth service. Generally my profiles just return a role. Should that be the way?

    You should use an agent enforcement profile in the web auth policy,

    and use a RADIUS enforcement profile in the .1X policy.

    But I guess my problem now is being unable to assign the role back to the WLC with the right enforcement policy.



  • 18.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 12:15 AM

    Hi, I checked and CoA is enabled on ClearPass. I tried to do 'change status' and I got the following message. What could have gone wrong?



  • 19.  RE: Clearpass Onguard Roles Assignment

    EMPLOYEE
    Posted Nov 24, 2014 12:20 AM
    Is accounting enabled?


  • 20.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 01:36 AM

    Yup, it has been enabled. Please see attached. Thanks.



  • 21.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 10:06 AM

    Hello guys, any more solutions? Thanks



  • 22.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 10:21 AM

    Rayoflight,

     

    You need to make some changes to your flow and I think that's why you are running into issues.

     

    Also, what ClearPass and Controller code are you running?

     

    Use the flow I suggested before.

    On the agent enforcement profile you can use the bounce agent, and then add most of the logic to return the role in your 802.1X service; there you don't need to use the CoA.

     

     



  • 23.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 10:36 AM

    In my 802.1X service, I have an enforcement policy with 3 profiles, as attached. The agent will just check for 'open notepad'. I tried with my notepad opened and indeed it was placed under the guest profile, but the 'role was never returned'; I still get the default 802.1X role specified in the WLC, which is authenticated.

    One thing to confirm: the RFC 3746 IP address is the data port IP address instead of the mgmt port IP address, right? Anyway, I tried putting the mgmt port IP address but still no luck.



  • 24.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 10:56 AM
    If you have data and mgmt then you should use the data, unless you have some routing in place on your CPPM server to redirect the traffic in some other fashion.

    Can you please share the config for your guest enforcement profile?

    It should be an Aruba enforcement profile using the Aruba-User-Role attribute; make sure that the user-role exists in your controller.

    Can you also show me the Access Tracker info once the device authenticates?
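Two points in this thread, the RFC 3576 shared key having to match on both sides and the role coming back in an Aruba-User-Role attribute, can be seen in the wire format. The block below is an added illustration, not code from the thread or from ClearPass: it builds a RADIUS CoA-Request carrying Aruba-User-Role (Aruba's IANA vendor ID 14823, vendor attribute type 1), signs it with the RFC 5176 Request Authenticator, and shows that a receiver using a different key rejects it silently, which is what a key mismatch between the controller's RFC 3576 server entry and CPPM looks like. The user name, role and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823   # IANA enterprise number for Aruba
ARUBA_USER_ROLE = 1       # Aruba-User-Role vendor attribute type
COA_REQUEST = 43          # RADIUS packet code for CoA-Request (RFC 5176)

def attr(code, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865)."""
    return struct.pack("!BB", code, 2 + len(value)) + value

def aruba_user_role(role):
    """Wrap Aruba-User-Role in a Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(role)) + role.encode()
    return attr(26, struct.pack("!I", ARUBA_VENDOR_ID) + inner)

def build_coa_request(identifier, secret, username, role):
    """CoA-Request whose authenticator is MD5 over the packet with a zeroed
    authenticator field, followed by the shared secret (RFC 5176 sec. 2.3)."""
    attrs = attr(1, username.encode()) + aruba_user_role(role)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return header + authenticator + attrs

def verify_coa_request(packet, secret):
    """What the NAS does before acting: recompute with its own key and compare.
    A mismatch means the request is dropped, not NAKed, so nothing changes."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return hmac.compare_digest(expected, authenticator)

def parse_aruba_user_role(packet):
    """Walk the attribute list and return the Aruba-User-Role value, if any."""
    i = 20
    while i + 2 <= len(packet):
        typ, length = packet[i], packet[i + 1]
        if length < 2:
            return None  # malformed attribute; stop rather than loop forever
        value = packet[i + 2:i + length]
        if typ == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == ARUBA_USER_ROLE:
                return value[6:4 + vlen].decode()
        i += length
    return None

if __name__ == "__main__":
    pkt = build_coa_request(7, "constructed-secret", "alice", "quarantine")
    print(verify_coa_request(pkt, "constructed-secret"), verify_coa_request(pkt, "wrong-key"))
```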


  • 25.  RE: Clearpass Onguard Roles Assignment

    Posted Nov 24, 2014 02:37 PM

    Can you post the access tracker output for the successful authentication?