Occasional Contributor II
Posts: 25
Registered: ‎06-23-2011

Clearpass Onguard dissolvable Agent Health Check Issue

Dear Team,

Task required to be done = 802.1x authentication and assigning the correct VLAN after posture with the OnGuard dissolvable agent.

My case is: whenever the user joins the "802.1 X" SSID, it should be redirected to the ClearPass portal page. The user will open the browser and be redirected to the portal page. On the portal page, the health check of the client will be done using the dissolvable agent.

I have created three services on the CP as follows.

1- 802.1x Service for Auth (Authentication is working fine)

2- Web-Health (to get the posture health of the client and return the healthy / unhealthy status)

3- Web-Auth (after the health check, the user should again authenticate with its respective correct VLAN according to the health status.)

My problem is: when the user downloads the Java and gives the correct health check as per the configured policy, it will again redirect to the portal page rather than redirect to the internet. I have seen all the logs in Access Tracker and each and every output seemed to be OK.

From the controller side I am using layer 2 authentication, and also in layer 3 I enabled the authentication and put the portal page to redirect the client.

Can anyone help? I am stuck in the looping of the redirection page even though my posture is correct and the returned VLAN is also correct.

Regards,

Ali

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Clearpass Onguard dissolvable Agent Health Check Issue

What version of CPPM are you using?

Can you share your web portal health check config?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,444
Registered: ‎09-08-2010

Re: Clearpass Onguard dissolvable Agent Health Check Issue

Do you have a CoA in your WebAuth for "HEALTHY(0)"?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 25
Registered: ‎06-23-2011

Re: Clearpass Onguard dissolvable Agent Health Check Issue

Dear,

Yes, I tried with CoA in WebAuth for healthy and I can see clearly that the user initiates the authentication again after the health check.

I just followed this document as a reference.

https://afp.arubanetworks.com/afp/index.php/ClearPass_6.3_OnGuard_Dissolvable_Agent_Workflow_and_Configuration

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Clearpass Onguard dissolvable Agent Health Check Issue

Can you please share the config on your Web Login Page?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 25
Registered: ‎06-23-2011

Re: Clearpass Onguard dissolvable Agent Health Check Issue

I just followed the reference link to configure the web login page, same to same.


https://afp.arubanetworks.com/afp/index.php/ClearPass_6.3_OnGuard_Dissolvable_Agent_Workflow_and_Con...

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Clearpass Onguard dissolvable Agent Health Check Issue

Try using the Bounce User option under the Agent enforcement profile.

Did you add the CPPM as RFC 3576 in your controller?

2014-06-02 12_02_49-Switch General Configuration.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,444
Registered: ‎09-08-2010

Re: Clearpass Onguard dissolvable Agent Health Check Issue

Can you turn up a user-debug and show the output after the user gets bounced?

Also, in Access Tracker in ClearPass, is the correct role being returned?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 25
Registered: ‎06-23-2011

Re: Clearpass Onguard dissolvable Agent Health Check Issue

Actually, I am using a Cisco controller and return the data VLAN if the user is healthy; otherwise the user will be in the quarantine VLAN.

In Access Tracker I can see that once the user joins 802.1x it is in the quarantine VLAN because CP didn't have the current health status.

Then the user opens a browser and is redirected to the page where the health check starts, and after that the user will get the actual correct VLAN.

Then it again comes to the same page rather than going to the internet.

Why do we need this RFC in the controller, and where can I put it in Cisco?
