Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onguard implementation and documentation

  • 1.  Clearpass Onguard implementation and documentation

    Posted Nov 11, 2013 02:13 AM

    Guys,

    We have been implementing the ClearPass OnGuard feature now. We are going to use the 'OnGuard agent' (not the NAP agent).

    We have already created OnGuard policies for Windows (as in the attached doc), but we are not sure how to integrate/use this policy in our 'Aruba 802.1X wireless service', as it only has the option 'Only NAP agent type posture policies are applicable for this service'.

    What's the right way to use OnGuard with an Aruba WLC? Could you please help with screenshots of services and policies if possible?




  • 2.  RE: Clearpass Onguard implementation and documentation

    EMPLOYEE
    Posted Nov 11, 2013 10:11 AM

    Yes!  I can help.  Using the persistent agent (PA), you need to create a WebAuth service.  There should be one in the service templates. The PA sends its health and it is checked against the WebAuth service configured.  This derives the posture token (healthy, unhealthy, etc.).  That token is then keyed off of in the 802.1X service.  In the enforcement policy, you MUST select "Use cached roles and posture...". This tells the 802.1X service to look at context information (the posture token) from other services when making enforcement policy decisions.

    If I already have an 802.1X service, do I simply add posture checking to it, or do I create a WebAuth service in addition to the 802.1X service?

      • With 802.1X you can use the Windows native agent for basic health checking. There is no need for an extra service. But if you want to do more specific, detailed health checks, you should use the OnGuard agent. For the OnGuard agent to work you should add a WebAuth service, as OnGuard communicates with CPPM using the HTTP protocol. In that WebAuth enforcement you can have either a 'Session Timeout' or a 'Client Bounce', so that after this the 802.1X service is hit again and the appropriate enforcement will occur.

    Sample workflow:

    a) The client authenticates using 802.1X authentication. CPPM processes the authentication request and assigns the Quarantine VLAN because client health info is not available.

    b) After the client gets an IP address, the OnGuard agent sends client health info to CPPM. CPPM processes the health, caches the client health status and triggers another 802.1X/MAC authentication by sending a RADIUS Disconnect to the NAD.

    c) CPPM processes the 2nd authentication request from the client and assigns the proper VLAN based on the cached client health status.



  • 3.  RE: Clearpass Onguard implementation and documentation

    Posted Nov 11, 2013 11:09 AM

    Hello Seth,

    That's awesome! You just gave us a picture of what's going on in OnGuard now. Thank you!!!

    By the way, from your persistent agents (PA), am I right to say that we have to permanently install this software on all PCs? Is there any way to automatically install it on all PCs without users' actions?

    How about choosing dissolvable agents? Which is recommended by Aruba?

    Thanks,

    Bharani..



  • 4.  RE: Clearpass Onguard implementation and documentation

    EMPLOYEE
    Posted Nov 11, 2013 11:58 AM
    Persistent agents are the recommended option here...


  • 5.  RE: Clearpass Onguard implementation and documentation

    Posted Nov 13, 2013 09:04 AM

    Hi Seth,

    We have around 1000 computers in our place. What's the recommended way to install this persistent agent on all PCs?

    Is there any automatic way to do it with less user involvement?

    Regards,

    Bharani..



  • 6.  RE: Clearpass Onguard implementation and documentation
    Best Answer

    EMPLOYEE
    Posted Nov 13, 2013 09:09 AM
    Yes. Through group policy with Windows

    Sent from my iPhone


  • 7.  RE: Clearpass Onguard implementation and documentation
    Best Answer

    EMPLOYEE
    Posted Nov 13, 2013 09:39 AM

    I also wanted to add that you can use policy in the service to detect that a user doesn't have the OnGuard agent.  For example, if Posture == UNKNOWN, then we can redirect that user to a web page with a URL to download the agent.  This should take care of the non-GPO clients (OS X) on the network.
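The two-service flow described in reply 2 (802.1X keyed off a cached posture token, WebAuth caching agent health and bouncing the client) and the Posture == UNKNOWN rule from this reply, modelled as an added Python example; this is not ClearPass code, and the role names, MAC addresses and the firewall/AV health requirement are constructed for the illustration.

```python
from dataclasses import dataclass, field

HEALTHY, UNHEALTHY, UNKNOWN = "HEALTHY", "UNHEALTHY", "UNKNOWN"


@dataclass
class CPPM:
    """Minimal model of the two ClearPass services from the thread (constructed)."""
    use_cached_posture: bool = True                        # "Use cached roles and posture..." checkbox
    posture_cache: dict = field(default_factory=dict)      # posture token per client MAC
    coa_sent: list = field(default_factory=list)           # RADIUS Disconnects issued to the NAD
    min_av_version: tuple = (2, 0)                         # constructed health requirement

    def dot1x_service(self, mac: str) -> str:
        """802.1X enforcement: map the cached posture token to a role/VLAN."""
        token = self.posture_cache.get(mac, UNKNOWN) if self.use_cached_posture else UNKNOWN
        if token == HEALTHY:
            return "Employee-VLAN"
        if token == UNHEALTHY:
            return "Quarantine-VLAN"
        # Posture == UNKNOWN: the agent never reported, so return a quarantine
        # role whose captive-portal profile points at the agent download page.
        return "Quarantine-VLAN+AgentDownloadPortal"

    def webauth_service(self, mac: str, health: dict) -> str:
        """WebAuth service: the OnGuard agent posts health over HTTP; evaluate,
        cache the token and bounce the client so 802.1X runs again."""
        av_ok = tuple(health.get("av_version", (0, 0))) >= self.min_av_version
        token = HEALTHY if health.get("firewall_on") and av_ok else UNHEALTHY
        self.posture_cache[mac] = token
        self.coa_sent.append(mac)          # RADIUS Disconnect -> NAD forces re-authentication
        return token


def run_workflow(cppm: CPPM, mac: str, health: dict) -> tuple:
    """Steps a) to c) of the sample workflow; returns (first role, role after re-auth)."""
    first = cppm.dot1x_service(mac)        # a) no posture yet -> quarantine / portal
    cppm.webauth_service(mac, health)      # b) agent reports health, CPPM caches and sends CoA
    second = cppm.dot1x_service(mac)       # c) re-auth uses the cached posture token
    return first, second


if __name__ == "__main__":
    cppm = CPPM()
    print(run_workflow(cppm, "aa:bb:cc:dd:ee:01", {"firewall_on": True, "av_version": (3, 1)}))
    # Same flow with the checkbox unset: the 802.1X service never sees the cached token.
    print(run_workflow(CPPM(use_cached_posture=False), "aa:bb:cc:dd:ee:02",
                       {"firewall_on": True, "av_version": (3, 1)}))
```

The second run shows the failure mode reply 2 warns about: without "Use cached roles and posture" the client stays on the portal role even after the agent has reported it healthy.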



  • 8.  RE: Clearpass Onguard implementation and documentation

    Posted Mar 17, 2014 05:45 AM

    Hi,

    I am just trying to implement this scenario, 802.1X + OnGuard. But what can I do to redirect the user without the OnGuard agent (Posture == UNKNOWN) to the web page with a URL to download the agent? Do I have to do this on CPPM or on the Controller, after assigning the role Quarantena from CPPM?

    Thanks,

    Massimo



  • 9.  RE: Clearpass Onguard implementation and documentation

    Posted Mar 17, 2014 02:30 PM

    Just return a role which has a captive portal profile attached that redirects to the page you want it to go to.



  • 10.  RE: Clearpass Onguard implementation and documentation

    Posted Jul 11, 2017 05:37 PM

    OK, I understand it.

    But is it possible to send the client not only the information that it is out of compliance,

    but also send it to a website where it gets the newest software?