Yes! I can help. Using the persistent agent (PA), you need to create a WebAuth service. There should be one in the service templates. The PA sends its health, which is checked against the WebAuth service configured. This derives the posture token (healthy, unhealthy, etc.). That token is then keyed off in the 802.1X service. In the enforcement policy, you MUST select "Use cached roles and posture...". This tells the 802.1X service to look at context information (the posture token) from other services when making enforcement policy decisions.
If I already have an 802.1X service, do I simply add posture checking to it, or do I create a WebAuth service in addition to the .1X service?
With 802.1X you can use the Windows Native agent for basic health checking. There is no need for an extra service. But if you want to do more specific, detailed health checks, you should use the OnGuard agent. For the OnGuard agent to work you should add a WebAuth service, as OnGuard communicates with CPPM using the HTTP protocol. In that WebAuth enforcement you can have either a 'Session Timeout' or a 'Client Bounce', so that 802.1X is hit again and the appropriate enforcement occurs.
Sample Workflow:
a) Client authenticates using 802.1X authentication. CPPM processes the authentication request and assigns the Quarantine VLAN because client health info is not available.
b) After the client gets an IP address, the OnGuard agent sends client health info to CPPM. CPPM processes the health, caches the client health status and triggers another 802.1X/MAC authentication by sending a RADIUS Disconnect to the NAD.
c) CPPM processes the 2nd authentication request from the client and assigns the proper VLAN based on the cached client health status.
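The two-pass flow above (quarantine on first auth, posture cached by the WebAuth service, RADIUS Disconnect, re-auth keyed off the cached token) can be modelled as a small state machine. The following is an added illustration written for this thread, not ClearPass code: the VLAN numbers, token names, client MAC and the `use_cached_posture` flag are constructed stand-ins for the "Use cached roles and posture..." enforcement setting, and the model also shows what happens when that setting is left off.

```python
"""Simulation of the 802.1X + OnGuard posture workflow from the thread.

Illustrative model only, not ClearPass/CPPM code. VLAN numbers, posture token
names and the use_cached_posture flag are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed VLAN assignments for the example (not ClearPass defaults).
VLAN_QUARANTINE = 100    # no health info available yet
VLAN_REMEDIATION = 101   # health known and not healthy
VLAN_PRODUCTION = 10     # health known and healthy


@dataclass
class PolicyServer:
    """Stands in for CPPM: an 802.1X service plus a WebAuth posture service."""
    # Models the "Use cached roles and posture..." checkbox on the 802.1X policy.
    use_cached_posture: bool = True
    # Posture cache filled by the WebAuth service: client MAC -> posture token.
    posture_cache: Dict[str, str] = field(default_factory=dict)
    # RADIUS Disconnect messages sent to the NAD (the "client bounce").
    disconnects_sent: List[str] = field(default_factory=list)

    def dot1x_authenticate(self, mac: str) -> int:
        """802.1X service: decide the VLAN returned in the Access-Accept.

        The enforcement policy keys off the posture token cached by the
        WebAuth service, but only if the 802.1X service is told to look at
        cached context; otherwise posture is unknown on every pass.
        """
        token: Optional[str] = (
            self.posture_cache.get(mac) if self.use_cached_posture else None
        )
        if token is None:
            return VLAN_QUARANTINE        # step a): health not available
        if token == "HEALTHY":
            return VLAN_PRODUCTION        # step c): cached token says healthy
        return VLAN_REMEDIATION           # cached token says unhealthy

    def webauth_health_report(self, mac: str, healthy: bool) -> None:
        """WebAuth service: OnGuard posts health over HTTP, CPPM derives and
        caches the posture token, then bounces the session with a Disconnect."""
        self.posture_cache[mac] = "HEALTHY" if healthy else "UNHEALTHY"
        self.disconnects_sent.append(f"Disconnect-Request for {mac}")


def run_flow(healthy: bool, use_cached_posture: bool = True) -> List[int]:
    """Run steps a) to c) and return the VLAN assigned on each 802.1X pass:
    [first authentication, re-authentication after the health report]."""
    cppm = PolicyServer(use_cached_posture=use_cached_posture)
    mac = "00-11-22-33-44-55"                 # constructed client MAC
    vlans = [cppm.dot1x_authenticate(mac)]    # a) no health yet -> quarantine
    cppm.webauth_health_report(mac, healthy)  # b) health cached, Disconnect sent
    if not cppm.disconnects_sent:
        raise RuntimeError("NAD never received a Disconnect; no re-auth happens")
    vlans.append(cppm.dot1x_authenticate(mac))  # c) VLAN from cached posture
    return vlans


if __name__ == "__main__":
    print("healthy client:          ", run_flow(True))
    print("unhealthy client:        ", run_flow(False))
    print("cached posture disabled: ", run_flow(True, use_cached_posture=False))
```

The third case is the one worth noticing: with the cached-posture option off, the second authentication lands in the quarantine VLAN again even though OnGuard reported the client healthy, which is why the enforcement policy has to be told to use cached roles and posture.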