Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Onguard - setup

  • 1.  Clearpass - Onguard - setup

    Posted Feb 26, 2015 04:08 PM

    Hello,

    I am new to Aruba. I was trying to set up ClearPass for posture assessment of wired dot1x network connections. We use 3750 Cisco switches and authentication is against AD servers.

     

    Is there a setup guide available I can find?

    I'm trying to accomplish the following:

    1. User connects the computer

    2. OnGuard does the posture assessment; if it passes

    3. ClearPass looks for his/her department and assigns the VLAN

    4. If it fails, show the remediation or do auto-remediation.

     

    I got the VLAN assignment part working as that seems self-explanatory.

     

    I understand that we have multiple options for doing the posture assessment 

    1. webpage

    2. install application 

    We would like to look at both 

     

    If someone can point me to a configuration guide or suggest ideas, I will be grateful.

     

    Thanks!

     

     



  • 2.  RE: Clearpass - Onguard - setup

    EMPLOYEE
    Posted Feb 26, 2015 04:14 PM
    Are you working with an Aruba partner? It can be a bit complex to explain on here. 


    Thanks, 
    Tim


  • 3.  RE: Clearpass - Onguard - setup

    Posted Feb 26, 2015 04:21 PM

    This is what I have done so far.

    We are using 802.1x to AD authentication on Cisco 3750 switches.

     

    On ClearPass

    Configuration -> service (new service) - 802.1x wired

    defaults in the service

    authentication to AD server

    we are not doing any roles

     

    Enforcement - new policy - I have created 2 conditions.

    1. Tips:Role equals {user authentication}

     and Tips:Posture equals healthy(0)

    Then assign employee VLAN

    2. Tips:Role equals {user authentication}

     and Tips:Posture NOT_Equals healthy(0)

    Then cisco-wired onguard redirect and temporary VLAN

     

    For the cisco-wired onguard redirect profile I have set a URL redirect to ClearPass OnGuard.

     

    ---Testing---

    Connected a Windows 7 machine to the port - it does the authentication and fails right away.

    However, on the ClearPass access tracker, I can see that login-status is ACCEPT

    and the summary says it's using the right service that I have created and it falls under condition 2.

    On the output it's sending the VLAN attributes for the temporary VLAN and the cisco-avpair URL redirect.

    As it's not authenticating I can't get to the URL. However, in the profiles, when I remove the RADIUS attribute for URL redirect and keep just the VLAN, the machine authenticates with my credentials and gives me the VLAN I need but without posture assessment.

    One thing I have noticed is in access tracker - summary - I see below

     

    System Posture Status:
    UNKNOWN (100)

     

    I must be missing something. Any help will be much appreciated.



  • 4.  RE: Clearpass - Onguard - setup

    EMPLOYEE
    Posted Mar 02, 2015 01:19 PM
    Is it machine authenticating or user?

    What does the alerts tab say?


  • 5.  RE: Clearpass - Onguard - setup

    Posted Mar 02, 2015 01:22 PM

    Yes, authentication using user credentials.

    In the access tracker I only see summary, input and output. I don't see alerts tab