Clearpass & OnGuard (wired cisco)
05-22-2013 09:11 PM
This is a Cisco Wired environment.
Re: Clearpass & OnGuard (wired cisco)
05-22-2013 09:33 PM
http://community.arubanetworks.com/aruba/attachments/aruba/amigopod/1301/1/#page19
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: Clearpass & OnGuard (wired cisco)
05-22-2013 09:38 PM
I'd really like to have DACL enforcement, with no VLAN switching.
Re: Clearpass & OnGuard (wired cisco)
05-22-2013 09:44 PM
OnGuard is a very flexible module and I would recommend working with the local SE or partner on setting it up.
We are constantly releasing new How-To documents and I will post a notice here when it's available.
Troy
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
Re: Clearpass & OnGuard (wired cisco)
05-22-2013 10:02 PM
Thanks. I'll look forward to more how-to's :-)
Re: Clearpass & OnGuard (wired cisco)
05-22-2013 10:16 PM
You have the option to have the persistent client auto remediate without moving the client to a remediation role, or you can bounce or apply a role or DACL to the client and force the user to a captive portal to inform them to self remediate.
When a client is healthy
In my lab I have a sample posture that looks for notepad.exe, and if the agent finds the program running it will close the program and post a notification to the agent without moving the client to a different role. Again, it's very flexible, so it comes down to what you would like to do. That's why it's important to work with a local SE until a current document is posted.
Troy
Re: Clearpass & OnGuard (wired cisco)
05-23-2013 04:54 AM
Thanks for all your help.
Re: Clearpass & OnGuard (wired cisco)
05-25-2013 10:24 AM
I think this applies somewhat for the wired side if it isn't Aruba:
http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Wired-Captive-Portal/td-p/57292
I built something similar and used separate VLANs for healthy and unhealthy clients. The client can show a message, and you do need it to do health checking; without it your choices are limited.
Re: Clearpass & OnGuard (wired cisco)
06-05-2013 05:53 PM
Re: Clearpass & OnGuard (wired cisco)
06-07-2013 03:51 PM
Most end up using domain policy to just force the client down. There are many examples of domain policy to install applications.
The general idea is that the computer will do a Machine Auth that will get a DACL for the quarantine network that has access to the basics (DNS, ICMP, CPPM and normally the AV server and AD);
Domain policy pushes OnGuard to the machine when it refreshes the domain policy.
When a user logs in they get [Machine Auth][User Auth] and an Unknown role, which can be another DACL.
OnGuard then runs and bounces the client's NIC.
The user comes in again with the above, but healthy, and gets the full DACL.
Your DACLs have to be exact or the Cisco switch will not accept it. Meaning, no conflicting rules, no leading or trailing spaces.
(A conflicting rule would be something like allow UDP any any and another rule that says allow DNS any any; since DNS is UDP 53, Cisco treats it as conflicting rules, at least it did on the build I was using.)
Since I am not allowed to disclose client information, I can say there are several VERY large companies that are using OnGuard with Cisco, one specifically using DACLs.
Let me know if you have any other questions.
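As an added example (not from this thread, and not ClearPass or Cisco code), the following Python script checks a candidate DACL for the two constraints named in the post above before it is entered into an enforcement profile: no leading or trailing whitespace on any rule, and no rule that already covers another rule with the same action (the "permit udp any any" versus "permit udp any any eq 53" case). The ACE syntax it parses is the common `permit|deny <proto> <src> <dst> [eq <port>]` shape, the sample addresses are constructed, and the small port-name alias table is an assumption; switch builds may also reject other forms this checker does not cover.

```python
import re

# Constructed sample DACL for the quarantine role the post describes
# (DNS, ICMP, the ClearPass server). The 192.0.2.10 address is made up.
# Rules 4 and 5 deliberately break the two constraints the post names:
# rule 4 overlaps rule 1 and has a leading space, rule 5 has a trailing space.
SAMPLE_DACL = [
    "permit udp any any eq 53",
    "permit icmp any any",
    "permit tcp any host 192.0.2.10 eq 443",
    " permit udp any any",
    "deny ip any any ",
]

# Assumed alias table so "eq domain" and "eq 53" compare as the same port.
PORT_NAMES = {"domain": "53", "www": "80", "bootps": "67"}


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if i + 1 >= len(tokens):
        raise ValueError("truncated address specification")
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    # "<network> <wildcard>" pair; compared literally, no wildcard arithmetic
    return ("net", tokens[i] + " " + tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one ACE into a dict; raise ValueError if it is not well-formed."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line!r}")
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens):
        if tokens[i] != "eq" or i + 1 >= len(tokens):
            raise ValueError(f"unsupported trailer in {line!r}")
        port = PORT_NAMES.get(tokens[i + 1], tokens[i + 1])
        i += 2
    if i != len(tokens):
        raise ValueError(f"unexpected tokens at end of {line!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def _addr_covers(general, specific):
    """'any' covers everything; otherwise only an identical spec counts as covering."""
    return general[0] == "any" or general == specific


def covers(general, specific):
    """True if every packet matched by `specific` is also matched by `general`
    with the same action, i.e. the more specific rule can never take effect."""
    if general["action"] != specific["action"]:
        return False
    if general["proto"] != "ip" and general["proto"] != specific["proto"]:
        return False
    if general["port"] is not None and general["port"] != specific["port"]:
        return False
    return (_addr_covers(general["src"], specific["src"])
            and _addr_covers(general["dst"], specific["dst"]))


def check_dacl(lines):
    """Return a list of findings; an empty list means the DACL passed both checks."""
    findings = []
    parsed = []
    for n, raw in enumerate(lines, start=1):
        if raw != raw.strip():
            findings.append(f"rule {n}: leading or trailing whitespace")
        try:
            parsed.append((n, parse_ace(raw.strip())))
        except ValueError as err:
            findings.append(f"rule {n}: {err}")
    for n_a, ace_a in parsed:
        for n_b, ace_b in parsed:
            if n_a != n_b and covers(ace_a, ace_b):
                findings.append(f"rule {n_a} already covers rule {n_b}")
    return findings


if __name__ == "__main__":
    for finding in check_dacl(SAMPLE_DACL):
        print(finding)
```

Run against the constructed sample it reports the whitespace on rules 4 and 5 and that rule 4 already covers rule 1; a DACL that ends in `deny ip any any` after a set of permits is not flagged, because the overlap check only considers rules with the same action.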