
Clearpass onguard Cache timeout

  • 1.  Clearpass onguard Cache timeout

    Posted Aug 06, 2015 05:12 AM

    Ciao,
    regarding the Onguard CACHE value (default value is 5 min), this is what happens:
    1) The 802.1x client is authenticated with posture UNKNOWN (initial role)
    2) The Onguard agent triggers a new connection and sends posture (HEALTHY)
    3) After 5 minutes the cache expires
    4) An 802.1x reauthentication occurs without interface change (no Onguard agent triggers) and the posture now is UNKNOWN. The client is put in an initial role, losing full connectivity.

    Is it right?
    I temporarily resolved it by changing the Onguard cache timeout to 1 week. But is it right?

    Regards,
    Iarno



  • 2.  RE: Clearpass onguard Cache timeout

    EMPLOYEE
    Posted Aug 06, 2015 09:11 AM

    Does your 802.1x service's enforcement policy have "used cached roles" checked off?



  • 3.  RE: Clearpass onguard Cache timeout

    Posted Aug 06, 2015 11:35 AM

    Yes

     



  • 4.  RE: Clearpass onguard Cache timeout

    Posted Oct 30, 2016 01:39 PM

    Hi Guys,

    I'm experiencing the same issue too.

    "Use cached Roles and Posture attributes" is checked but I see the UNKNOWN state in the .1x service in Access Tracker after 5 mins.

    Has anyone solved that problem?



  • 5.  RE: Clearpass onguard Cache timeout

    Posted Oct 30, 2016 01:47 PM

    Also version  6.6.2.86786.



  • 6.  RE: Clearpass onguard Cache timeout
    Best Answer

    Posted Oct 30, 2016 08:07 PM
    What’s your Policy result cache timeout set to? This is under Cluster Parameters.

    By default it is set to 5 minutes.


  • 7.  RE: Clearpass onguard Cache timeout
    Best Answer

    Posted Oct 31, 2016 05:07 AM

    Hi Victor,

    Yes, it is 5 mins. I set it to 600 mins and it solved my problem. I don't see the problem any more. Thank you for your help.



  • 8.  RE: Clearpass onguard Cache timeout

    Posted Nov 01, 2016 04:59 AM

    Hi Victor,
    When I looked at Access Tracker I saw that clients go to quarantine because of UNKNOWN status again. But 2 or 5 seconds later the agent sends back HEALTHY status and clients go to their own VLAN again. For testing I changed the cache timeout to 10 mins but it has the same effect. Because of this, client connections get interrupted periodically. How can we make the agent send Posture Status to ClearPass before the cache timeout?



  • 9.  RE: Clearpass onguard Cache timeout

    Posted Nov 01, 2016 07:12 AM
    You can use the Keep-alive Interval (in seconds) to force the agent to send a health posture every X amount of time.

    This could really impact the users because every time you provide health it will reset the connection.

    You can use the endpoint DB and custom attributes to avoid sending a CoA or an Agent bounce every time the agent provides a healthy posture, and instead just do the CoA or Agent bounce when it is unhealthy.
    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Onguard-without-bounce-terminate-session/m-p/274517#M27429
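
A simplified timeline model of the timer interaction discussed in this thread, added here as an example; it is not code from any poster or from HPE Aruba, and it does not talk to ClearPass. It assumes a reauthentication sees the newest agent report only while that report is younger than the cache timeout; the function names, the 10-minute reauthentication interval and the first report at 60 s are assumptions.

```python
from bisect import bisect_right

UNKNOWN = "UNKNOWN"

def posture_seen(reports, reauth_times, cache_timeout):
    """reports: time-sorted (t_seconds, posture) agent submissions.
    Returns [(t, posture)] as each reauthentication would see it."""
    times = [t for t, _ in reports]
    seen = []
    for t in reauth_times:
        i = bisect_right(times, t) - 1      # newest report at or before t
        if i >= 0 and t - times[i] < cache_timeout:
            seen.append((t, reports[i][1]))
        else:
            seen.append((t, UNKNOWN))       # no report yet, or cache entry expired
    return seen

def unknown_reauths(cache_timeout, reauth_interval, horizon,
                    first_report=60, keepalive=None):
    """Reauth times (seconds) within horizon that find no valid cached posture.
    keepalive=None models an agent that reports once and is never re-triggered."""
    if keepalive:
        reports = [(t, "HEALTHY") for t in range(first_report, horizon + 1, keepalive)]
    else:
        reports = [(first_report, "HEALTHY")]
    reauths = range(reauth_interval, horizon + 1, reauth_interval)
    return [t for t, p in posture_seen(reports, reauths, cache_timeout) if p == UNKNOWN]

if __name__ == "__main__":
    hour, week = 3600, 7 * 24 * 3600
    scenarios = {                            # constructed timer values
        "cache 5 min, single report": dict(cache_timeout=300),
        "cache 1 week, single report": dict(cache_timeout=week),
        "cache 5 min, keep-alive 2 min": dict(cache_timeout=300, keepalive=120),
        "cache 5 min, keep-alive 10 min": dict(cache_timeout=300, keepalive=600),
    }
    for name, kw in scenarios.items():
        bad = unknown_reauths(reauth_interval=600, horizon=hour, **kw)
        print(f"{name}: {len(bad)} reauth(s) see UNKNOWN", bad[:3])
```

In this model a reauthentication finds a cached posture only when the newest agent report is younger than the cache timeout, so a keep-alive interval only helps when it is shorter than that timeout.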