Occasional Contributor II
Posts: 14
Registered: ‎10-30-2009

Clearpass onguard Cache timeout

Ciao,
Regarding the OnGuard cache value (default value is 5 min), this is what happens:
1) 802.1x client is authenticated with posture UNKNOWN (initial role)
2) OnGuard agent triggers a new connection and sends posture (HEALTHY)
3) After 5 minutes the cache expires
4) An 802.1x reauthentication occurs without interface change (no OnGuard agent triggers) and the posture now is UNKNOWN. The client is put in an initial role, losing full connectivity.

Is it right?
I temporarily resolved it by changing the OnGuard cache timeout to 1 week. But is it right?

Regards,
Iarno

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Clearpass onguard Cache timeout

Does your 802.1x service's enforcement policy have "used cached roles" checked off?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 14
Registered: ‎10-30-2009

Re: Clearpass onguard Cache timeout

Occasional Contributor II
Posts: 12
Registered: ‎12-26-2013

Re: Clearpass onguard Cache timeout

Hi Guys,

   I'm experiencing the same issue too.

"Use cached Roles and Posture attributes" is clicked but I see the UNKNOWN state in the .1x service in Access Tracker 5 mins later.

Has anyone solved that problem?

Occasional Contributor II
Posts: 12
Registered: ‎12-26-2013

Re: Clearpass onguard Cache timeout

Also, version 6.6.2.86786.

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Clearpass onguard Cache timeout

What’s your Policy result cache timeout set to? This is under Cluster Parameters.

By default it is set to 5 minutes.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 12
Registered: ‎12-26-2013

Re: Clearpass onguard Cache timeout

Hi Victor,

 Yes, it is 5 mins. I set it to 600 mins and it solved my problem. I don't see the problem any more. Thank you for your help.

Occasional Contributor II
Posts: 12
Registered: ‎12-26-2013

Re: Clearpass onguard Cache timeout

Hi Victor,
    When I looked at Access Tracker I saw that clients go to quarantine because of UNKNOWN status again. But 2 or 5 seconds later the agent sends back HEALTHY status and clients go to their own VLAN again. For testing I changed the cache timeout to 10 mins but it has the same effect. Because of this, client connections are getting interrupted periodically. How can we get the agent to send Posture Status to ClearPass before the cache timeout?

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Clearpass onguard Cache timeout

You can use the Keep-alive Interval (in seconds) to force the agent to send a health posture every X amount of time.

This could really impact the users because every time you provide health it will reset the connection.

You can use the endpoint db and custom attributes to avoid sending a CoA or an Agent bounce every time the agent provides a healthy posture, and instead just do the CoA or Agent bounce when it is unhealthy.
https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Onguard-without-bounce-terminate-session/m-p/274517#M27429
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
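
The timing interaction discussed in this thread, as an added example that is not part of any post and not ClearPass code: a simplified model of which posture each 802.1X reauthentication would read from the cache. The reauthentication interval, the function names and the rule "a cached posture is usable for the cache timeout after the agent's last report" are assumptions made for illustration.

```python
# Simplified timeline model (an assumption, not ClearPass internals):
# a cached posture is usable for `cache_ttl` seconds after the agent's
# last report; a reauthentication with no fresh report reads that cache.

def posture_at_reauth(cache_ttl, reauth_interval, keepalive=None, horizon=3600):
    """Return [(t_seconds, posture)] for each 802.1X reauth up to horizon.

    keepalive=None models an agent that reports only once, at t=0
    (no interface change, so nothing triggers it again).
    """
    results = []
    t = reauth_interval
    while t <= horizon:
        if keepalive:
            # Latest keep-alive report at or before this reauth.
            last_report = (t // keepalive) * keepalive
        else:
            last_report = 0
        age = t - last_report
        posture = "HEALTHY" if age < cache_ttl else "UNKNOWN"
        results.append((t, posture))
        t += reauth_interval
    return results


def unknown_count(**kw):
    """Number of reauthentications that would land in the initial role."""
    return sum(1 for _, p in posture_at_reauth(**kw) if p == "UNKNOWN")


if __name__ == "__main__":
    # Constructed scenarios; the 600 s reauth interval is hypothetical.
    scenarios = {
        "default 5 min cache, no keep-alive": dict(cache_ttl=300, reauth_interval=600),
        "600 min cache, no keep-alive, 1 day": dict(cache_ttl=36000, reauth_interval=600, horizon=86400),
        "5 min cache, keep-alive 120 s": dict(cache_ttl=300, reauth_interval=600, keepalive=120),
        "5 min cache, keep-alive 420 s": dict(cache_ttl=300, reauth_interval=600, keepalive=420),
    }
    for name, kw in scenarios.items():
        print(f"{name}: {unknown_count(**kw)} UNKNOWN reauths")
```

In this model a longer cache timeout only postpones the first UNKNOWN result, while a keep-alive shorter than the cache timeout removes it; the model does not account for the connection reset on each posture report that the last reply warns about.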