Contributor II
Posts: 50
Registered: ‎11-24-2014

Grace Period for Onguard Posture

Does anyone know how to use the Insight database to see how long an endpoint has had "Unknown" Onguard posture? I would like to wait or delay posture enforcement after boot up, for say, 10 minutes prior to doing a CoA, to give the client a chance to check in.

 

Thanks,

Evan

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Grace Period for Onguard Posture

You can create two custom attributes in the endpoint repository to handle this. This is a common deployment method.

 

Here are the two attributes (you can change the names):

posture-custom-attributes.PNG

 

Create a few endpoint update enforcement profiles for each health status:

endpoint-lkpt-healthy.PNG

 

Create an endpoint update enforcement profile that stamps the current time:

lkptime-now.PNG

 

Now, you'll need to create a time attribute in [Time Source] that is your acceptable window for a valid posture token. In this example, it's two days:

custom-time-two-days.PNG

Now to put it all together, in your Health Check WebAuth service, add the two Last Known X enforcement profiles to each rule (the time one should be added to all of them and you'll want to switch between the correct posture token depending on the rule).

 

Now in your authentication service, you can do something like this:

enforcement-time-onguard.PNG

Be sure [Endpoints Repository] and [Time Source] are added as authZ sources.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 50
Registered: ‎11-24-2014

Re: Grace Period for Onguard Posture

What happens if it is the first time it has checked in or the attribute for LKP Token does not exist? I do not want to deny access right away.

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Grace Period for Onguard Posture

They would hit whichever rule you have for unknown posture. This setup is to handle folks that have already passed posture in the past X hours/days to allow the grace period.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 50
Registered: ‎11-24-2014

Re: Grace Period for Onguard Posture

What about a grace period for all unknown postures?

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Grace Period for Onguard Posture

You would just set your access role with a session timeout that will disconnect the user after X time.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 50
Registered: ‎11-24-2014

Re: Grace Period for Onguard Posture

I'm confused by your enforcement policy logic. When would a future time (two days from now or even beyond the grace period) ever not be greater than a time in the past (last known posture time)?

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Grace Period for Onguard Posture

Good catch! Too much multitasking 😀

 

That time source query should be a subtract instead of an add like below:

localtimestamp(0) - interval '2 days' as two_days_ago

Then the rule would be:

lkpt-greater.PNG


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
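Putting the thread's design together as an added example (Python written for this page, not ClearPass code): it models the two custom endpoint attributes (assumed names LKP Token and LKP Time), the corrected two_days_ago Time Source value, the authentication-service rule order including the first-check-in case, and shows why the original additive query never granted the grace period. Profile and posture names are constructed placeholders.

```python
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(days=2)  # the [Time Source] window used in the thread

def window_start(now: datetime, grace: timedelta = GRACE) -> datetime:
    """Python equivalent of the corrected Time Source query:
    localtimestamp(0) - interval '2 days' as two_days_ago"""
    return now.replace(microsecond=0) - grace

def broken_window_start(now: datetime, grace: timedelta = GRACE) -> datetime:
    """The first version of the query added the interval; a timestamp in the
    past can never exceed one in the future, so grace would never be granted."""
    return now.replace(microsecond=0) + grace

def stamp_last_known(endpoint: dict, posture: str, now: datetime) -> dict:
    """Health Check WebAuth service: the two endpoint-update profiles write
    the posture token for the matched rule and the current time (assumed names)."""
    endpoint["LKP Token"] = posture
    endpoint["LKP Time"] = now.replace(microsecond=0)
    return endpoint

def select_enforcement(endpoint: dict, posture: str, now: datetime,
                       since: Optional[datetime] = None) -> str:
    """Authentication service rules, evaluated top to bottom (placeholder profile names)."""
    if posture == "HEALTHY":
        return "Healthy-Access"
    if posture != "UNKNOWN":
        return "Quarantine-Access"
    # Unknown posture: fall back to the last known posture if it is recent enough.
    since = since if since is not None else window_start(now)
    token, last = endpoint.get("LKP Token"), endpoint.get("LKP Time")
    if token is None or last is None:
        return "Unknown-Posture-Access"  # first ever check-in: no history yet
    if token == "HEALTHY" and last > since:
        return "Healthy-Access"  # inside the grace window
    return "Unknown-Posture-Access"

def demo() -> dict:
    """Constructed scenario: a laptop that passed posture six hours ago."""
    now = datetime(2015, 3, 2, 9, 0, 0)
    ep = stamp_last_known({}, "HEALTHY", now - timedelta(hours=6))
    return {
        "in_grace": select_enforcement(ep, "UNKNOWN", now),
        "expired": select_enforcement(ep, "UNKNOWN", now + timedelta(days=3)),
        "first_checkin": select_enforcement({}, "UNKNOWN", now),
        "buggy_query": select_enforcement(ep, "UNKNOWN", now, broken_window_start(now)),
    }
```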