Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

OnGuard extend scan intervals / cache

How can I extend the OnGuard posture token to, say, 2 weeks?

Currently the default posture is unknown and I have the rule: if unknown, then send to remediation VLAN. That works. The agent scans, gets a healthy token and bounces the NIC (the NAD doesn't support CoA). But this happens on every auth, so it takes 20-30 seconds to connect to the network to go through that process. If I could extend the policy cache value to 2 weeks, then that "bounce" process would only happen every 2 weeks.

Regards,

Josh
___________
ACMP, ACCP
Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: OnGuard extend scan intervals / cache

Yes there is a value under server config parameters that you need to increase. Default value is 5min. I'll post tomorrow if someone does not beat me to it.
Aruba
Posts: 1,528
Registered: ‎06-12-2012

Re: OnGuard extend scan intervals / cache

There have been some added features on this and I will try to post some information and slides from the latest TOI this Friday.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: OnGuard extend scan intervals / cache

This is the value we changed to get our value to one week.

OnguardCache.PNG

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: OnGuard extend scan intervals / cache

That it is possible doesn't mean you should do it. Personally I wonder how useful OnGuard is when you cache the result for two weeks or one week. A lot can happen in one week; doesn't this give you a false sense of safety?

Aruba
Posts: 1,528
Registered: ‎06-12-2012

Re: OnGuard extend scan intervals / cache

So there are two parts to this.

1. If you cache the scan, that just means that Policy Manager will continue to let you on until its required check-in time.

2. That being said, if you don't have auto remediation turned on, yes, that will open you up to issues if someone is out of compliance, but again, 2 parts to that :)

  • A. Even if the cache is turned on it doesn't mean that is the only time OnGuard runs. The service does constantly run and looks for compliance. That is just when the full scan is run.

  • B. And if auto remediation is turned on it will put most items back into compliance (update DAT file, start and stop services, etc.).

For example in my lab (which is a simple test that you can run) I have OnGuard looking for notepad.exe and if I start Notepad it will automatically close the program.

screenshot_01 Mar. 01 00.33.gif

Thank You,
Troy

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: OnGuard extend scan intervals / cache

Thanks guys. I understand the implications of caching posture tokens for extended times and have explained that to the end users. They would like to err on the side of usability.

The real issue is their device doesn't support any kind of CoA or ability to re-auth the session, so you have to use the agent bounce and then you obviously lose connectivity no matter what. This happens on every session. Maybe there's a better way to do this? I don't have screen caps and I'm not onsite now but here's my logic in the service:

If computer AND posture NOT EQUALS healthy --> quarantine vlan enforcement profile

OnGuard web service

If SHV passes all checks --> posture = healthy --> Agent bounce enforcement

If SHV fails one or more --> posture = quarantine --> Agent bounce enforcement

I'll get some screen caps tomorrow when I'm back onsite but is there a better / recommended way to do this?

Regards,

Josh
___________
ACMP, ACCP
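To make the trade-off behind Troy's two-part answer (a cached token keeps the device on the network until its check-in time) and Josh's service logic (unknown or non-healthy posture lands in the quarantine VLAN, the SHV result is cached, and the agent bounces the NIC because the NAD has no CoA) concrete, here is an added toy model in Python. It is not ClearPass code and not from either poster; the enforcement profile names, the check names, the device id and the two-week timeline are constructed for the example. It walks one laptop through the same three sessions with the default 5-minute cache and with a 14-day cache, and counts the sessions in which a device that has drifted out of compliance is still granted production access on a stale healthy token.

```python
"""Toy model of OnGuard posture-token caching (hypothetical, constructed example).

Not ClearPass code: it only models the behaviour described in the thread so
the usability/safety trade-off of a long cache lifetime can be seen on input.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Posture(Enum):
    UNKNOWN = "unknown"
    HEALTHY = "healthy"
    QUARANTINE = "quarantine"


# Placeholder enforcement profile names (assumed, not from the thread's deployment).
QUARANTINE_VLAN = "quarantine-vlan-enforcement"
PRODUCTION_VLAN = "production-vlan-enforcement"


@dataclass
class PostureCache:
    """device id -> (posture token, time issued); ttl is the cache lifetime
    the thread discusses (default 5 min, the value Josh wants at 2 weeks)."""
    ttl: timedelta = timedelta(minutes=5)
    entries: dict = field(default_factory=dict)

    def lookup(self, device: str, now: datetime) -> Posture:
        entry = self.entries.get(device)
        if entry is None:
            return Posture.UNKNOWN
        token, issued = entry
        if now - issued > self.ttl:  # expired token: device is unknown again
            del self.entries[device]
            return Posture.UNKNOWN
        return token

    def store(self, device: str, token: Posture, now: datetime) -> None:
        self.entries[device] = (token, now)


def evaluate_shv(checks: dict) -> Posture:
    """System Health Validator: healthy only if every check passes."""
    return Posture.HEALTHY if all(checks.values()) else Posture.QUARANTINE


def enforcement_for(is_computer: bool, posture: Posture) -> str:
    """Josh's rule: computer AND posture != healthy -> quarantine VLAN.
    Anything else falls through to the production profile (assumed default)."""
    if is_computer and posture is not Posture.HEALTHY:
        return QUARANTINE_VLAN
    return PRODUCTION_VLAN


def authenticate(cache: PostureCache, device: str, now: datetime,
                 checks: dict, is_computer: bool = True):
    """One session on a NAD without CoA.  Returns (profile applied, bounced).

    A valid cached token skips the scan-and-bounce round trip, which is also
    why a stale cached token skips detection of drift until it expires."""
    posture = cache.lookup(device, now)
    if posture is not Posture.UNKNOWN:
        return enforcement_for(is_computer, posture), False
    # Unknown: quarantine VLAN first, agent scans via the OnGuard web service,
    # the token is cached and the agent bounces the NIC to re-auth with it.
    token = evaluate_shv(checks)
    cache.store(device, token, now)
    return enforcement_for(is_computer, token), True


def simulate(ttl: timedelta):
    """Three sessions over two weeks; AV is stopped on day 3 and stays stopped.
    Returns [(profile, bounced, actually_compliant), ...]."""
    cache = PostureCache(ttl=ttl)
    t0 = datetime(2013, 3, 1, 8, 0)  # constructed timeline
    healthy = {"av_running": True, "firewall_on": True, "dat_fresh": True}
    drifted = {**healthy, "av_running": False}
    timeline = [(t0, healthy),
                (t0 + timedelta(days=3), drifted),
                (t0 + timedelta(days=15), drifted)]
    return [(*authenticate(cache, "laptop-01", when, checks), all(checks.values()))
            for when, checks in timeline]


def exposed_sessions(results) -> int:
    """Sessions granted production access while the device was non-compliant."""
    return sum(1 for profile, _, compliant in results
               if profile == PRODUCTION_VLAN and not compliant)


if __name__ == "__main__":
    for label, ttl in (("5 min cache", timedelta(minutes=5)),
                       ("14 day cache", timedelta(days=14))):
        res = simulate(ttl)
        print(label, res, "exposed sessions:", exposed_sessions(res))
```

With the 5-minute cache every session scans and bounces, so the day-3 drift is caught immediately; with the 14-day cache the day-3 session neither scans nor bounces (the usability Josh's users want) and the stopped AV goes unnoticed until the token expires on day 15, which is the exposure the earlier reply warned about. Troy's point B is what shrinks that window: auto-remediation runs outside the full scan and would restart the service itself.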
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: OnGuard extend scan intervals / cache

Troy - will OnGuard actually kill a process if it's running? I have the same policy configured and it only notifies the end user and doesn't actually stop the process. 

Regards,

Josh
___________
ACMP, ACCP
MVP
Posts: 360
Registered: ‎01-14-2010

Re: OnGuard extend scan intervals / cache

Troy,

I'm doing some research on this subject. Are there any improvements with the OnGuard cache and how the agent communicates to ClearPass in 6.5?

I'm with a current customer right now that is hesitant to raise the cache, but also doesn't like how the agent becomes unknown after a small amount of time.

Any thoughts if 6.5 can help fix this problem?

Thanks for your time!

-Mike
