OnGuard - "Use cached roles" Grayed out

Hi,

 

Edit: forgot to mention I am running the latest 6.7.

 

Pretty new to OnGuard, I am trying to configure it. As far as I understand, the authentication flow would look something like this:

 

- Client connects and authenticates using dot1x. Because posture is "unknown" the client is placed in a "staging" VLAN.

- At this point the client has an IP and can connect to ClearPass.

- OnGuard agent detects it's on the network and sends posture information to ClearPass. At this point ClearPass knows whether the client is Healthy or whether it should be quarantined.

- ClearPass OnGuard action is to bounce the port so that the client is forced to reauthenticate, this time with the cached information from the posture.

 

Problem is within the Webauth service that has the posture enabled: I cannot enable "Use cached roles and posture attributes", it is greyed out, therefore the client posture is always unknown.

 

Any ideas?

Thanks

 

Re: OnGuard - "Use cached roles" Grayed out

Under the cluster-wide parameters, try changing the default policy cache timeout (default value is 5 minutes).





Thank you

Victor Fabian

Pardon typos sent from Mobile
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: OnGuard - "Use cached roles" Grayed out

Thanks!

 

So no matter whether the service has that enabled, it will cache the client for 5 minutes by default?

Re: OnGuard - "Use cached roles" Grayed out

By default it is set to 5 minutes, but you can increase it. You should also consider having the agent send a keep-alive periodically (under Global OnGuard Settings), and if the posture is healthy from a known device then don't bounce the port, and if it is unhealthy then bounce the port.
Thank you

Victor Fabian

Re: OnGuard - "Use cached roles" Grayed out

Thanks. For some reason, the documents I have found all point to ticking that box in the webauth, although maybe in 6.7 that is not the case; it works anyway.
