Security


OnGuard wired ACL

  • 1.  OnGuard wired ACL

    Posted Jul 23, 2014 10:52 AM

    With OnGuard posture enforcement, we can do a whitelist on the Aruba WLAN controller for known update sites for required software and windows updates. On the wired side (specifically Cisco), what are people using for an ACL to allow users to update their software? Right now my policy is that if Posture=anything but healthy, then push the OnGuard Cisco-AVPair url-redirect and url-redirect-acl to pop the captive portal to download the OnGuard agent. 


    Ultimately I'm thinking that if posture=quarantine, then dump the computer into some DMZ'd vlan that only has internet access and port 6558/443 for talking to CPPM - but we can't display a captive portal page then explaining to the user why they are in that state. 


    I'd love to hear suggestions or how others are doing this.
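    As an added illustration (not from the thread and not HPE Aruba's own configuration), one way to answer the wired ACL question on Cisco IOS: a redirect ACL that pops the OnGuard portal without a VLAN change, plus a filter ACL that limits a quarantined host to remediation targets. Host addresses, the portal URL and the WSUS server are assumptions; the ClearPass ports are the ones cited in the post.

```cisco
! Redirect ACL named in the cisco-avpair url-redirect-acl for Posture != Healthy.
! Semantics on IOS: "permit" = redirect this flow to the url-redirect target,
! "deny" = leave the flow alone. Only web traffic is ever redirected.
ip access-list extended ONGUARD-REDIRECT
 remark Assumed ClearPass at 10.0.0.10: portal and agent traffic must not be redirected
 deny   tcp any host 10.0.0.10 eq 443
 deny   tcp any host 10.0.0.10 eq 6558
 remark Assumed local WSUS at 10.0.0.60: updates must reach it without the portal
 deny   tcp any host 10.0.0.60
 remark Everything else on 80/443 lands on the OnGuard download page
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Filter ACL for Posture = Quarantine. A redirect ACL only steers browsers;
! this ACL is what actually restricts the port. Apply it via Filter-Id, or push
! the same ACEs as a downloadable ACL (cisco-avpair ip:inacl#<n>=...).
ip access-list extended ONGUARD-QUARANTINE
 remark Assumed internal DNS at 10.0.0.53
 permit udp any host 10.0.0.53 eq 53
 remark ClearPass portal and OnGuard agent channel
 permit tcp any host 10.0.0.10 eq 443
 permit tcp any host 10.0.0.10 eq 6558
 remark Local WSUS on its default HTTP port
 permit tcp any host 10.0.0.60 eq 8530
 remark Internet over HTTPS only, for vendor update sites that cannot be pinned to IPs
 permit tcp any any eq 443
 remark Everything else is dropped and logged, so quarantined hosts show up in syslog
 deny   ip any any log
```

    The redirect ACL and the filter ACL are applied together in the same RADIUS Access-Accept, so the user still sees an explanation page while the port is locked down.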



  • 2.  RE: OnGuard wired ACL

    Posted Jul 23, 2014 12:53 PM

    - You can create a Web Login page that has an accept button or Click here to continue button 

    - Then create a Web Auth service with your message. This service will receive the Web Auth, and in the Enforcement Policy you can add a custom endpoint attribute "Post Authentication Profile" and call it, for example, Quarantine Page Attribute, and also add a Cisco Terminate Session

    - On the other authentication attempt you can use the attribute already added to the endpoint database to give access (DMZ VLAN) to the user based on the posture and the attribute

    - But in order for this to be successful you will then need to create another post authentication profile that removes the Quarantine Page Attribute if the device is healthy.



  • 3.  RE: OnGuard wired ACL

    Posted Jul 23, 2014 12:58 PM

    One caveat when doing this is that on the Web Login page you need to add a 20-second delay, because you have to give time for the whole logic to run.