Contributor I
Posts: 25
Registered: ‎07-01-2014

Onguard Persistent Agent

Hoping someone here can help. I am building a PoC for Onguard and I am stuck on getting it to work using the persistent agent.

 

First, when using the persistent agent, the OnGuard agent requires credentials (userid and password). I thought it would happen automatically based upon the 802.1X credentials already supplied. Not sure if this is the correct behavior or not.

 

Ignoring the first step and entering credentials into the OnGuard application, if I only have a “Web-Based Health Check Only” service configured, the client receives an authentication failure and CPPM logs it with an “AuthSources not configured for service=CPPM Health Check”. If I create a Web Auth service, the OnGuard agent authenticates correctly, but then receives a “Health Check failed. Invalid or Empty response received from server.” My impression was that only the dissolvable agent required a web authentication service, the PA did not. Is this a correct assumption?

Anyone with ideas where my wires might be crossed?

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Onguard Persistent Agent


How do you have the role that the client lands in configured?

 

You need to make sure you allow the following:

- https/http to CPPM
- TCP 6658 to CPPM

 

You can just build a web-auth only service 

2014-11-05 15_08_15-ClearPass Policy Manager - Aruba Networks.png

 

Create your Posture policies

2014-11-05 15_08_24-ClearPass Policy Manager - Aruba Networks.png

And then create enforcement policies matching the OnGuard posture, either "healthy" or "unhealthy", and then apply an agent enforcement profile that will bounce the agent or do an Aruba terminate session (if you are using an Aruba solution).

Note: Make sure that you are using a client that is supported in your Posture Policy and is also supported by the OnGuard Agent itself.

 

2014-11-05 15_10_18-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Onguard Persistent Agent

Do you have the posture checkbox enabled in your service?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 25
Registered: ‎07-01-2014

Re: Onguard Persistent Agent

The client lands on an inside role, so no issues between the client and CPPM (I did adjust the IP address in agent.conf to reflect the mgmt. interface of CPPM).

 

The first two screenshots (Summary and Posture) are the same as what I have. The last one has me confused. Could you post a capture of the Health-agent-profile profile? Is the intent of this profile to place the client in the correct user-role on the controller, or will the client reauthenticate and then be placed in the correct user-role based upon an 802.1X service?

Contributor I
Posts: 25
Registered: ‎07-01-2014

Re: Onguard Persistent Agent

Under the Web-based Health Check, posture is enabled. Under the 802.1X service it is not.

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Onguard Persistent Agent

One of the key things that you use the agent enforcement profile for is to CoA the device so that it can then get the right access based on the agent posture on the 802.1X service:

 

2014-11-05 15_46_52-ClearPass Policy Manager - Aruba Networks.png

 

As you can see here in the 802.1X I have different rules that apply an Enforcement Profile (Send a User-Role) based on the Posture 

 

2014-11-05 15_48_28-ClearPass Policy Manager - Aruba Networks.png

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 25
Registered: ‎07-01-2014

Re: Onguard Persistent Agent

Victor,

I have set up my services to resemble what you posted, but I am still stuck on the first two questions I asked. Do I need to create a web authentication service for the persistent agent, and should OnGuard auto login?

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Onguard Persistent Agent

You need two services:

- 802.1X Service

- Web-based Health Check Only

 

On the Onguard settings set it to just do Web Auth and No auth

2014-11-05 18_34_01-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 25
Registered: ‎07-01-2014

Re: Onguard Persistent Agent

Thanks a bunch for your help.  That was the piece that I was missing.
