07-04-2014 05:41 AM - edited 07-04-2014 05:42 AM
Can anyone help me out with OnGuard? I want to put unhealthy clients in a quarantine VLAN and redirect them to a webpage that has links to various update sites. My thinking is that I need to set up:
- A new user role that has a CP profile that points to a webpage that we create on CPPM
- The webpage, with multiple links to all the different downloads a user might need (on CPPM I expect, but it could be on an intranet page)
- A firewall policy for the user role that only allows access to the sites on the page above
So, in my enforcement profile, I would be returning the user role to devices with the QUARANTINE status. Does this sound right? Is there a better way to do this?
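The controller side of the design above, sketched as an added example (not from the original posts or from Aruba documentation). It assumes ArubaOS 6.x CLI syntax on the controller; the role, ACL, destination and captive-portal names, the ClearPass address 10.10.10.20, the portal URL and the update hostnames are all illustrative placeholders, and the OnGuard port 6658 is an assumption to check against the CPPM version in use. The ClearPass enforcement profile then returns Aruba-User-Role = quarantine for endpoints whose posture token is QUARANTINE.

```text
! Assumed ArubaOS 6.x syntax; all names and addresses below are placeholders.

! Update sites the quarantined client may reach. FQDN entries are resolved by
! the controller, so DNS has to be permitted in the ACL.
netdestination quarantine-updates
  name download.windowsupdate.com
  name update.microsoft.com
  name liveupdate.symantec.com

! ClearPass node: hosts the quarantine page and receives OnGuard posture reports.
netdestination cppm
  host 10.10.10.20

ip access-list session quarantine-acl
  user any svc-dns permit
  user any svc-dhcp permit
  user alias cppm svc-https permit
  user alias cppm tcp 6658 permit          ! OnGuard agent traffic (assumed port)
  user alias quarantine-updates svc-http permit
  user alias quarantine-updates svc-https permit
  user any svc-http dst-nat 8080           ! everything else: redirect to portal
  user any svc-https dst-nat 8081
  user any any deny

! Captive portal whose login page lives on CPPM (placeholder URL).
aaa authentication captive-portal quarantine-cp
  login-page "https://cppm.example.com/guest/quarantine.php"

user-role quarantine
  captive-portal quarantine-cp
  session-acl quarantine-acl
```

Two things to check before relying on this: update services pull content from CDN hosts that change over time, so the whitelist needs periodic review or a wider destination; and the HTTPS redirect on 8081 will show a certificate warning to the user, so expect most of the successful redirects to come from plain-HTTP requests.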
08-25-2014 12:42 PM
I was actually going to post the exact same question. Hopefully a reply to this message will give it a bump.
Here's what I was thinking:
- User connects to the wireless network
- OnGuard persistent agent runs and determines the health status of the client
- If the user is not healthy, the user is given a wireless role for a captive portal
- The captive portal says something like “You are currently placed in the quarantine…call the Help Desk” etc.
- There is also an Agent message triggered from ClearPass that pops up and says a similar message, “You are currently placed in the quarantine…call the Help Desk” etc.
- The user would then have to click a button on the captive portal page to allow them access. This would give them a user role of Internet-only access, plus access to Clearpass for posture updates.
I've got the above to work in a campus environment. The one issue I'm having is trying to come up with the above on a RAP, and a split-tunnel SSID with a captive portal and ClearPass is a funky config. I’d rather keep it as simple as possible, rather than having to explain a local NAT'd VLAN and all of that to pull it off on a RAP.
My question for the Airheads community is do you just rely on the status updates from the persistent client to let the user know what’s going on? Or, have you had success with the above?
08-25-2014 08:33 PM
Most of my current customers rely on the agent to notify the client of their status. It usually takes a little bit of training of the customers to make sure they check the status of the client if there are any issues connecting to the network.
08-26-2014 06:16 AM
Thanks for that info! The good thing is that we haven't deployed this yet, so we can set the expectations now rather than later.
Do you know anyone that is moving quarantined users to a captive portal? If so, do you know if they were able to replicate that same experience on a RAP with a split-tunneled SSID?
Thanks for the help, as always!
08-26-2014 07:05 AM
I managed to get the method you mentioned working with my customer. Quarantined users get a quarantined-user-role that redirects to a captive portal page that tells them they are quarantined and gives them web-only access to download the AV updates or Windows updates they require. We were going to apply a whitelist to this, enabling them only to get access to Windows Update and their AV provider's update page, but decided against that. There still needs to be good information coming from the OnGuard agent so they know why they failed, as you can't do that in the web page.
It would be nice if there were some included 'default' pages for this as my html is poor at best! Feature request?!