Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onguard - Staging VLAN and some questions

  • 1.  Onguard - Staging VLAN and some questions

    Posted Mar 09, 2018 12:46 AM

    Hi,


    In order for OnGuard to communicate with ClearPass so that a posture classification can be obtained, the client needs an IP and needs to be able to reach ClearPass; at the same time the client should not be able to access the rest of the network.


    This means that I need to create a VLAN to assign to endpoints when they first access the network and then bounce the port once the posture has been established (or not, if the client does not have OnGuard), to then force a different VLAN. Is this the correct way of doing it, through something like a quarantine VLAN?


    In some instances, when the client would access the network, OnGuard would sit there doing nothing, seemingly forever. I don't understand what the criteria are by which OnGuard triggers the collection of the posture, because if I have a random client hanging there with OnGuard doing nothing, ClearPass would leave the client in quarantine. Most of the time, though, as soon as the network connection is established OnGuard kicks off the posture check immediately.


    This is very scary as I will need to roll this out to a couple of hundred endpoints...


    Thanks in advance.



  • 2.  RE: Onguard - Staging VLAN and some questions

    Posted Mar 09, 2018 07:41 AM
    Can you please provide more details of what your issue is and how you are treating (enforcing) the device when it doesn't meet the posture requirements?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Onguard - Staging VLAN and some questions
    Best Answer

    MVP
    Posted Mar 11, 2018 08:01 AM
    Is this for wired or wireless? If Aruba Wireless, you can just utilize the user roles to enforce network access whether they are posture healthy, unknown, or quarantined. If unknown, when they go through the posture check and pass or fail, ClearPass sends a CoA to the controller and can move them into a different role until remediated. If you wanted, the quarantined role can also have another VLAN, which still allows DHCP, DNS and access to update or install required items to become healthy. If wired, it works the same way. You can use dACLs to enforce only ClearPass access if unknown; if healthy, bounce and no dACL; if quarantined, bounce and quarantined VLAN. Either way, you need to make sure CoA (RFC3576) is working between them. You can test it in Access Tracker. Click on an active log, and I think the button is "server actions" or something like that. See if it lets you bounce the client.


    #AirheadsMobile

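The enforcement flow in the answer above (the posture token selects a role, and ClearPass pushes that role to the controller with a CoA) as an added example that is not from the original thread or from HPE Aruba: the script below encodes an RFC 5176 CoA-Request carrying the Aruba-User-Role VSA, computes the Request Authenticator the way the RFC specifies, and performs the check the NAS does on receipt, which is what fails when the "bounce from Access Tracker" test fails. Vendor ID 14823 and sub-type 1 (Aruba-User-Role) follow the Aruba RADIUS dictionary; the role names, session identifiers and shared secret are constructed for the example.

```python
"""Build and verify an RFC 5176 CoA-Request carrying an Aruba-User-Role VSA.

Added example; the role names, session identifiers and shared secret below are
constructed and are not taken from any real deployment.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43            # RFC 5176 packet codes
DISCONNECT_REQUEST = 40     # the "bounce": tear the session down entirely

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 attribute types
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

ARUBA_VENDOR_ID = 14823     # enterprise number used in the Aruba dictionary
ARUBA_USER_ROLE = 1         # Aruba-User-Role VSA sub-type

# Posture token -> controller role. Role names are assumptions for this example;
# "posture-unknown" would permit only ClearPass (plus DHCP/DNS) so OnGuard can report.
ENFORCEMENT = {
    "HEALTHY": "employee",
    "QUARANTINE": "quarantine",
    "UNKNOWN": "posture-unknown",
}


def role_for_posture(token):
    """Map a posture token to the role the CoA pushes. Anything unrecognised is
    treated as UNKNOWN rather than granted access (fail closed)."""
    return ENFORCEMENT.get(token, ENFORCEMENT["UNKNOWN"])


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value (max 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def aruba_vsa(subtype, value):
    """Encode a Vendor-Specific attribute in the RFC 2865 s5.26 vendor format."""
    inner = struct.pack("!BB", subtype, 2 + len(value)) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_coa_request(secret, identifier, calling_station_id, acct_session_id, user_role):
    """Assemble the CoA-Request ClearPass would send to move a session into user_role."""
    attrs = (avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
             + aruba_vsa(ARUBA_USER_ROLE, user_role.encode()))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    # + Attributes + Secret). The NAS recomputes this to authenticate the sender.
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(secret, packet):
    """The NAS-side check: reject any CoA/Disconnect whose Request Authenticator
    does not match under the shared secret configured for the CoA server."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return {attr_type: value}; the Aruba role is returned under 'Aruba-User-Role'."""
    out = {}
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if vendor == ARUBA_VENDOR_ID and sub_type == ARUBA_USER_ROLE:
                out["Aruba-User-Role"] = value[6:4 + sub_len].decode()
        else:
            out[attr_type] = value.decode()
        pos += length
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; never reuse a weak secret
    pkt = build_coa_request(secret, 7, "00-11-22-33-44-55", "ABC123",
                            role_for_posture("QUARANTINE"))
    print(verify_coa_request(secret, pkt), parse_attributes(pkt))
```

The verification function is the part worth keeping in mind when CoA "does not work": a shared-secret mismatch between ClearPass and the controller or switch yields silently discarded requests, so the client stays in its first role. The authenticator is keyed MD5 with no confidentiality, so the secret should be long and random and the NAS should accept CoA only from the ClearPass addresses.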

  • 4.  RE: Onguard - Staging VLAN and some questions

    Posted Mar 11, 2018 05:32 PM

    Aaahhhh, I see what you mean. Using roles I wouldn't need to add extra VLANs (with all the hassle that goes with them in terms of routing etc.), but using roles I can allow access only to ClearPass. This would work for me.


    Thank you, this forum is amazing.