Home > Community > Technology > Security > Onguard Zoning Behavior

Security

Reply
Topic Options
rayoflight
Occasional Contributor II
rayoflight
Posts: 78
Registered: ‎06-03-2014

Onguard Zoning Behavior

[ Edited ]
Options

‎01-25-2016 06:38 AM - edited ‎01-25-2016 06:40 AM

Lets say I have 2 zones, HQ, ZoneA in 1 cluster

HQ:

Subnets A,B,C override with hqzone.test.nac (virtual ip of ZoneA)

ZoneA:

Subnets D,E,F override with zoneA.test.nac,hqzone.test.nac (virtual ip of ZoneA and HQ)

 

 

Question: 

If I connect from subnet Z (onguard is reachable to clearpass) which is not defined in the onguard zoning, what will happen? which server will I be talking to? Let say my last updated was from ZoneA with the agent.conf file being "zoneA.test.nac,hqzone.test.nac, 1.1.1.1,2.2.2.2". Will my agent.conf file stay put as it is? or it will update differently?

Alert a Moderator
Message 1 of 7 (1,190 Views)
Reply
0 Kudos
Moderator
Moderator
dannyjump
Posts: 496
Registered: ‎11-09-2012

Re: Onguard Zoning Behavior
Options

‎01-25-2016 09:34 AM

Can I suggest you take a review of my OnGuard in a Cluster Technote.

 

Find it here...... OnGuard in a Cluster

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Alert a Moderator
Message 2 of 7 (1,157 Views)
Reply
0 Kudos
rayoflight
Occasional Contributor II
rayoflight
Posts: 78
Registered: ‎06-03-2014

Re: Onguard Zoning Behavior
Options

‎01-25-2016 02:39 PM

I can't find my answer. it only state it will try the list of reachable server. I want to know the sequence. can anyone help?
Alert a Moderator
Message 3 of 7 (1,139 Views)
Reply
0 Kudos
rayoflight
Occasional Contributor II
rayoflight
Posts: 78
Registered: ‎06-03-2014

Re: Onguard Zoning Behavior
Options

‎01-26-2016 05:50 AM

anyone can help? urgent, need to get back to customer.
Alert a Moderator
Message 4 of 7 (1,104 Views)
Reply
0 Kudos
Aruba Employee
Saravanan
Posts: 30
Registered: ‎09-10-2012

Re: Onguard Zoning Behavior
Options

‎01-27-2016 03:31 AM

Hi Ray,

 

The client/agent will pick up the first 2 servers from agent.conf to check the rechability. If the first server is rechable, then it will download the agent settings(every time). From the agent settings the client will get to know it's own domain nodes + override(server IPs) and  update the agent.conf file in the order like domain nodes,non-domain nodes and start contacting the domain nodes based on the override for healthcheck.

 

In your case, the client from subnet Z will get know that it doesn't have any domain nodes after reading the downloaded agent settings and just update the agent.conf with the nodes list from the agent settings and start contacting the first server to process the system health check.

 

Thank you,
Saravanan Rajagopal


**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Alert a Moderator
Message 5 of 7 (1,078 Views)
Reply
0 Kudos
rayoflight
Occasional Contributor II
rayoflight
Posts: 78
Registered: ‎06-03-2014

Re: Onguard Zoning Behavior

[ Edited ]
Options

‎01-27-2016 08:18 AM - edited ‎01-27-2016 08:19 AM

thanks for the reply Saravaran! appreciate your reply.

I don't understand what you mean by "update the agent.conf with the nodes list from the agent settings and start contacting the first server to process". can I say that if server 1 is reachable, and it sees that the client ip is not in the zone, it will not download the agent setting? so whatever agent.conf data will remains as it is? and it will then update the posture to the 1st reachable clearpass (base on the "previous" list) . please correct if my understanding is wrong. thanks in advance. =)
Alert a Moderator
Message 6 of 7 (1,072 Views)
Reply
0 Kudos
Aruba Employee
Saravanan
Posts: 30
Registered: ‎09-10-2012

Re: Onguard Zoning Behavior
Options

‎01-28-2016 10:14 AM

Hi Ray,

 

The agent settings will be downloaded every time, it doesn't matter whether the client subnet belongs to the zones or not. Whatever the nodes list/order in the agent settings will be updated to the agent.conf(replace the current order in agent.conf) and the client start contacting the servers in order from the agent settings. You can do https://<clearpass_ip>/agent/settings  to check the agent settings.

Thank you,
Saravanan Rajagopal


**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Alert a Moderator
Message 7 of 7 (1,049 Views)
Reply
0 Kudos
Search Airheads
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2017 Hewlett Packard Enterprise Development LP
Powered by Lithium