Security

rayoflight · ‎01-25-2016

Lets say I have 2 zones, HQ, ZoneA in 1 cluster

HQ:

Subnets A,B,C override with hqzone.test.nac (virtual ip of ZoneA)

ZoneA:

Subnets D,E,F override with zoneA.test.nac,hqzone.test.nac (virtual ip of ZoneA and HQ)

Question:

If I connect from subnet Z (onguard is reachable to clearpass) which is not defined in the onguard zoning, what will happen? which server will I be talking to? Let say my last updated was from ZoneA with the agent.conf file being "zoneA.test.nac,hqzone.test.nac, 1.1.1.1,2.2.2.2". Will my agent.conf file stay put as it is? or it will update differently?

dannyjump · ‎01-25-2016

Can I suggest you take a review of my OnGuard in a Cluster Technote.

Find it here...... OnGuard in a Cluster

Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

rayoflight · ‎01-25-2016

I can't find my answer. it only state it will try the list of reachable server. I want to know the sequence. can anyone help?

rayoflight · ‎01-26-2016

anyone can help? urgent, need to get back to customer.

Saravanan · ‎01-27-2016

Hi Ray,

The client/agent will pick up the first 2 servers from agent.conf to check the rechability. If the first server is rechable, then it will download the agent settings(every time). From the agent settings the client will get to know it's own domain nodes + override(server IPs) and update the agent.conf file in the order like domain nodes,non-domain nodes and start contacting the domain nodes based on the override for healthcheck.

In your case, the client from subnet Z will get know that it doesn't have any domain nodes after reading the downloaded agent settings and just update the agent.conf with the nodes list from the agent settings and start contacting the first server to process the system health check.

Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.

rayoflight · ‎01-27-2016

thanks for the reply Saravaran! appreciate your reply.

I don't understand what you mean by "update the agent.conf with the nodes list from the agent settings and start contacting the first server to process". can I say that if server 1 is reachable, and it sees that the client ip is not in the zone, it will not download the agent setting? so whatever agent.conf data will remains as it is? and it will then update the posture to the 1st reachable clearpass (base on the "previous" list) . please correct if my understanding is wrong. thanks in advance. =)

Saravanan · ‎01-28-2016

Hi Ray,

The agent settings will be downloaded every time, it doesn't matter whether the client subnet belongs to the zones or not. Whatever the nodes list/order in the agent settings will be updated to the agent.conf(replace the current order in agent.conf) and the client start contacting the servers in order from the agent settings. You can do https://<clearpass_ip>/agent/settings to check the agent settings.

Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.

Security

Onguard Zoning Behavior

Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Re: Onguard Zoning Behavior

Follow Us