
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onguard and onboarding integration

  • 1.  Onguard and onboarding integration

    Posted Aug 03, 2015 11:36 PM

    Hi Forum,

     

    I'm working with a customer and they are requesting to check the health of PCs before onboarding them and allowing them to do EAP-TLS. I'm not sure at which point of the onboarding process I should start the OnGuard client check.

    Any advice on how to integrate the two modules would be great. Maybe the provisioning page asks for AD credentials and, if they pass authentication, then asks them to download the OnGuard agent and so on?



  • 2.  RE: Onguard and onboarding integration

    EMPLOYEE
    Posted Aug 03, 2015 11:41 PM
    You would have to put them in a posture check role then do a CoA that changes them into an Onboard enrollment role when healthy.


    Thanks,
    Tim


  • 3.  RE: Onguard and onboarding integration

    Posted Aug 03, 2015 11:51 PM

    Tim,

     

    The customer is relying on me to get the workflow done right.

    What would you recommend doing here? Onboard clients and have them do EAP-TLS and then check their health? Or what?



  • 4.  RE: Onguard and onboarding integration

    EMPLOYEE
    Posted Aug 04, 2015 12:00 AM
    Depends on if you want to check their health every time they connect to the network and also whether they want to install an agent.


    Thanks,
    Tim


  • 5.  RE: Onguard and onboarding integration

    Posted Aug 04, 2015 12:04 AM

    OK, so say yes to use persistent agent and check health every time they connect.



  • 6.  RE: Onguard and onboarding integration

    Posted Aug 04, 2015 01:34 AM

    I meant, should I onboard them and then install the persistent agent and check for posture? Wouldn't that be the easiest, most structured way?



  • 7.  RE: Onguard and onboarding integration

    EMPLOYEE
    Posted Aug 04, 2015 08:07 AM

    Yes, if you want continuous posture checking, Onboard them then go through the OnGuard process. For Windows clients, you can install the OnGuard client during the Onboard enrollment process.



  • 8.  RE: Onguard and onboarding integration

    EMPLOYEE
    Posted Aug 04, 2015 05:09 PM

    Couple of points on this.  If the requirement is continuous checking, you must use the persistent agent.  

     

    You could do the following:

     

    1. User logs into 802.1x SSID (user/pass)

    2. User is redirected to the onboarding page where they are given instructions to download the agent and also complete the onboarding process.  While you can deploy the agent with Windows, that is specific to that OS. We can make this specific to OS X and Windows onboard pages as well in ClearPass 6.5+.  You can add your own HTML to add instructions to download the agent for OnGuard.  In this way, the OnGuard agent is more or less integrated into the OnBoarding workflow.  

     

    Another option - you can redirect them to a web page to JUST download the agent POST onboarding but that is another step the user would have to take to get the agent. You can also leverage this workflow IF the posture state is UNKNOWN post onboarding meaning that the user "forgot" to download the agent.

     

    See screenshot:

     

    Screenshot 2015-08-04 17.03.37.png