08-03-2015 08:36 PM
I'm working with a customer and they are requesting to check the health of PCs before onboarding them and allowing them to do EAP-TLS. I'm not sure at which point of the onboarding process I should start the OnGuard client check.
Any advice on how to integrate the two modules would be great. Maybe the provisioning page asks for AD credentials and, if they pass authentication, then asks them to download the OnGuard agent and so on...?
08-03-2015 08:40 PM
08-03-2015 08:50 PM
The customer is relying on me to get the workflow done right.
What would you recommend doing here? Onboard clients and have them do EAP-TLS and then check their health? Or what?
08-03-2015 08:59 PM
08-04-2015 05:07 AM
Yes, if you want continuous posture checking, Onboard them, then go through the OnGuard process. For Windows clients, you can install the OnGuard client during the Onboard enrollment process.
08-04-2015 02:08 PM
A couple of points on this. If the requirement is continuous checking, you must use the persistent agent.
You could do the following:
1. User logs into 802.1X SSID (user/pass)
2. User is redirected to the onboarding page where they are given instructions to download the agent and also complete the onboarding process. While you can deploy the agent with Windows, that is specific to that OS. We can make this specific to OS X and Windows onboard pages as well in ClearPass 6.5+. You can add your own HTML to add instructions to download the agent for OnGuard. In this way, the OnGuard agent is more or less integrated into the Onboarding workflow.
Another option: you can redirect them to a web page to JUST download the agent POST onboarding, but that is another step the user would have to take to get the agent. You can also leverage this workflow IF the posture state is UNKNOWN post onboarding, meaning that the user "forgot" to download the agent.
Consulting Systems Engineer - ACCX, ACDX, ACMX