Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Onguard and onboarding integration

Hi Forum,

I'm working with a customer and they are requesting to check the health of PCs before onboarding them and allowing them to do EAP-TLS. I'm not sure at which point of the onboarding process I should start the OnGuard client check.

Any advice on how to integrate the two modules would be great. Maybe the provisioning page asks for AD credentials and, if they pass authentication, then asks them to download the OnGuard agent and so on...?

Guru Elite
Posts: 8,793
Registered: ‎09-08-2010

Re: Onguard and onboarding integration

You would have to put them in a posture check role then do a CoA that changes them into an Onboard enrollment role when healthy.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Re: Onguard and onboarding integration

Tim,

The customer is relying on me to get the workflow done right.

What would you recommend doing here? Onboard clients and have them do EAP-TLS and then check their health? Or what?

Guru Elite
Posts: 8,793
Registered: ‎09-08-2010

Re: Onguard and onboarding integration

Depends on if you want to check their health every time they connect to the network and also whether they want to install an agent.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Re: Onguard and onboarding integration

OK, so say yes to use persistent agent and check health every time they connect.

Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Re: Onguard and onboarding integration

I meant, should I onboard them and then install the persistent agent and check for posture? Wouldn't that be the easiest, most structured way?

Guru Elite
Posts: 8,793
Registered: ‎09-08-2010

Re: Onguard and onboarding integration

Yes, if you want continuous posture checking, Onboard them then go through the OnGuard process. For Windows clients, you can install the OnGuard client during the Onboard enrollment process.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Onguard and onboarding integration

Couple of points on this.  If the requirement is continuous checking, you must use the persistent agent.  

 

You could do the following:

 

1. User logs into 802.1x SSID (user/pass)

2. User is redirected to the onboarding page where they are given instructions to download the agent and also complete the onboarding process.  While you can deploy the agent with Windows, that is specific to that OS. We can make this specific to OS X and Windows onboard pages as well in ClearPass 6.5+.  You can add your own HTML to add instructions to download the agent for OnGuard.  In this way, the OnGuard agent is more or less integrated into the OnBoarding workflow.  

 

Another option - you can redirect them to a web page to JUST download the agent POST onboarding but that is another step the user would have to take to get the agent. You can also leverage this workflow IF the posture state is UNKNOWN post onboarding meaning that the user "forgot" to download the agent.

 

See screenshot:

 

Screenshot 2015-08-04 17.03.37.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos