Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onguard without bounce / terminate session

  • 1.  Onguard without bounce / terminate session

    Posted Aug 26, 2016 08:04 AM

    We're using onguard to check the health of all of our wired devices. In the enforcement profile, we added a terminate session action so the switch is able to apply the new firewall filter. Without that or a bounce, a new firewall filter is not applied.


    We want to check the health at least every 12h, so we set the policy cache timeout to 12h and the OnGuard session timeout to 11h30. All works well, but..


    We have a few thin clients which are connected 24/7. When the OnGuard session expires, the health is checked and the session is terminated because of the CoA. That results in a 5 sec. network interruption we want to avoid. The session termination in this case is not needed because the enforcement profile remains the same and a new firewall filter is not needed.


    A possible solution would be that ClearPass doesn't apply the session termination action when it's a reauthentication and the previous status was healthy. Is there a way to configure something like this, please?



  • 2.  RE: Onguard without bounce / terminate session
    Best Answer

    Posted Aug 26, 2016 08:17 AM
    You need to create the following enforcement policies:

    - You can leverage a custom attribute which is added the first time the device provides a healthy posture in the OnGuard enforcement policy.

    - Then, if the device is unhealthy, you remove the custom attribute from the device and send a CoA.

    - But if the device stays healthy, you use the custom attribute to apply an agent enforcement with no CoA or bounce.



  • 3.  RE: Onguard without bounce / terminate session

    Posted Aug 26, 2016 09:00 AM

    Great, it works already. I figured I had to check if it's an active session as well, but this simple method makes that unnecessary.


    Thanks for your help!



  • 4.  RE: Onguard without bounce / terminate session

    Posted Nov 17, 2016 03:21 PM

    Victor,


    Could you elaborate on this a little more? I'm experiencing the same issue; it seems odd to me that this would be the expected behaviour.


    Is this documented somewhere?


    Thanks,

    Victor




  • 5.  RE: Onguard without bounce / terminate session

    Posted Nov 18, 2016 02:47 AM

    A CoA is needed to make sure the switch applies a new role. This solution doesn't send a CoA when nothing has to change, so there's no interruption. This is what I did:

    1. Create a custom attribute named 'Last Health' (Administration --> Dictionaries --> Attributes). Entity: Endpoint / Type: String.
    2. Create a post-authentication enforcement profile named 'Mark as Healthy'. Add the attribute created in step 1 with value 'Healthy'.
    3. Create a post-authentication enforcement profile named 'Mark as Unhealthy'. Add the attribute created in step 1 with value 'Unhealthy'.
    4. Edit the OnGuard enforcement policy with conditions set in this order:

        1. When Posture is not Healthy AND Last Health = 'Unhealthy' --> No CoA
        2. When Posture is not Healthy                               --> 'Mark as Unhealthy' + CoA
        3. When Posture is Healthy AND Last Health = 'Healthy'       --> No CoA
        4. When Posture is Healthy                                   --> 'Mark as Unhealthy' + CoA



  • 6.  RE: Onguard without bounce / terminate session

    Posted Jul 28, 2017 05:50 PM

    Hate to say this, but the solution defined in effect does not work as designed. Let me give you an example. My security team requires that we posture on the quarantine network. Once you are deemed healthy, then you get on the corporate network, so if we used the logic specified, using another attribute to determine the last_health, the user will be stuck on the quarantined network. So, in a sense, the best way to do this is not to posture very often. We set the posture to happen every 12 hours, cache the results for 24 hours, and use the posture cache to determine your health. I did run into one issue with that. I hit the clear cache and the client did not WEBAUTH for 12 hours. So the client could not get healthy. Wish there was a way for administrators to force the client to WEBAUTH from the ClearPass server.



  • 7.  RE: Onguard without bounce / terminate session

    Posted Jul 31, 2017 02:24 AM

    I set a session timeout of 5 minutes for quarantined users so they have the chance to get out quickly. Also, remediation is enabled.


    Meanwhile, I've added a grace period to this configuration. When healthy, the timestamp is written in an attribute. If the scan results in unhealthy and the last healthy scan is not older than 72h, the user goes into a grace period for 15 minutes with a session timeout of 5 minutes.



  • 8.  RE: Onguard without bounce / terminate session

    Posted May 05, 2021 11:15 PM
    Hi, I'm just starting to do OnGuard. Could you perhaps elaborate on how this will look in the ClearPass GUI?

    ------------------------------
    Richard Benedict Santero
    ------------------------------



  • 9.  RE: Onguard without bounce / terminate session

    Posted May 07, 2021 12:13 PM
    Hello! I was struggling a few days ago to find a solution to this; the idea from dekvn helped me a lot. See below what I did:

    My case: the WLC requests re-authentication to ClearPass at random times (it is a Ruckus WLC; there is no option to configure the reauth timer). The policy cache had expired, so ClearPass responded with a limited ACL (the posture was unknown). The OnGuard agent on the client device kept showing healthy (because, for the agent, there was no new auth request (bounce)), but the client had a limited ACL.

    Solution:

    1. Increase the policy cache time to 6 hours (Administration --> Server Manager --> Server Configuration --> Cluster-Wide Parameters --> Policy result cache timeout).
    This tells ClearPass to hold the posture token for 6 hours; the token will only change in less than 6 hours if the OnGuard agent tells ClearPass to (e.g. the machine was healthy and is now quarantined).



    2. Create an endpoint attribute called 'last-posture' (I'm Brazilian, so mine is in Portuguese: 'Ultima Postura') (Administration --> Dictionaries --> Attributes). Entity: Endpoint / Type: String.


    3. Create three enforcement profiles (Configuration --> Enforcement --> Profiles). The template is 'ClearPass Entity Update Enforcement' (Post_authentication).

    These three enforcements will fill the field created in the last step with the last posture.

    4. Create one enforcement profile only to bounce through the OnGuard agent (Configuration --> Enforcement --> Profiles). The template is 'Agent Enforcement'.

    I'm assuming that you have already created the healthy/quarantine enforcements; I'm showing below the agent enforcement that I have.



    5. In the healthy enforcement, set the option "Health Check Interval" to 4 hours. The agent will generate a new entry in Access Tracker every 4 hours.
    Observe that Bounce Client = False (we will use another enforcement to bounce the client when necessary).


    Now all the 'backend magic' is complete; let's see the necessary changes in the services.

    6. Change the enforcement of the OnGuard web-based service to use the last posture:
    So... if the posture is Healthy and the last posture is Healthy -> take no action and update the field last-posture to 'healthy'.
    If the posture is Healthy but the last posture IS NOT Healthy -> update the field last-posture to 'healthy' and SEND BOUNCE.

    If the client is still healthy, I don't need to send a CoA or bounce to the agent, so the health check every 4 hours is transparent to the client.
    Observe that I never send a CoA to the device; all the changes occur using the OnGuard agent bounce feature.



    7. Now it is necessary to change the enforcement of the 802.1X service. I only need to add the enforcement 'ultima-postura-Unknown' when the posture is 'unknown'
    (Healthy and Quarantine will be updated by the web-based OnGuard service).



    And that's it!

    ClearPass will hold the token for 6 hours.
    OnGuard will send info to ClearPass every 4 hours.
    If the client's posture is still the same, no bounce/CoA is sent.
    If the WLC asks ClearPass to re-authenticate the client, ClearPass will send the correct ACL based on last-posture.
    If the client went home and comes back after 6 hours, the 802.1X service will mark the token as unknown, forcing a bounce when the OnGuard web-based service runs.

    I hope this helps someone with the same problem!

    ------------------------------
    Bruno Andrade - ACMP, ACSP, ACCP, CWNA, CCNA R&S, RCNA, ICX, SPSX
    ------------------------------
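The following is an added simulation, not code from any poster or from ClearPass, of the mechanism posts 5 and 9 describe: an endpoint attribute remembering the last posture, a first-match enforcement rule set that only bounces or sends a CoA when the posture actually changes, and a policy result cache whose expiry turns the posture to Unknown on the next 802.1X re-authentication. The rule set generalizes post 9's Healthy rules to the Quarantine state; all names, ACL labels and timer values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

POLICY_CACHE_H = 6  # assumed "Policy result cache timeout" (post 9, step 1)
ACL_FOR = {"Healthy": "corporate", "Quarantine": "quarantine", "Unknown": "limited"}

@dataclass
class Endpoint:
    last_posture: str = "Unknown"        # endpoint attribute 'last-posture' (step 2)
    token_at: Optional[float] = None     # time the cached posture token was refreshed
    acl: str = "limited"

def onguard_rules(posture: str, last_posture: str) -> Tuple[str, bool]:
    """First-match rules of the OnGuard web-auth service (post 9, step 6).
    Returns (new last-posture value, bounce the agent?). Post 9 spells out only
    the Healthy pair; the Quarantine pair is the same pattern (assumed)."""
    ordered = [
        (("Healthy", "Healthy"), ("Healthy", False)),         # unchanged: no bounce
        (("Healthy", None), ("Healthy", True)),               # became healthy: bounce
        (("Quarantine", "Quarantine"), ("Quarantine", False)),
        (("Quarantine", None), ("Quarantine", True)),
    ]
    for (p, last), outcome in ordered:
        if posture == p and (last is None or last_posture == last):
            return outcome
    return last_posture, False           # Unknown posture: leave the attribute alone

def onguard_check(ep: Endpoint, posture: str, now: float) -> bool:
    """Agent posture report at each Health Check Interval; refreshes the token."""
    ep.last_posture, bounce = onguard_rules(posture, ep.last_posture)
    ep.token_at = now
    if bounce:                           # bounce -> new auth -> ACL re-derived
        ep.acl = ACL_FOR[ep.last_posture]
    return bounce

def dot1x_reauth(ep: Endpoint, now: float) -> str:
    """802.1X re-auth from the WLC (post 9, step 7): expired cache => Unknown."""
    if ep.token_at is None or now - ep.token_at > POLICY_CACHE_H:
        ep.last_posture = "Unknown"      # the 'ultima-postura-Unknown' enforcement
    ep.acl = ACL_FOR[ep.last_posture]
    return ep.acl

def thin_client_day(checks=(0, 4, 8, 12), reauth_at=5.0):
    """Constructed timeline: a 24/7 client reports Healthy every 4h and the WLC
    re-authenticates it once at a random time. Returns (bounce times, final ACL)."""
    ep, bounces = Endpoint(), []
    for t in checks:
        if onguard_check(ep, "Healthy", t):
            bounces.append(t)
        if t < reauth_at <= t + 4:       # re-auth lands inside a fresh cache window
            dot1x_reauth(ep, reauth_at)
    return bounces, ep.acl
```

Only the first Healthy report (from Unknown) bounces the agent; every later report while the posture is unchanged is silent, and a re-authentication inside the cache window keeps the corporate ACL.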