08-26-2016 05:04 AM
We're using OnGuard to check the health of all of our wired devices. In the enforcement profile, we added a terminate session action so the switch is able to apply the new firewall filter. Without that or a bounce, a new firewall filter is not applied.
We want to check the health at least every 12h, so we set the policy cache timeout to 12h and the OnGuard session timeout to 11h30. All works well, but...
We have a few thin clients which are connected 24/7. When the OnGuard session expires, the health is checked and the session is terminated because of the CoA. That results in a 5 sec. network interruption we want to avoid. The session termination in this case is not needed because the enforcement profile remains the same and a new firewall filter is not needed.
A possible solution would be that ClearPass doesn't apply the session termination action when it's a reauthentication and the previous status was healthy. Is there a way to configure something like this please?
08-26-2016 05:17 AM
- You can leverage a custom attribute which is added the first time the device provides a healthy posture in the OnGuard enforcement policy.
- Then if the device is unhealthy, you remove the custom attribute from the device and send a CoA.
- But if the device stays healthy, you use the custom attribute to apply an agent enforcement with no CoA or bounce.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
11-17-2016 12:21 PM
Could you elaborate on this a little more? I'm experiencing the same issue; it seems odd to me that this would be the expected behaviour.
Is this documented somewhere?
11-17-2016 11:47 PM
A CoA is needed to make sure the switch applies a new role. This solution doesn't send a CoA when nothing has to change so there's no interruption. This is what I did:
1. Create a custom attribute named 'Last Health' (Administration --> Dictionaries --> Attributes). Entity: Endpoint / Type: String.
2. Create a post enforcement profile named 'Mark as Healthy'. Add the attribute created in step 1 with value 'Healthy'.
3. Create a post enforcement profile named 'Mark as Unhealthy'. Add the attribute created in step 1 with value 'Unhealthy'.
4. Edit the OnGuard enforcement policy with conditions set in this order:
   1. When Posture is not Healthy AND Last Health = 'Unhealthy' --> No CoA
   2. When Posture is not Healthy --> 'Mark as Unhealthy' + CoA
   3. When Posture is Healthy AND Last Health = 'Healthy' --> No CoA
   4. When Posture is Healthy --> 'Mark as Unhealthy' + CoA
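
Added example, not part of the thread and not ClearPass code: a small Python model of the four ordered rules above that replays a series of health checks and reports which ones send a CoA. It assumes the policy stops at the first matching rule, and it takes the value rule 4 writes to 'Last Health' as a parameter (`rule4_mark`, a hypothetical name) so that rule 4 as posted ('Mark as Unhealthy') can be compared with the 'Mark as Healthy' profile from step 2.

```python
# Added illustration: models the four ordered rules from the post; not ClearPass code.
# Assumption: evaluation stops at the first matching rule (rules are "in this order").

def evaluate(posture, last_health, rule4_mark):
    """Return (new_last_health, coa_sent) for one OnGuard health check."""
    healthy = posture == "Healthy"
    if not healthy and last_health == "Unhealthy":
        return last_health, False        # rule 1: nothing changes, no CoA
    if not healthy:
        return "Unhealthy", True         # rule 2: 'Mark as Unhealthy' + CoA
    if last_health == "Healthy":
        return last_health, False        # rule 3: nothing changes, no CoA
    return rule4_mark, True              # rule 4: post-enforcement mark + CoA


def coa_timeline(postures, rule4_mark):
    """Replay successive health checks for one endpoint; True where a CoA is sent."""
    last_health = None                   # attribute is not set on a new endpoint
    sent = []
    for posture in postures:
        last_health, coa = evaluate(posture, last_health, rule4_mark)
        sent.append(coa)
    return sent


# Constructed sample: a thin client checked every 12 h, unhealthy for two checks.
CHECKS = ["Healthy", "Healthy", "Healthy",
          "Unhealthy", "Unhealthy", "Healthy", "Healthy"]

if __name__ == "__main__":
    for mark in ("Healthy", "Unhealthy"):
        print(f"rule 4 sets Last Health = {mark!r}:")
        for posture, coa in zip(CHECKS, coa_timeline(CHECKS, mark)):
            print(f"  {posture:<9} -> {'CoA' if coa else 'no CoA'}")
```

In this model, a rule 4 that writes 'Healthy' sends a CoA only when the posture changes, while a rule 4 that writes 'Unhealthy' sends one on every healthy check and none when the endpoint first turns unhealthy.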