Occasional Contributor II

Onguard without bounce / terminate session

We're using OnGuard to check the health of all of our wired devices. In the enforcement profile, we added a terminate session action so the switch is able to apply the new firewall filter. Without that or a bounce, a new firewall filter is not applied.

 

We want to check the health at least every 12h, so we set the policy cache timeout to 12h and the OnGuard session timeout to 11h30. All works well, but...

 

We have a few thin clients which are connected 24/7. When the OnGuard session expires, the health is checked and the session is terminated because of the CoA. That results in a 5-second network interruption we want to avoid. The session termination in this case is not needed because the enforcement profile remains the same and a new firewall filter is not needed.

 

A possible solution would be that ClearPass doesn't apply the session termination action when it's a reauthentication and the previous status was healthy. Is there a way to configure something like this, please?

Re: Onguard without bounce / terminate session

You need to create the following enforcement policies:

- You can leverage a custom attribute which is added the first time the device provides a healthy posture in the OnGuard enforcement policy.

- Then, if the device is unhealthy, you remove the custom attribute from the device and send a CoA.

- But if the device stays healthy, you use the custom attribute to apply an agent enforcement with no CoA or bounce.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Onguard without bounce / terminate session

Great, works already. I figured I had to check if it's an active session as well but this simple method makes that unnecessary.

 

Thanks for your help!

Occasional Contributor I

Re: Onguard without bounce / terminate session

Victor,

 

Could you elaborate on this a little more? I'm experiencing the same issue; it seems odd to me that this would be the expected behaviour.

 

Is this documented somewhere?

 

Thanks,

Victor

 

 

Occasional Contributor II

Re: Onguard without bounce / terminate session

A CoA is needed to make sure the switch applies a new role. This solution doesn't send a CoA when nothing has to change so there's no interruption. This is what I did:

1. Create a custom attribute named 'Last Health' (Administration --> Dictionaries --> Attributes). Entity: Endpoint / Type: String.
2. Create a post enforcement profile named 'Mark as Healthy'. Add the attribute created in step 1 with value 'Healthy'.
3. Create a post enforcement profile named 'Mark as Unhealthy'. Add the attribute created in step 1 with value 'Unhealthy'.
4. Edit the OnGuard enforcement policy with conditions set in this order:

    1. When Posture is not Healthy AND Last Health = 'Unhealthy'  -->  No CoA
    2. When Posture is not Healthy                                -->  'Mark as Unhealthy' + CoA
    3. When Posture is Healthy AND Last Health = 'Healthy'        -->  No CoA
    4. When Posture is Healthy                                    -->  'Mark as Unhealthy' + CoA

New Contributor

Re: Onguard without bounce / terminate session

Hate to say this, but the solution defined in effect does not work as designed. Let me give you an example. My security team requires that we posture on the quarantine network. Once you are deemed healthy, then you get on the corporate network, so if we used the logic specified, using another attribute to determine the last_health, the user will be stuck on the quarantined network. So, in a sense, the best way to do this is not to posture very often. We set the posture to happen every 12 hours, cache the results for 24 hours and use the posture cache to determine your health. I did run into one issue with that. I hit the clear cache and the client did not WEBAUTH for 12 hours. So the client could not get healthy. Wish there was a way for administrators to force the client to WEBAUTH from the ClearPass server.

Occasional Contributor II

Re: Onguard without bounce / terminate session

I set a session timeout of 5 minutes for quarantined users so they have the chance to get out quickly. Also, remediation is enabled.

 

In the meantime, I've added a grace period to this configuration. When healthy, the timestamp is written in an attribute. If the scan results in unhealthy and the last healthy scan is not older than 72h, the user goes into a grace period for 15 minutes with a session timeout of 5 minutes.
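As an added illustration (not code from the thread, and not anything ClearPass itself runs), the four ordered rules from the 'Last Health' policy above combined with the 72h/15-minute grace period described in this post, modelled as a first-match evaluator over the endpoint's custom attributes. It assumes that the healthy branch (rule 4) writes 'Healthy' so that rule 3 can match on the next scan, that the grace period keeps the endpoint's current role so no CoA is sent, and that the attribute names last_healthy_at and grace_started_at are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE_WINDOW = timedelta(hours=72)    # "last healthy scan is not older than 72h"
GRACE_PERIOD = timedelta(minutes=15)  # "grace period for 15 minutes"
SHORT_SESSION = 300                   # 5-minute session timeout for quarantine/grace

@dataclass
class Endpoint:
    """Endpoint attributes the policy reads and the 'Mark as ...' profiles write."""
    last_health: Optional[str] = None            # the thread's 'Last Health' attribute
    last_healthy_at: Optional[datetime] = None   # constructed name for the healthy timestamp
    grace_started_at: Optional[datetime] = None  # constructed name, start of the grace period

def evaluate(ep: Endpoint, posture: str, now: datetime) -> tuple:
    """First-match rule evaluation; returns (profile, send_coa, session_timeout_seconds)."""
    if posture == "Healthy":
        ep.last_healthy_at, ep.grace_started_at = now, None
        if ep.last_health == "Healthy":          # rule 3: steady state, no CoA, no interruption
            return ("Corporate", False, None)
        ep.last_health = "Healthy"               # rule 4 (assumed to mark the endpoint Healthy)
        return ("Corporate", True, None)         # role changes, so the switch needs a CoA
    if ep.last_health == "Unhealthy":            # rule 1: already quarantined, nothing to change
        return ("Quarantine", False, SHORT_SESSION)
    recently_healthy = ep.last_healthy_at is not None and now - ep.last_healthy_at <= GRACE_WINDOW
    if recently_healthy:                         # grace rule from the follow-up post
        ep.grace_started_at = ep.grace_started_at or now
        if now - ep.grace_started_at < GRACE_PERIOD:
            return ("Grace", False, SHORT_SESSION)  # keep access, re-scan within 5 minutes
    ep.last_health, ep.grace_started_at = "Unhealthy", None  # rule 2: newly unhealthy
    return ("Quarantine", True, SHORT_SESSION)

def thin_client_scenario() -> list:
    """Constructed timeline: a 24/7 thin client scanned every 11h30 that later fails a scan."""
    ep, t0 = Endpoint(), datetime(2024, 1, 1, 8, 0)
    scans = [
        (t0, "Healthy"),                                        # first scan: mark Healthy + CoA
        (t0 + timedelta(hours=11.5), "Healthy"),                # steady state: no CoA
        (t0 + timedelta(hours=23), "Healthy"),                  # steady state: no CoA
        (t0 + timedelta(hours=34.5), "Unhealthy"),              # within 72h of healthy: grace
        (t0 + timedelta(hours=34.5, minutes=5), "Unhealthy"),   # still inside 15-minute grace
        (t0 + timedelta(hours=34.5, minutes=20), "Unhealthy"),  # grace over: quarantine + CoA
        (t0 + timedelta(hours=34.5, minutes=25), "Unhealthy"),  # already quarantined: no CoA
        (t0 + timedelta(hours=35), "Healthy"),                  # remediated: corporate + CoA
    ]
    return [evaluate(ep, posture, when) for when, posture in scans]
```

Only the two role transitions in the timeline trigger a CoA; every repeat of the same posture is answered without one, which is the interruption-free behaviour the thread is after.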
