Occasional Contributor II
Posts: 23
Registered: ‎07-28-2016

Onguard without bounce / terminate session

We're using OnGuard to check the health of all of our wired devices. In the enforcement profile, we added a terminate session action so the switch is able to apply the new firewall filter. Without that or a bounce, a new firewall filter is not applied.

We want to check the health at least every 12h, so we set the policy cache timeout to 12h and the OnGuard session timeout to 11h30. All works well, but...

We have a few thin clients which are connected 24/7. When the OnGuard session expires, the health is checked and the session is terminated because of the CoA. That results in a 5 sec. network interruption we want to avoid. The session termination in this case is not needed because the enforcement profile remains the same and a new firewall filter is not needed.

A possible solution would be that ClearPass doesn't apply the session termination action when it's a reauthentication and the previous status was healthy. Is there a way to configure something like this, please?

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Onguard without bounce / terminate session

You need to create the following enforcement policies:

- You can leverage a custom attribute which is added the first time the device provides a healthy posture in the OnGuard enforcement policy.

- Then, if the device is unhealthy, you remove the custom attribute from the device and send a CoA.

- But if the device stays healthy, you use the custom attribute to apply an agent enforcement with no CoA or bounce.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 23
Registered: ‎07-28-2016

Re: Onguard without bounce / terminate session

Great, works already. I figured I had to check if it's an active session as well, but this simple method makes that unnecessary.

Thanks for your help!

Occasional Contributor I
Posts: 5
Registered: ‎08-25-2009

Re: Onguard without bounce / terminate session

Victor,

Could you elaborate on this a little more? I'm experiencing the same issue; it seems odd to me that this would be the expected behaviour.

Is this documented somewhere?

Thanks,

Victor

Occasional Contributor II
Posts: 23
Registered: ‎07-28-2016

Re: Onguard without bounce / terminate session

A CoA is needed to make sure the switch applies a new role. This solution doesn't send a CoA when nothing has to change, so there's no interruption. This is what I did:

1. Create a custom attribute named 'Last Health' (Administration --> Dictionaries --> Attributes). Entity: Endpoint / Type: String.
2. Create a post enforcement profile named 'Mark as Healthy'. Add the attribute created in step 1 with value 'Healthy'.
3. Create a post enforcement profile named 'Mark as Unhealthy'. Add the attribute created in step 1 with value 'Unhealthy'.
4. Edit the OnGuard enforcement policy with conditions set in this order:

    1. When Posture is not Healthy AND Last Health = 'Unhealthy'  -->  No CoA
    2. When Posture is not Healthy                                -->  'Mark as Unhealthy' + CoA
    3. When Posture is Healthy AND Last Health = 'Healthy'        -->  No CoA
    4. When Posture is Healthy                                    -->  'Mark as Unhealthy' + CoA
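The following is an added Python model of the first-match rule order above, not code from the post or from ClearPass; it tracks the 'Last Health' endpoint attribute across re-authentications to show that a CoA is only sent when the posture result changes. It assumes rule 4 applies the 'Mark as Healthy' profile from step 2 (that profile is otherwise unused in the post's rule list), and the rule and profile names are the post's own.

```python
# Added example: simulate ClearPass-style first-match evaluation of the
# OnGuard enforcement policy described above. Each rule is
# (needs_healthy_posture, required 'Last Health' value or None,
#  post-enforcement profile to apply or None, send_coa).
# Assumption: rule 4 uses 'Mark as Healthy'; that is what lets a client
# that stays healthy stop receiving a CoA after its first health check.

HEALTHY = "Healthy"
UNHEALTHY = "Unhealthy"

RULES = [
    (False, UNHEALTHY, None, False),             # 1: still unhealthy -> no CoA
    (False, None, "Mark as Unhealthy", True),    # 2: became unhealthy -> mark + CoA
    (True, HEALTHY, None, False),                # 3: still healthy -> no CoA
    (True, None, "Mark as Healthy", True),       # 4: became healthy -> mark + CoA (assumed)
]

# Value each post-enforcement profile writes into the endpoint's 'Last Health'.
PROFILE_WRITES = {"Mark as Healthy": HEALTHY, "Mark as Unhealthy": UNHEALTHY}


def evaluate(posture, endpoint):
    """Apply the first matching rule; update endpoint['Last Health'] in place.

    Returns (send_coa, matched_rule_number). Any posture other than 'Healthy'
    (e.g. 'Quarantine', 'Unknown') counts as 'not Healthy', as in the policy.
    """
    last = endpoint.get("Last Health")  # None before the first health check
    for number, (needs_healthy, need_last, profile, send_coa) in enumerate(RULES, 1):
        if (posture == HEALTHY) != needs_healthy:
            continue
        if need_last is not None and last != need_last:
            continue
        if profile is not None:
            endpoint["Last Health"] = PROFILE_WRITES[profile]
        return send_coa, number
    raise ValueError("no rule matched")  # unreachable: rules 2 and 4 are catch-alls


def simulate(postures):
    """Run successive OnGuard re-authentications for one endpoint.

    Returns (number_of_coas_sent, trace) where trace lists
    (posture, matched_rule, coa_sent) per re-authentication.
    """
    endpoint = {}  # constructed endpoint record with no 'Last Health' yet
    trace = []
    for posture in postures:
        coa, rule = evaluate(posture, endpoint)
        trace.append((posture, rule, coa))
    return sum(1 for _, _, coa in trace if coa), trace
```

For a thin client that is healthy on every 12h check, only the very first check produces a CoA; a healthy/unhealthy/healthy flip produces one CoA per transition.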
