Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Understanding Onguard

Hi Guys,

I would like to understand more about Onguard, its prerequisites, what is installed (or not) on the client end and what it can do.

Basically, I understand that the deployment guide isn't out yet but I would like some basic questions resolved first:

1. I understand it is a NAC that can be integrated into any 802.1x switch. However, a certain level of firmware version is required. But I also heard that it still can be achieved using SNMP. Is that correct?

2. I also understand that a client software needs to be installed. But there is also an option for being clientless. What are the pros and cons with or without client software installed?
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: Understanding Onguard

1. I understand it is a NAC that can be integrated into any 802.1x switch. However, a certain level of firmware version is required. But I also heard that it still can be achieved using SNMP. Is that correct?

This is correct, but the SNMP option has some caveats when changing VLANs or when a device is behind a VoIP phone.

2. I also understand that a client software needs to be installed. But there is also an option for being clientless. What are the pros and cons with or without client software installed?

Yes

1- Persistent agent provides nonstop monitoring and automatic remediation and control. When running persistent OnGuard agents, ClearPass Policy Manager can centrally send system-wide notifications and alerts, and allow or deny network access. The persistent agent also supports auto and manual remediation.

2- Dissolvable agent is ideal for personal non IT-issued devices that connect via a captive portal and do not allow agents to be permanently installed. A one-time check at login ensures policy compliance. Devices not meeting compliance can be redirected to a captive portal for manual remediation. Once the browser page used during authentication is closed, the dissolvable agent is removed leaving no trace.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Understanding Onguard

What kind of switches do you have? 

The persistent agent also adds a ton more features like automatically killing banned applications (or not letting the device on the network if the application is installed; a good example is BitTorrent). It can also detect registry keys, can shut down running VM guests, etc.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Understanding Onguard

Mainly Cisco Catalyst switches. They are a mixture of C4506, C3750, C2960 and the older C2950.

How do I ensure compatibility? Assuming I have the datasheets for the switches, is there a specific feature that is required for Onguard?
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Understanding Onguard

You'll want to make sure they support RFC 3576 (RADIUS Change of Authorization). As far as I know, newer Cisco code supports it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
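
Added example, not part of the original thread and not Aruba or Cisco code: a Python sketch of what RFC 3576 support means on the switch side, namely accepting a CoA-Request only when its Request Authenticator matches the shared secret. The secret, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 3576 packet codes
USER_NAME, CALLING_STATION_ID = 1, 31        # standard RADIUS attribute types
SECRET = b"constructed-shared-secret"        # constructed sample value

def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs; length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_coa_request(ident, attrs, secret):
    """Policy-server side: build a signed CoA-Request."""
    body = encode_attrs(attrs)
    auth = request_authenticator(COA_REQUEST, ident, body, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body)) + auth + body

def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def nas_handle(packet, secret):
    """Switch (NAS) side: return (reply_code, attrs); (None, []) means silently dropped."""
    if len(packet) < 20:
        return None, []
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length < 20 or length > len(packet):
        return None, []
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None, []          # wrong secret or tampered packet
    try:
        return COA_ACK, parse_attrs(attrs)
    except ValueError:
        return COA_NAK, []

# Constructed sample request identifying a session by user name and MAC address.
SAMPLE = build_coa_request(7, [(USER_NAME, b"alice"),
                               (CALLING_STATION_ID, b"00-11-22-33-44-55")], SECRET)
```
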
Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Understanding Onguard

Okay, I think I may have jumped the gun. I saw and read a very helpful post at the below link:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-OnGuard-switch-requirements/td-p/42478

1. It seems that the posture agent has better support on Windows. So I can do quite a number of checks with the agent. What about the dissolvable agent? Can it do the same for all platforms? I assume that if we are directed to a captive portal, a Java-based installer gets installed to perform the mediation before it is uninstalled. Since Java can run on any platform, it should support all forms of mediation?

2. For the posture agent, how is this pushed down to each client, assuming I have over 5000 machines? GPO?
Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Understanding Onguard

Okay.. RFC3576. Noted.
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Understanding Onguard

2) You could push it down through group policy, yes. If all the machines are in your control (via AD), it might be better to use the Microsoft NAP integration.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: Understanding Onguard

Hi,

I don't want to install the OnGuard agent on my client PC, and we don't have a captive portal page.

Can we use the dissolvable agent for wireless PC connections?

How do we redirect them to the dissolvable agent page once they connect to the network?

Thanks

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Understanding Onguard

You must have ClearPass and it will host the captive portal page.
Thank You,
Troy