05-06-2015 12:10 PM
I'm wondering if something is possible and I'm just missing how to do it.
Ideally, we want to do the following:
User logs in via 802.1X and, based on user directory attributes, is given a role (Staff, Affiliate, etc.).
Then, based on their role and other attributes, we decide which role to send to the Aruba controllers.
The other attributes should ideally include: existence of their device in our enterprise inventory system (this is an SQL lookup, already have this piece working); OnGuard health status (AV enabled/updated, firewall enabled/updated); AND whether or not a specific internal application is installed.
So User A is staff, their device is in inventory, it's healthy and has the application installed, they get the controller role Staff-Managed-WithApp. If the app is not installed they get Staff-Managed-Base. If the device is unhealthy, regardless of App or not, they get Staff-Quarantined. These roles then control access to various resources internally.
My question is: is this possible? It doesn't look like it is from what I can see in the OnGuard configuration, but maybe I'm missing something.
05-06-2015 12:12 PM
OnGuard is scanning the computer.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
05-06-2015 12:18 PM
I think I already have that covered with the role mapping/enforcement profiles.
What I don't understand is how to handle the posture tokens so I can say
Healthy Device, WithApp = Posture Token Healthy (0)
Healthy Device, NoApp = Posture Token Whatever (5)
Unhealthy Device, WithApp = Posture Token Quarantine (20)
Unhealthy Device, NoApp = Posture Token Quarantine (20)
It seems the options are only based on whether you pass or fail ALL, or one or more. Failing this check is worth 5 points, failing this one is worth 20.
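The decision the poster is describing (directory role, inventory lookup, weighted posture checks, then a controller role) can be written out as a small policy model. The block below is an added illustration, not the poster's configuration and not ClearPass code: ClearPass would express the same thing as enforcement-policy rules keyed on the posture token and the mapped role. The token values 0 / 5 / 20 are taken from the post and are assumed for the example, as are the check names, the "Unmanaged" outcome for devices missing from inventory, and the fail-closed handling of endpoints with no OnGuard result. The one design point worth noting is that the token is the worst failing weight, not the sum, so a single failed AV or firewall check reaches Quarantine regardless of the application check.

```python
"""Policy model for the role decision described in the thread.

Added example, not ClearPass configuration. Three stages mirror the poster's
design: a directory role, a posture token derived from weighted OnGuard-style
checks, and a final controller role name. Token values (0 / 5 / 20), check
names, the '-Unmanaged' role and the fail-closed rule for missing scan
results are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Posture token values as used in the thread (assumed; verify against the
# token scale your ClearPass version actually uses).
HEALTHY = 0
CHECKUP = 5         # the poster's "Whatever (5)": healthy but internal app missing
QUARANTINE = 20

# Weight each check contributes when it FAILS. The token is the worst (max)
# failing weight, not the sum: one failed AV check alone is Quarantine, and a
# missing app can never lower a Quarantine verdict.
CHECK_WEIGHTS = {
    "antivirus": QUARANTINE,
    "firewall": QUARANTINE,
    "internal_app": CHECKUP,
}


@dataclass(frozen=True)
class PostureResult:
    """OnGuard-style findings for one endpoint; None means the check never ran."""
    antivirus: Optional[bool]
    firewall: Optional[bool]
    internal_app: Optional[bool]


def posture_token(result: Optional[PostureResult]) -> int:
    """Return the posture token as the worst failing check.

    Fails closed: no scan result, or a check that never ran, is treated as
    Quarantine rather than Healthy, so an endpoint cannot skip OnGuard and
    land in the managed role.
    """
    if result is None:
        return QUARANTINE
    token = HEALTHY
    for check, weight in CHECK_WEIGHTS.items():
        passed = getattr(result, check)
        if passed is None:
            return QUARANTINE
        if not passed:
            token = max(token, weight)
    return token


def controller_role(directory_role: str, in_inventory: bool, token: int) -> str:
    """Map directory role + inventory membership + posture token to the
    controller role name. Names follow the poster's Staff-* scheme and are
    generalised to other directory roles (e.g. Affiliate-Managed-Base)."""
    if token >= QUARANTINE:
        # Unhealthy wins over everything else, as the post requires (assumed to
        # include devices that are not in inventory).
        return f"{directory_role}-Quarantined"
    if not in_inventory:
        return f"{directory_role}-Unmanaged"      # assumed role for devices not in inventory
    if token == HEALTHY:
        return f"{directory_role}-Managed-WithApp"
    return f"{directory_role}-Managed-Base"


def decide(directory_role: str, in_inventory: bool,
           result: Optional[PostureResult]) -> str:
    """Full pipeline: posture token first, then the controller role."""
    return controller_role(directory_role, in_inventory, posture_token(result))


if __name__ == "__main__":
    # Constructed sample endpoints covering the cases listed in the thread.
    samples = [
        ("Staff", True, PostureResult(True, True, True)),    # Staff-Managed-WithApp
        ("Staff", True, PostureResult(True, True, False)),   # Staff-Managed-Base
        ("Staff", True, PostureResult(False, True, True)),   # Staff-Quarantined
        ("Staff", True, PostureResult(True, False, False)),  # Staff-Quarantined
        ("Affiliate", False, PostureResult(True, True, True)),  # Affiliate-Unmanaged
        ("Staff", True, None),                               # no OnGuard result -> Quarantined
    ]
    for role, inv, res in samples:
        print(f"{role:9} inventory={inv!s:5} token={posture_token(res):2} -> {decide(role, inv, res)}")
```

Run it as-is to see each case from the post evaluated; the `None` sample is the one to keep in mind when building the real enforcement policy, since an endpoint that never reports posture should not fall through to the managed role.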
05-06-2015 12:23 PM