05-17-2018 02:56 AM
I am working on a wired NAC project where, before the 802.1X service kicks in, the OnGuard agent should check device health. I have created two services (WEBAUTH for OnGuard, and RADIUS for 802.1X). 802.1X is enabled on the switch. The 802.1X service is referencing Posture (EQUALS, or NOT_EQUALS HEALTHY) in the Enforcement Policy.
The problem I am experiencing is that, in this scenario, once I connect my wired client device to the network, it never tries to use the WEBAUTH service and gets rejected on the RADIUS one. If I remove any reference to Posture in the EP, both services get hit, but RADIUS first (hence removing any benefit of posture checks before authentication). I am sure I have omitted something in my EPs, but cannot see what. Thanks in advance.
NesaM --ACMP, ACCP--
05-17-2018 06:06 AM
The OnGuard webauth application works AFTER your first authentication.
So in your first enforcement you can see "if health=unknown", enforce the quarantine VLAN.
In the quarantine VLAN the OnGuard agent posts its checkup status to OnGuard webauth, and use CoA bounce to reconnect.
The next time you connect, "if health=healthy", enforce the corporate VLAN.