Contributor II
Posts: 67
Registered: ‎06-29-2014

onguard and wired client issue

hi,

we have deployed cppm wired with posture for wired client with cisco switches,

service is checking if the client is user auth and machine auth or not,

if yes he will get DACL "permit any"

if not he will get limited access

the issue, when the client boots his pc and logs in, the onguard agent doesn't work and communicate with cppm till unplug and plug the ethernet cable again,

how can i make onguard communicate automatically with cppm??

thank you

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: onguard and wired client issue

it is a bit difficult to understand what exactly you built.

 

so just to be sure. onguard requires l3 connectivity to the cppm. so usually you do radius to provide access to the network and cppm. then onguard runs and provides you with a posture. then you disconnect the client via CoA and in the next attempt the posture will be used (if you turn on use cached info).

 

is the above what you did? if so where does it fail?

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: onguard and wired client issue

Is your service that checks for machine/user auth requiring posture data? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: onguard and wired client issue

Keep this in mind:
https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/Can-the-onguard-agent-run-before-user-login
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: onguard and wired client issue

some pc's are working fine, and some of them won't communicate till unplug and plug the ethernet cable again, then it starts to communicate and the client gets the right DACL,

do i need to configure extra configuration on my cisco, i have configured cisco as below:

 

aaa new-model
radius-server host 192.168.101.136 key aruba123
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 192.168.101.136 server-key aruba123
port 3799
auth-type all
ip dhcp snooping
ip device tracking
radius-server vsa send authentication
exit
********************************************************************************
(config)interface vlan "ID"
ip address 192.168.X.X 255.255.255.0
ip helper-address 192.168.101.136
ip helper-address 192.168.101.130
exit

*************************************************************
interface range fa/gig
switchport access vlan "ID"
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x timeout supp-timeout 30
dot1x max-req 3
dot1x max-reauth-req 10
spanning-tree portfast
lldp transmit
lldp receive
exit
exit

**************************************************************

 

device-sensor accounting
device-sensor notify all-changes
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name parameter-request-list
option name class-identifier
exit

device-sensor filter-list cdp list cdp-list
tlv name version-type
tlv name platform-type
exit


device-sensor filter-list lldp list lldp-list
tlv name system-description
exit

device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
lldp run

cdp run

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: onguard and wired client issue

You'll likely need to add an interim state that allows some access before the OnGuard agent has fully scanned the machine.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
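
The replies above say that OnGuard needs L3 connectivity to CPPM and that an interim state should allow some access before posture is known. The following is an added example, not part of any post in this thread and not Aruba or Cisco code: a small checker for whether a limited DACL still permits the flows a pre-posture client needs. The DACL contents, the DNS address and the use of TCP 443 for agent-to-CPPM traffic are assumptions; only the CPPM address comes from the posted switch config.

```python
"""Check that a pre-posture DACL still lets the OnGuard agent reach CPPM."""
CPPM = "192.168.101.136"   # RADIUS/CPPM address from the switch config in the thread
DNS = "192.0.2.53"         # constructed placeholder DNS server

# Flows a client needs before posture is known. TCP 443 from the agent to CPPM
# is an assumption of this example; confirm the ports for your ClearPass version.
REQUIRED_FLOWS = {
    "dhcp": ("udp", "255.255.255.255", 67),
    "dns": ("udp", DNS, 53),
    "onguard-to-cppm": ("tcp", CPPM, 443),
}

# Constructed sample DACLs (not taken from the thread).
NO_CPPM_ACCESS = ["permit udp any any eq 67", "permit udp any any eq 53", "deny ip any any"]
INTERIM = NO_CPPM_ACCESS[:2] + [f"permit tcp any host {CPPM} eq 443", "deny ip any any"]

def parse_ace(line):
    """Parse 'permit|deny <proto> any <any|host IP> [eq <port>]' (subset of IOS ACL syntax)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    if tok[3] == "any":
        dst, rest = None, tok[4:]
    elif tok[3] == "host" and len(tok) > 4:
        dst, rest = tok[4], tok[5:]
    else:
        raise ValueError(f"unsupported destination in ACE: {line!r}")
    port = int(rest[1]) if len(rest) == 2 and rest[0] == "eq" else None
    return tok[0], tok[1], dst, port

def evaluate(dacl, proto, dst, port):
    """First match wins; an ACL ends with an implicit deny."""
    for line in dacl:
        action, a_proto, a_dst, a_port = parse_ace(line)
        if a_proto in ("ip", proto) and a_dst in (None, dst) and a_port in (None, port):
            return action == "permit"
    return False

def blocked_flows(dacl):
    """Names of required pre-posture flows that the DACL would drop."""
    return sorted(n for n, flow in REQUIRED_FLOWS.items() if not evaluate(dacl, *flow))

if __name__ == "__main__":
    for name, dacl in (("no-cppm-access", NO_CPPM_ACCESS), ("interim", INTERIM)):
        print(name, "blocks:", blocked_flows(dacl) or "nothing required")
```
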
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: onguard and wired client issue

If these are Windows devices, keep in mind that the time OnGuard might take will depend on a couple of things:

- Resources Available (Memory/CPU) on the Laptop

- And the different type of checks

Read this as well:

https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/Onguard-takes-a-while-for-Health-check-of-Windows

 

You should consider Cappalli's suggestion.

 

Another thing you could do is increase the cache posture value 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA