
OnGuard Agent failed to Auto Update on Windows after Upgrade/Update

By esupport Unpublished

  
Problem:

ClearPass OnGuard Agent failed to Auto Update on Windows after an Upgrade or Patch Update

Note: This issue occurs only when upgrading the ClearPass server to 6.8.9 and 6.9.6 from older versions. It affects both Persistent and Agentless OnGuard.

Refer to the release notes below for more details (CP‑41145, CP‑41737, CP‑41738 and CP‑41679):

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.9.6/Default.htm#WhatsNew/KnownThisRls.htm#OnGuard

 



Diagnostics:

For auto-update, the OnGuard agent downloads the exe/msi file from the ClearPass server and validates its Code Signing Certificate before upgrading itself. In older versions, ClearPass uses "Aruba Networks, Inc." as the signer name.

Starting from 6.8.9 and 6.9.6, ClearPass changed the signer name for the exe/msi file to "Hewlett Packard Enterprise Company". Older OnGuard agents are not able to validate the new exe file because its signer name does not match the one they expect.

 



Solution

To fix this issue, we can use an "Agent Script Enforcement" profile to auto-upgrade the agent.

Step 1:

  • Create "OnGuard Custom Scripts".
  • Navigate to Administration » Dictionaries » OnGuard Custom Scripts » Add

Path of the Script   =  c:\agent\ClearPassOnGuardInstall.exe
SHA256 Checksum      =  <Checksum value>
Command To Execute   =  c:\agent\ClearPassOnGuardInstall.exe /S
Signer Name          =  Hewlett Packard Enterprise Company
Download URL         =  http://<CPPM_IP>/agent/installer/windows/ClearPassOnGuardInstall.exe
Execution Level      =  System

Step 2:

  • Map the custom script in an enforcement profile.
  • Navigate to Configuration » Enforcement » Profiles » Add » Select Template as "Agent Script Enforcement".
  • Select the script added in Step 1.

Step 3:

  • Map the enforcement profile in the OnGuard Webauth Service.
  • Navigate to Configuration » Services » Select the Service
  • Add rules based on the old OnGuard agent version running on the server (Add multiple rules if different versions are running).
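
One way to obtain the SHA256 checksum and confirm the signer name that Step 1 asks for, run on a Windows machine against a copy of the new installer (added example, not part of the original article). It assumes the installer is already at the Step 1 path and that the signer name is compared against the common name of the signing certificate's subject.

```powershell
# Added example: check the new OnGuard installer and print the values for Step 1.
# Assumption: a copy of the installer already exists at the path used in Step 1.
param(
    [string]$InstallerPath  = 'C:\agent\ClearPassOnGuardInstall.exe',
    [string]$ExpectedSigner = 'Hewlett Packard Enterprise Company'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

# Authenticode check: the signature must be intact and chain to a trusted root.
# Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) stops here.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# Common name of the signing certificate's subject.
# Assumption: this is the value the "Signer Name" field is matched against.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
if ($signer -cne $ExpectedSigner) {
    throw "Signer is '$signer', expected '$ExpectedSigner'"
}

# Hash is computed only after the signature checks pass, so the value entered
# in ClearPass always belongs to a file that verified as signed by the expected signer.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash

[pscustomobject]@{
    Path           = $InstallerPath
    SignerName     = $signer
    SHA256Checksum = $hash          # Get-FileHash prints uppercase hex
    CertThumbprint = $sig.SignerCertificate.Thumbprint
    CertNotAfter   = $sig.SignerCertificate.NotAfter
} | Format-List
```

Because the Download URL in Step 1 is plain HTTP, the checksum and signer name are the integrity checks on the downloaded file, so take them from a copy obtained from a trusted source.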

 

Note: This issue occurs only when updating agents from older versions to 6.8.9 or 6.9.6 or above.