In ClearPass version 6.6.2, A new enforcement profile, Agent Script Enforcement, was added. It allows admins to execute external scripts or programs on endpoints by using the ClearPass OnGuard Unified Agent as part of agent enforcement.
With this profile, OnGuard can execute external scripts or programs stored in the local machine.
Admin users can configure various attributes for the script to be executed, such as Path Of The Script, Command To Execute, Wait Time (Seconds) Before Executing Script, SHA256 Checksum.
However here are the limitation of Agent-Script enforcement profile.
1. This is only supported for Windows platform currently.
2. HTTP scripts only work with unauthenticated HTTP URL's. For HTTPS OnGuard will skip/by-pass the SSL handshake.
Please add a posture policy with the required checks enabled. In the example taken we have just enabled "Windows 7" OS check. [Which can be modified according to user convenience]
In order to configure Agent-Script enforcement, navigate to Configuration > Enforcement > Profiles > Add and select Agent Script Enforcement in the Template drop-down list. Once you have selected the template, administrator can specify 'Path of the script' and 'command to execute'. In the test case, we have specified an executable file 'tftpd32.exe' and path for the same as shown below:
The OnGuard web-based Health Check/authentication service should be created. In the example shown we are only going to have Health-Check Only without authentication.
Enforcement Policy condition can be set to verify client posture and assign the enforcement profile accordingly. However in this case we are applying Agent-Script enforcement, if client posture is HEALTHY then assign the Agent-Script enforcement as shown below:
NOTE: For testing purpose we have taken Tftpd32 application. In real-world scenario we could trigger various corporate applications or software according to the need/requirement.
Once you have OnGuard running, it will try to reach the ClearPass Servers according to zones mapped in order to post the health information.
Once it reached the ClearPass server, it will collect the health and POST it to the ClearPass server and wait for the server to respond.
At this time we can see a web-auth on ClearPass >Monitoring >Access Tracker which would hit the webauth service created and will return the agent-script enforcement profile:
[Please Note: On the Monitoring > Live Monitoring > Access Tracker > Output tab for an Agent Script enforcement profile, the Application Response area shows double backslash characters instead of single backslash characters in Path and Command attribute values.
This is normal display behavior for this form and is not an issue. Users should be aware that, when creating an attribute, only single backslash characters may be entered in attribute values. Although a double backslash is displayed in these attribute values on the Output tab, the value sent to OnGuard uses the single backslash.]
Now once the Onguard agent receives the Application Response it will process the script and opens the executable file.