for domain based devices that are using dot1x auth, you need to install onguard agent.
you can do this either through AD domain policies, or through redirection to a captive portal/web page for the users to download the agent and installs them
once it is installed the agent will try to contact clearpass and send health tokens, starting with Unknown health token.
so your dot1x serve needs to take care of this initial condition and assign a user role/VLAN that has some L3 connectivity for the laptop to contact clearpass node. Now this dot1x service needs to have enabled "use cache result from previous session" in the enforcement policy tab.
Your other service is the webauth type Health check that looks at the Health tokens from the agent in there you can configure it to send terminate session / port bounce through CoA.
check this video
https://www.youtube.com/watch?v=6WY48eIJZlE------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------
Original Message:
Sent: May 07, 2022 05:48 AM
From: Hevin Huo
Subject: How to setup a wired OnGuard
Our Clearpass ran into problems deploying the endpoint's health check, and we wanted to redirect the web page to a user who didn't have the OnGuard agent installed to allow him to download the agent or use a dissolvable proxy. After configuring 802.1x authentication and web authentication, it does not work. Our access layer switch is Cisco, has anyone successfully connected to the OnGuard configuration case? Or could you tell me how to do it?
------------------------------
Hevin Huo
------------------------------