Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

How to setup a wired OnGuard

  • 1.  How to setup a wired OnGuard

    Posted May 07, 2022 05:48 AM
    Our ClearPass ran into problems deploying the endpoint's health check, and we wanted to redirect the web page to a user who didn't have the OnGuard agent installed to allow him to download the agent or use a dissolvable proxy. After configuring 802.1x authentication and web authentication, it does not work. Our access layer switch is Cisco. Has anyone successfully connected to the OnGuard configuration case? Or could you tell me how to do it?

    ------------------------------
    Hevin Huo
    ------------------------------


  • 2.  RE: How to setup a wired OnGuard
    Best Answer

    EMPLOYEE
    Posted May 08, 2022 07:56 PM
    For domain-based devices that are using dot1x auth, you need to install the OnGuard agent.
    You can do this either through AD domain policies, or through redirection to a captive portal/web page for the users to download the agent and install it.
    Once it is installed, the agent will try to contact ClearPass and send health tokens, starting with the Unknown health token.
    So your dot1x service needs to take care of this initial condition and assign a user role/VLAN that has some L3 connectivity for the laptop to contact the ClearPass node. Now this dot1x service needs to have "use cache result from previous session" enabled in the enforcement policy tab.
    Your other service is the webauth-type Health check that looks at the health tokens from the agent. In there you can configure it to send terminate session / port bounce through CoA.

    Check this video:
    https://www.youtube.com/watch?v=6WY48eIJZlE


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------
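
The two-service flow described in the answer above, as a simplified model added here for illustration. It is not ClearPass code or configuration: the class, function and role names are assumptions, and only the posture-cache option and the CoA port bounce come from the post.

```python
# Simplified model (assumption, not ClearPass's API) of the 802.1X service
# and the WebAuth health-check service working together.
from dataclasses import dataclass, field

HEALTHY, UNKNOWN, QUARANTINE = "HEALTHY", "UNKNOWN", "QUARANTINE"

@dataclass
class PolicyServer:
    use_cached_results: bool = True                     # enforcement-tab option from the answer
    posture_cache: dict = field(default_factory=dict)   # MAC -> last posture token
    coa_log: list = field(default_factory=list)         # CoA actions sent to the switch

    def dot1x_service(self, mac):
        """802.1X service: choose a role from the cached posture token."""
        if self.use_cached_results:
            token = self.posture_cache.get(mac, UNKNOWN)
        else:
            token = UNKNOWN  # posture from the health-check service is never seen
        if token == HEALTHY:
            return "full-access"       # hypothetical role name
        if token == QUARANTINE:
            return "quarantine"        # hypothetical role name
        # Initial condition: limited role that still has L3 reach to the policy server
        return "onboarding"            # hypothetical role name

    def webauth_health_service(self, mac, token):
        """Health-check service: store the agent's token, bounce the port on change."""
        previous = self.posture_cache.get(mac, UNKNOWN)
        self.posture_cache[mac] = token
        if token != previous:
            self.coa_log.append((mac, "port-bounce"))
            return True    # switch re-runs 802.1X for this port
        return False

def connect(server, mac, agent_token):
    """One endpoint: first auth, agent health report, re-auth after CoA."""
    roles = [server.dot1x_service(mac)]
    if server.webauth_health_service(mac, agent_token):
        roles.append(server.dot1x_service(mac))
    return roles

if __name__ == "__main__":
    mac = "aa:bb:cc:00:00:01"  # constructed sample MAC
    print(connect(PolicyServer(), mac, HEALTHY))
    print(connect(PolicyServer(use_cached_results=False), mac, HEALTHY))
```

With the cache option off, the endpoint is bounced but lands back in the onboarding role, which is the symptom to look for when the redirect works but access never changes.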