Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Onguard Behavior

  • 1.  Onguard Behavior

    Posted Jan 03, 2021 11:02 PM

    Hi all,

    Have machine authenticate and  dot1x with session timeout 10800. CPPM behaves that whenever timeout is finished, client goes quarantine vlan, then web auth starts for posture check, lastly if it is healthy goes full access vlan. It is not good for employees, because when employees work, suddenly connection is lost about 30-45 seconds even if it was on access vlan.

    An other issue is; our onguard run as BothServiceAndAgent. When user connects his/her client, onguard immediately starts health check, and client goes inaccessable about 10 - 15 seconds (5-6 packet loss) if it is healthy. Similarly user disconnect his/her PC same things happen.

    When client is disconnected not signed out, Onguard is still running, but not trigger any new web auth periodically. After client connect, it will trigger immediately. From this behavior as we understand onguard does not trigger a web auth without user connected if any health check interver set.

    I want to configure 2 things;

    Run health check every 1 hour without any network connectivity lost. I mean without any COA after web auth. Only if client is not healthy, COA should send client to quarantine vlan.

    When user connect or disconnect on his/her machine, PC will not be interrupted.

    Is there any way to configure these? I am waiting for your help.



    ------------------------------
    Regards,
    omerfg
    ------------------------------



  • 2.  RE: Onguard Behavior

    Posted Jan 04, 2021 01:03 PM
    This is all configurable in the policy and services. What may be more important is to get a proper design so you can implement that.

    Have you found the three Onguard documents at arubanetworks.com/clearpassdocs?
    The Onguard configuration and Troubleshooting document should get you started.

    Alternatively, you can reach out to Aruba support or your Aruba partner to have a look at what you have configured already and suggest what to change to match your design or requirements.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------