When a Windows client first authenticates through the switch using .1x and meets the conditions for the top service in the list (wired .1x service), it gets evaluated by the enforcement policy and hits the condition of Posture NOT-EQUALS HEALTHY because the posture is UNKNOWN (per below):
Tips:Role = user-authenticated
AND Tips:posture != HEALTHY
THEN ENFORCE THESE PROFILES:
---> Assign Quarantine VLAN Profile ---> Terminate Session
After that, the request never hits the health check service to start the posture evaluation.
What needs to be configured to force the client/device to hit the 'health check service'?
You don't want to "Terminate Session". You want to assign quarantine VLAN and bounce the port.
Also make sure that the client device has access to the ClearPass IP so that OnGuard can communicate, since you didn't mention what is going on at the client side.
Back from vacation and tested onguard again today, but changed the 802.1x service enforcement profile from 'terminate session' to 'arubaOS switching - bounce switch port'. The request still never hits the health check service after that. The access tracker only sees the one hit of the 802.1x service. The client gets the proper profile, gets moved to quarantine vlan and nothing happens after that (per below)
---> Assign Quarantine VLAN Profile (this happens) ---> [arubaOS switching - bounce switch port] (this does not seem to do anything)
I've attached the last several logs of the access tracker log file here in case that helps.
What else needs to be configured to force the client/device to hit the 'health check service'?
1) Which switch are you using, along with the firmware version?
2) Assuming it's an Aruba switch (since you are using Aruba CoA profiles), make sure dynamic authorization is enabled on the switch.
3) Make sure the device is added in ClearPass properly, with the vendor selected as Aruba and RADIUS CoA checked.
The process should work as below; you may track it to see which part is missing, or else give your switch configuration and a ClearPass snapshot for us to analyze it further.
1) Client connects on the port.
2) Since this is the first time, the client's posture is unknown, so it should be assigned the quarantine VLAN.
3) Now OnGuard must be installed on the client, either manually or through a web redirect to the CPPM web page, which gives the option to download the OnGuard agent.
4) Once the client is redirected and has downloaded/installed OnGuard, OnGuard will try to connect to CPPM (make sure the assigned role/ACL allows access to the CPPM IP).
5) Once OnGuard sends a HEALTHY token to CPPM, NOW CPPM must send a CoA to the switch.
6) Upon receiving the CoA, the switch disconnects the client, which results in re-authentication.
7) This time the client's posture is known and HEALTHY, so it gets the required role/VLAN.
8) Make sure your 802.1x service has "use the cached roles/postures" checked.
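As an added illustration (not code from this thread or from ClearPass), here is a small Python model of the eight-step flow above: the enforcement policy from the first post is evaluated on the initial 802.1X request, the OnGuard HEALTHY token triggers a CoA, and the re-authentication only lands in the user VLAN when the cached posture from step 8 is used. All names, the MAC address and the profile strings other than those quoted in the thread are constructed for the example.

```python
from dataclasses import dataclass, field

HEALTHY, UNKNOWN = "HEALTHY", "UNKNOWN"


@dataclass
class Cppm:
    """Minimal stand-in for the CPPM pieces the thread talks about."""
    use_cached_posture: bool                 # the "use cached roles/postures" checkbox (step 8)
    posture_cache: dict = field(default_factory=dict)   # MAC -> last posture token
    coa_sent: list = field(default_factory=list)        # MACs for which a CoA was issued

    def enforce(self, mac, role):
        """Evaluate the thread's enforcement rule for one 802.1X request.

        Tips:Role = user-authenticated AND Tips:posture != HEALTHY -> quarantine.
        Without the cached posture, every 802.1X request sees UNKNOWN.
        """
        posture = self.posture_cache.get(mac, UNKNOWN) if self.use_cached_posture else UNKNOWN
        if role == "user-authenticated" and posture != HEALTHY:
            return ["Assign Quarantine VLAN Profile"]
        return ["Assign User VLAN Profile"]          # constructed name for the compliant VLAN profile

    def onguard_report(self, mac, posture):
        """Steps 4-6: OnGuard delivers a posture token, CPPM caches it and sends a CoA."""
        self.posture_cache[mac] = posture
        if posture == HEALTHY:
            self.coa_sent.append(mac)                  # switch bounces the port -> re-authentication


def walk_through(use_cached_posture):
    """Run one client through steps 1-8; returns (first result, second result, CoA count)."""
    cppm = Cppm(use_cached_posture)
    mac = "00-11-22-33-44-55"                          # constructed sample client
    first = cppm.enforce(mac, "user-authenticated")    # steps 1-2: posture UNKNOWN
    cppm.onguard_report(mac, HEALTHY)                  # steps 4-5: agent reports HEALTHY
    second = cppm.enforce(mac, "user-authenticated")   # steps 6-7: re-auth after CoA
    return first, second, len(cppm.coa_sent)


if __name__ == "__main__":
    print("cached posture on :", walk_through(True))
    print("cached posture off:", walk_through(False))
```

With the checkbox off, the re-authentication after the CoA evaluates posture as UNKNOWN again and the client stays in quarantine, which is the loop step 8 guards against.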
Thx for the follow-up.
1) Aruba 2930F
# sh version
Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
                Nov 1 2019 19:24:11
                WC.16.10.0002
                208
Boot Image:     Primary
Boot ROM Version: WC.16.01.0008
2) Yes, dyn-auth is configured via this command: radius-server host <CPPM IP> dyn-authorization
3) Yes to both
Regarding the process, we don't have onguard installed on the client. The customer would prefer to not have any additional steps for the user, so can we use a dissolvable agent instead of persistent? If so, what should this process be? This is where I need some clarity; I want to learn what all of our options are to simply get a health check done on each client each time a user authenticates. If there is a way to do this without any additional user steps, please explain that process and how the 802.1x service enforcement policy needs to be setup to trigger a health check, etc.
No, I haven't configured web-redirect. That must be the issue. I haven't been able to find good documentation on this topic. I have seen some docs saying to create a guest account to redirect them to Captive Portal, but we only have onguard licenses and no guest licenses.
Given that info, how do I configure the service(s) for this? Can this be done without guest licenses? Is there any doc out there that explains the CPPM config steps?
We are on CPPM v6.7, but may upgrade to 6.8
No, I haven't done this before. A video or any step-by-step document would be ideal.
Going by your responses, it appears that this process cannot be done without some additional steps from the user. Given that, I would like to find out what Aruba recommends that would take the least amount of time and effort for the users (the most simple process for users)?
Any update on this today would be much appreciated, even if it's not a complete video guide. I'd like to at least get started in understanding how to configure the web-redirect in the CPPM 802.1x service. Thx