Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Understanding Onguard

Jump to Best Answer

tvliewJun 25, 2014 09:42 PM

  • 1.  Understanding Onguard

    Posted Jun 25, 2014 01:03 PM
    Hi Guys,

    I like to understand more about Onguard, it's pre-requisites, what is installed (or not) on the client end and what it can do?

    Basically, I understand that the deployment guide isn't out yet but I would like some basic questions resolved first:

    1. I understand it is a NAC that can be integrated into any 802.1x switch. However, certain level of firmware version is required. But I also heard that it still can be achieve using SNMP. Is that correct?

    2. I also understand that a client software needs to be installed. But there is also an option for being clientless. What is the pro and cons with or without client software installed?


  • 2.  RE: Understanding Onguard
    Best Answer

    Posted Jun 25, 2014 01:48 PM

    1. I understand it is a NAC that can be integrated into any 802.1x switch. However, certain level of firmware version is required. But I also heard that it still can be achieve using SNMP. Is that correct?

    This is correct, but the snmp option have some caveats when changing VLANs or when a device is behind a VoIP phone

    2. I also understand that a client software needs to be installed. But there is also an option for being clientless. What is the pro and cons with or without client software installed?

    Yes

    1-      Persistent agent

    provides nonstop monitoring and automatic remediation and control. When running persistent OnGuard agents, ClearPass

    Policy Manager can centrally send system-wide notifications and alerts, and allow or deny network access. The persistent agent

    also supports auto and manual remediation.

     

    2-      Dissolvable agent is ideal for personal

    non IT-issued devices that connect via a captive portal and do not allow agents to be permanently installed. A one-time check at

    login ensures policy compliance. Devices not meeting compliance can be redirected to a captive portal for manual remediation.

    Once the browser page used during authentication is closed, the dissolvable agent is removed leaving no trace.



  • 3.  RE: Understanding Onguard

    Posted Jun 25, 2014 04:54 PM

    What kind of switches do you have? 

     

    The persistent agent also adds a ton more features like automatically killing banned applications (or not letting the device on the network if the application is installed, good example is BitTorrent). It can also detect registry keys, can shut down running VM guests, etc.

     

     



  • 4.  RE: Understanding Onguard

    Posted Jun 25, 2014 08:42 PM
    Mainly Cisco Catalyst switches. They are a mixture of C4506, C3750, C2960 and the older C2950.

    How do I ensure compatibility? Assuming I have the datasheets for the switches, is there a specific feature that is required for Onguard?


  • 5.  RE: Understanding Onguard

    Posted Jun 25, 2014 09:37 PM
    You'll want to make sure they support RFC 3576
    (RADIUS Change of Authorization). As far as I. know, newer cisco code supports it.


  • 6.  RE: Understanding Onguard

    Posted Jun 25, 2014 09:41 PM
    Okay, I think I may have jumped my gun. I saw and read a very helpful post at the below link:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-OnGuard-switch-requirements/td-p/42478

    1. It seems that the posture agent has better support on Windows. So I can do quite a number of checks with the agent. What about the dissolvable agent? Can it do the same for all platforms? I assume that if we are directed to a captive portal, a Java-based installer gets installed to perform the mediation before it is uninstalled. Since Java can run on any platform, it should support a forms of mediation???

    2. For the posture agent, how is this pushed down to each clients, assuming I have 5000 over machines? GPO?


  • 7.  RE: Understanding Onguard
    Best Answer

    Posted Jun 25, 2014 09:44 PM
    2) you could push it down through group policy, yes. If all the machines are in your control (via AD), it might be better to use the Microsoft NAP integration.


  • 8.  RE: Understanding Onguard

    Posted Oct 31, 2014 09:17 PM

    hi,

    i dont want to install onguard agent on my clinet pc,  and we dont have captive portal page,

     

    can we use dissolvable agent for wireless pc connection?

     

    how redirect them once they connect to network to dissolvable agent page?

     

    thanks



  • 9.  RE: Understanding Onguard

    Posted Nov 01, 2014 05:14 AM
    You must have Clearpass and it will host the captive portal page.


  • 10.  RE: Understanding Onguard

    Posted Feb 18, 2017 10:58 AM

    Are there any guides available from Aruba regarding the integration with Microsoft NAP?

    I hadn't heard of Microsoft NAP until reading this post.

     

    Ideally, I would like the ClearPass to remain as the RADIUS server, but have the NAP clients send their status information to the CPPM.



  • 11.  RE: Understanding Onguard

    Posted Feb 18, 2017 11:01 AM
    Outside of the user guide, we don't unfortunately. NAP has actually been deprecated by Microsoft.


  • 12.  RE: Understanding Onguard

    Posted Feb 18, 2017 11:14 AM

    Oh really? Thank you for telling me that. I am glad I didn't invest to much time into it.

     

    That being said, what would your recommendation be for the OP today?

     

    I like the idea of this agent.

    I have another tool I use to do software deployment that installs an agent. I could leverage the data stored in this tool to do "health checks". It is cool though that this agent can dynamically change the role of the device depending upon whether it is in violation or not.



  • 13.  RE: Understanding Onguard

    Posted Feb 18, 2017 11:18 AM
    This thread is very old.

    What are your questions?


  • 14.  RE: Understanding Onguard

    Posted Feb 18, 2017 11:18 AM
    This thread is very old.

    What are your questions?


  • 15.  RE: Understanding Onguard

    Posted Feb 18, 2017 11:20 AM

    Sorry, your right.

     

    I can start another post instead of highjacking someone elses.

     

    Cheers



  • 16.  RE: Understanding Onguard

    Posted Feb 18, 2017 11:01 AM
    Outside of the user guide, we don't unfortunately. NAP has actually been deprecated by Microsoft.


  • 17.  RE: Understanding Onguard

    Posted Jun 25, 2014 09:42 PM
    Okay.. RFC3576. Noted.