Security

last person joined: 2 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Onguard implementation and documentation

Jump to Best Answer
This thread has been viewed 9 times
  • 1.  Clearpass Onguard implementation and documentation

    Posted Nov 11, 2013 02:13 AM

    Guys,

     

    We have been implementing clearpass onguard feature now. Going to use 'Onguard agent' (not NAP agent). 

     

    Already created onguard policies for windows (as in the attached doc). But not sure how to integrate/use this policy in our 'Aruba 802.1x wireless service' as it is just having option 'Only NAP agent type posture policies are applicable for this service'.

     

    Whats the right way to use onguard with aruba WLC? Could you please help with screenshots of services and policies if possible?

    Attachment(s)



  • 2.  RE: Clearpass Onguard implementation and documentation

    Posted Nov 11, 2013 10:11 AM

    Yes!  I can help.  Using the persistent agent (PA), you need to create a webauth service.  There should be one in the service templates. The PA sends its health and is checked against the WEBAUTH service configured.  This derives the posture token (healthy, unhealthy, etc...).  That token is then keyed off on in the 802.1x service.  In the enforcement policy, you MUST select "Use cached roles and posture...". This tells the 802.1x service to look at context information (posture token) from other services in making enforcement policy decisions.  

     

    If I already have a 802.1X service, do I simply add Posture checking to it or do I create a web auth service in addition to the .1X service?

      • With 802.1X you can use Windows Native agent for basic health checking. There is no need for an extra service. But if you want to do more specific detailed health checks, you should use Onguard Agent. And for Onguard agent to work you should add a Webauth Service as Onguard communicates with CPPM using HTTP Protocol. In that Webauth Enforcement you can either have a ‘Session Time out’ or a ‘Client Bounce’, So that after this again 802.1X will be hit and appropriate enforcement will occur.

    Sample Workflow:

     

    a) Client authenticates using 802.1X Authentication. CPPM processes the authentication request and

    assigns Quarantine VLAN because client health info is not available.

     

    b) After the client gets IP address, Onguard agent sends client health info to CPPM. CPPM processes the health

    and caches the client health status and trigger another 802.1X/MAC authentication by sending RADIUS Disconnect

    to the NAD.

     

    c) CPPM processes the 2nd authentication request from the client and assign proper VLAN based on the cached client

    health status.



  • 3.  RE: Clearpass Onguard implementation and documentation

    Posted Nov 11, 2013 11:09 AM

    Hello Seth,

     

    Thats awesome..! You just gave us a picture of what's going on in onguard now. Thank you!!!

     

    By the way, from your persistent agents (PA), am I right to say that we have to permanently install this software in all PCs? Is there any way to automatically install it in all PCs without users' actions.

     

    How about choosing dissolvable agents? which is recommended by Aruba?

     

    Thanks,

    Bharani..



  • 4.  RE: Clearpass Onguard implementation and documentation

    Posted Nov 11, 2013 11:58 AM
    Persistent agents are the recommended option here...


  • 5.  RE: Clearpass Onguard implementation and documentation

    Posted Nov 13, 2013 09:04 AM

    Hi Seth,

     

    We've around 1000 computers in our place. Whats the recommended way to install this persistent agent on all PCs?

     

    Any automatic way to do with less user involvement?

     

    Regards,

    Bharani..



  • 6.  RE: Clearpass Onguard implementation and documentation
    Best Answer

    Posted Nov 13, 2013 09:09 AM
    Yes. Through group policy with Windows

    Sent from my iPhone


  • 7.  RE: Clearpass Onguard implementation and documentation
    Best Answer

    Posted Nov 13, 2013 09:39 AM

    I also wanted to add that you can use policy in the service to detect that a user doesn't have the ONGUARD agent.  For example, if Posture == UNKNOWN, then we can redirect that user to a web page with a URL to download the agent.  This should take care of the non GPO clients (OS X) on the network.



  • 8.  RE: Clearpass Onguard implementation and documentation

    Posted Mar 17, 2014 05:45 AM

    Hi,

    I am just trying to implement this scenario, 802.1X + OnGuard. But what can I do to redirect the user without ONGUARD Agent (Posture == UNKNOWN) to the web page with a URL to download the agent? I have to do this on CPPM or on Controller, after assign the role Quarantena from CPPM?

     

    Thanks,

     

    Massimo



  • 9.  RE: Clearpass Onguard implementation and documentation

    Posted Mar 17, 2014 02:30 PM

    just return a role which has a captive portal profile attached that redirects to the page you want it to go.



  • 10.  RE: Clearpass Onguard implementation and documentation

    Posted Jul 11, 2017 05:37 PM

    ok I understand it.

    But it is possible to send the client not only the information that it is out of compliance

    Send it also to  a website where it gets the newest software