We are implementing the ClearPass OnGuard feature now. We are going to use the 'OnGuard agent' (not the NAP agent).
We have already created OnGuard policies for Windows (as in the attached doc), but we are not sure how to integrate/use this policy in our 'Aruba 802.1x wireless service', as it only has the option 'Only NAP agent type posture policies are applicable for this service'.
What's the right way to use OnGuard with an Aruba WLC? Could you please help with screenshots of services and policies if possible?
Yes! I can help. Using the persistent agent (PA), you need to create a webauth service. There should be one in the service templates. The PA sends its health and is checked against the WEBAUTH service configured. This derives the posture token (healthy, unhealthy, etc.). That token is then keyed off of in the 802.1X service. In the enforcement policy, you MUST select "Use cached roles and posture...". This tells the 802.1X service to look at context information (posture token) from other services in making enforcement policy decisions.
If I already have an 802.1X service, do I simply add posture checking to it, or do I create a web auth service in addition to the .1X service?
a) Client authenticates using 802.1X authentication. CPPM processes the authentication request and assigns the Quarantine VLAN because client health info is not available.
b) After the client gets an IP address, the OnGuard agent sends client health info to CPPM. CPPM processes the health, caches the client health status, and triggers another 802.1X/MAC authentication by sending a RADIUS Disconnect to the NAD.
c) CPPM processes the 2nd authentication request from the client and assigns the proper VLAN based on the cached client
That's awesome! You just gave us a picture of what's going on in OnGuard now. Thank you!!!
By the way, regarding your persistent agents (PA), am I right in saying that we have to permanently install this software on all PCs? Is there any way to automatically install it on all PCs without users' actions?
How about choosing dissolvable agents? Which is recommended by Aruba?
We have around 1000 computers in our place. What's the recommended way to install this persistent agent on all PCs?
Is there any automatic way to do it with less user involvement?
I also wanted to add that you can use policy in the service to detect that a user doesn't have the OnGuard agent. For example, if Posture == UNKNOWN, then we can redirect that user to a web page with a URL to download the agent. This should take care of the non-GPO clients (OS X) on the network.
I am just trying to implement this scenario, 802.1X + OnGuard. But what can I do to redirect the user without the OnGuard agent (Posture == UNKNOWN) to the web page with a URL to download the agent? Do I have to do this on CPPM or on the controller, after assigning the role Quarantena from CPPM?
Just return a role which has a captive portal profile attached that redirects to the page you want it to go to.
OK, I understand it.
But it is possible to send the client not only the information that it is out of compliance, but also send it to a website where it gets the newest software.
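The flow discussed in this thread (802.1X authentication, OnGuard health report to the WebAuth service, RADIUS Disconnect, re-authentication against the cached posture token) as a small Python model. This is an added example, not part of any post and not ClearPass code or its API; the role names, health-check names and MAC address are constructed, and the posture tokens are reduced to three.

```python
# Constructed model of the flow in this thread; not ClearPass code or its API.
from dataclasses import dataclass, field

UNKNOWN, HEALTHY, QUARANTINE = "UNKNOWN", "HEALTHY", "QUARANTINE"

# Hypothetical role names the enforcement policy returns to the controller.
ROLE_BY_POSTURE = {
    UNKNOWN: "quarantine-portal",  # restricted role with a captive portal profile
    HEALTHY: "employee",
}
DEFAULT_ROLE = "quarantine"        # any other posture token

@dataclass
class PolicyManager:
    use_cached_posture: bool = True                     # the 802.1X service setting
    posture_cache: dict = field(default_factory=dict)   # MAC -> posture token
    disconnects: list = field(default_factory=list)     # MACs sent a RADIUS Disconnect

    def dot1x_auth(self, mac, credentials_ok=True):
        """802.1X service: authenticate, then enforce on the cached posture token."""
        if not credentials_ok:
            return "reject"
        token = self.posture_cache.get(mac, UNKNOWN) if self.use_cached_posture else UNKNOWN
        return ROLE_BY_POSTURE.get(token, DEFAULT_ROLE)

    def webauth_health(self, mac, checks):
        """WebAuth service: score the agent's health report, cache it, bounce the session."""
        token = HEALTHY if checks and all(checks.values()) else QUARANTINE
        self.posture_cache[mac] = token
        self.disconnects.append(mac)  # forces the NAD to re-authenticate the client
        return token

def simulate(checks, use_cached_posture=True):
    """Return the roles a client receives; checks=None means no agent installed."""
    cppm = PolicyManager(use_cached_posture)
    mac = "00:11:22:33:44:55"                 # constructed client MAC
    roles = [cppm.dot1x_auth(mac)]            # step a: no health info yet
    if checks is not None:
        cppm.webauth_health(mac, checks)      # step b: agent reports health
    if mac in cppm.disconnects:
        roles.append(cppm.dot1x_auth(mac))    # step c: re-auth after disconnect
    return roles

if __name__ == "__main__":
    print(simulate({"antivirus": True, "firewall": True}))
    print(simulate({"antivirus": True, "firewall": False}))
    print(simulate(None))
    print(simulate({"antivirus": True, "firewall": True}, use_cached_posture=False))
```

The last call shows why the cached-posture option matters: with it off, the second authentication never sees the token the WebAuth service stored, so a healthy client stays in the restricted role.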