Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

onguard and wired client issue

  • 1.  onguard and wired client issue

    Posted Feb 09, 2015 05:49 AM


    We have deployed CPPM wired with posture for wired clients with Cisco switches.


    The service is checking whether the client is user auth and machine auth or not.


    If yes, he will get DACL "permit any".

    If not, he will get limited access.

    The issue: when the client boots his PC and logs in, the OnGuard agent doesn't work and communicate with CPPM until he unplugs and plugs the Ethernet cable again.

    How can I make OnGuard communicate automatically with CPPM?

    thank you

  • 2.  RE: onguard and wired client issue

    Posted Feb 09, 2015 06:15 AM

    It is a bit difficult to understand what exactly you built.


    So just to be sure: OnGuard requires L3 connectivity to the CPPM. So usually you do RADIUS to provide access to the network and CPPM. Then OnGuard runs and provides you with a posture. Then you disconnect the client via CoA, and in the next attempt the posture will be used (if you turn on use cached info).


    Is the above what you did? If so, where does it fail?

  • 3.  RE: onguard and wired client issue

    Posted Feb 09, 2015 08:13 AM
    Is your service that checks for machine/user auth requiring posture data? 

  • 4.  RE: onguard and wired client issue

    Posted Feb 09, 2015 08:40 AM

  • 5.  RE: onguard and wired client issue

    Posted Feb 09, 2015 10:01 AM

    Some PCs are working fine, and some of them won't communicate until I unplug and plug the Ethernet cable again; then it starts to communicate and the client gets the right DACL.

    Do I need to configure extra configuration on my Cisco? I have configured Cisco as below:


    aaa new-model
    radius-server host key aruba123
    dot1x system-auth-control
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client server-key aruba123
    port 3799
    auth-type all
    ip dhcp snooping
    ip device tracking
    radius-server vsa send authenticat
    (config)interface vlan "ID"
    ip address 192.168.X.X
    ip helper-address
    ip helper-address

    interface range fa/gig
    switchport access vlan "ID"
    switchport mode access
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 30
    dot1x max-req 3
    dot1x max-reauth-req 10
    spanning-tree portfast
    lldp transmit
    lldp receive



    device-sensor accounting
    device-sensor notify all-changes
    device-sensor filter-list dhcp list dhcp-list
    option name host-name
    option name parameter-request-list
    option name class-identifier

    device-sensor filter-list cdp list cdp-list
    tlv name version-type
    tlv name platform-type

    device-sensor filter-list lldp list lldp-list
    tlv name system-description

    device-sensor filter-spec dhcp include list dhcp-list
    device-sensor filter-spec lldp include list lldp-list
    device-sensor filter-spec cdp include list cdp-list
    lldp run

    cdp run

  • 6.  RE: onguard and wired client issue

    Posted Feb 09, 2015 10:03 AM

    You'll likely need to add an interim state that allows some access before the OnGuard agent has fully scanned the machine.
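
The interim state suggested in reply 6, sketched as a Cisco IOS extended ACL (an added example, not part of the thread or of any poster's configuration). The ACL name, the address 192.0.2.10 standing in for the ClearPass server, and the assumption that the OnGuard agent reaches ClearPass over HTTPS on TCP 443 are placeholders to adapt.

```cisco
! Constructed example: limited access while the client's posture is still unknown.
! 192.0.2.10 is a placeholder for the ClearPass (CPPM) address.
ip access-list extended POSTURE-PENDING
 remark allow DHCP so the client can obtain an address
 permit udp any eq bootpc any eq bootps
 remark allow DNS lookups
 permit udp any any eq domain
 remark allow the OnGuard agent to reach ClearPass (assumed HTTPS on 443)
 permit tcp any host 192.0.2.10 eq 443
 remark everything else stays blocked until a posture is reported
 deny ip any any
```

Once the agent has reported a posture through this restricted path, the CoA and cached-posture step described in reply 2 moves the client to its final DACL on the next authentication.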

  • 7.  RE: onguard and wired client issue

    Posted Feb 09, 2015 10:15 AM

    If these are Windows devices, keep in mind that the time OnGuard might take will depend on a couple of things:

    - Resources available (memory/CPU) on the laptop

    - The different types of checks

    Read this as well:



    You should consider Cappali's suggestion.


    Another thing you could do is increase the cache posture value.