Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Role empty on OnGuard Service

  • 1.  Role empty on OnGuard Service

    Posted 15 days ago
    Hi,

    I want to apply some posture policies per role, but when I look at Access Tracker for OnGuard WebAuth sessions the Role is always empty.
    So, when I filter a policy per role it will just never apply.
    Any idea what can be the problem?

    Thanks

    ------------------------------
    Ricardo Duarte
    ------------------------------


  • 2.  RE: Role empty on OnGuard Service

    Posted 15 days ago
    Try using this:

    Use active Username in Health Only mode

    When this option is enabled (set to True) and the OnGuard Agent is running in Health Only mode, instead of using the MAC address as the username, OnGuard Agent sends the currently active user's username as the username in the WebAuth request.

    Username format on Windows:

    Local users: <host_name>\<username>

    Domain users: <domain_name>\<username>

    Username format on macOS and Ubuntu:

    Local users and Domain users: <username>

    NOTE: When this option is enabled, OnGuard Persistent Agent sends the attribute Host:ActiveUserName in the WebAuth request. This attribute is available in both Service Rules and Role Mapping.

    NOTE: This option is not applicable for Native Dissolvable Agent and OnGuard running as Service.


    https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/Content/CPPM_UserGuide/Admin/Global_Agent_Settings-OnGuard_Settings.html

    ------------------------------
    Victor Fabian, ACEX#8
    Mobility Architect @ WEI
    ------------------------------



  • 3.  RE: Role empty on OnGuard Service

    Posted 15 days ago
    Hi,

    No changes. Still no Roles shown.

    Regards

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 4.  RE: Role empty on OnGuard Service

    Posted 15 days ago
    What roles are you trying to see? Are you tying these from AD attributes or endpoint DB?
    If these are matched based on AD attributes, make sure you add AD as an authorization source and also add the necessary role mapping configuration under the OnGuard service.

    ------------------------------
    Victor Fabian, ACEX#8
    Mobility Architect @ WEI
    ------------------------------



  • 5.  RE: Role empty on OnGuard Service

    Posted 15 days ago
    Hi,

    I don't want to see anything.
    I want to apply different Posture Policies per Role.
    I assume OnGuard would reuse the roles of the RADIUS connection, but it seems it doesn't.

    Regards

    ------------------------------
    Ricardo Duarte
    ------------------------------