Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Role empty on OnGuard Service

  • 1.  Role empty on OnGuard Service

    Posted May 03, 2021 07:10 AM
    Hi,

    I want to apply some posture policies per-role, but when I look at Access Tracker for OnGuard WebAuth sessions the Role is always empty.
    So, when I filter a policy per role it will just never apply.
    Any idea what can be the problem?

    Thanks

    ------------------------------
    Ricardo Duarte
    ------------------------------


  • 2.  RE: Role empty on OnGuard Service

    Posted May 03, 2021 08:40 AM
    Try using this 

    Use active Username in Health Only mode

    When this option is enabled (set to True) and the OnGuard Agent is running in Health Only mode, instead of using the MAC address as the username, OnGuard Agent sends the currently active user's username as the username in the WebAuth request.

    Username format on Windows:

    Local users: <host_name>\<username>

    Domain users: <domain_name>\<username>

    Username format on macOS and Ubuntu:

    Local users and Domain users: <username>

    NOTE: When this option is enabled, OnGuard Persistent Agent sends the attribute Host:ActiveUserName in the WebAuth request. This attribute is available in both Service Rules and Role Mapping.

    NOTE: This option is not applicable for Native Dissolvable Agent and OnGuard running as Service.


    https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/Content/CPPM_UserGuide/Admin/Global_Agent_Settings-OnGuard_Settings.html

    ------------------------------
    Victor Fabian, ACEX#8
    Mobility Architect @ WEI
    ------------------------------



  • 3.  RE: Role empty on OnGuard Service

    Posted May 03, 2021 09:04 AM
    Hi,

    No changes. Still no Roles shown.

    Regards

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 4.  RE: Role empty on OnGuard Service

    Posted May 03, 2021 09:18 AM
    What roles are you trying to see? Are you tying these from AD attributes or endpoint DB?
    If these are matched based on AD attributes, make sure you add AD as an authorization source and also add the necessary role mapping configuration under the OnGuard service.

    ------------------------------
    Victor Fabian, ACEX#8
    Mobility Architect @ WEI
    ------------------------------



  • 5.  RE: Role empty on OnGuard Service

    Posted May 03, 2021 10:24 AM
    Hi,

    I don't want to see anything.
    I want to apply different Posture Policies per Role.
    I assume OnGuard would reuse the roles of the RADIUS connection, but it seems it doesn't.

    Regards

    ------------------------------
    Ricardo Duarte
    ------------------------------