That all depends on how you configure the Policies (what type of logic you put on it).
Let's take an example:
If you have a Policy which would authenticate based on Dot1x + OnGuard is mandatory to be installed = Permit Access or else = Shut down port, then this would mean that the Device running the Windows Server 2016 will not be able to connect to the network because it will not fulfill the Criteria to have OnGuard installed.
So for this purpose, it all depends what you want to configure as Policy Enforcement to Permit/Deny.
For your use-case, you didn't provide sufficient information to know whether it will work or not, because we need to understand how the services are configured, how the ports where the device is connected are configured, etc.
Based on this:
- Profiling not enabled
- No condition configured for profile conflict
- Posture policy configured allows only Windows 10 and Windows 11
For sure posture policies will not be met and health status would be = Unknown, because you have neither Agent Based OnGuard nor Agentless OnGuard installed.
If you have a policy which checks health-status, and you configured for Unhealthy and/or Unknown a Deny Profile, then it won't have access to the network.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
------------------------------
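The dependence on policy logic described in the reply above, as an added example that is not part of the original post and is not ClearPass configuration syntax: a simplified Python model of first-match enforcement, evaluated for an endpoint whose posture is Unknown because no agent reports. The class names, profile names and the assumption that 802.1X still succeeds on the reimaged machine are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    dot1x_ok: bool   # 802.1X authentication succeeded
    posture: str     # "Healthy", "Unhealthy", or "Unknown" (no agent reported)

@dataclass(frozen=True)
class Policy:
    rules: tuple     # ordered (predicate, profile) pairs; first match wins
    default: str     # profile applied when no rule matches

def enforce(policy, session):
    """Return the profile of the first matching rule, else the default."""
    for predicate, profile in policy.rules:
        if predicate(session):
            return profile
    return policy.default

# Constructed policy A: denies only an explicit Unhealthy result and falls
# through to a permit default, so a missing posture result is let in.
FAIL_OPEN = Policy(
    rules=(
        (lambda s: not s.dot1x_ok, "Deny"),
        (lambda s: s.posture == "Unhealthy", "Deny"),
    ),
    default="Permit",
)

# Constructed policy B: permits only authenticated AND Healthy sessions;
# Unknown and Unhealthy both land on the deny default.
FAIL_CLOSED = Policy(
    rules=((lambda s: s.dot1x_ok and s.posture == "Healthy", "Permit"),),
    default="Deny",
)

def compare(session):
    """Evaluate one session against both constructed policies."""
    return {"fail_open": enforce(FAIL_OPEN, session),
            "fail_closed": enforce(FAIL_CLOSED, session)}

# Constructed sessions: the reimaged server (assumed to pass 802.1X, no
# OnGuard agent) and a compliant Windows 10 client.
REIMAGED_SERVER = Session(dot1x_ok=True, posture="Unknown")
WIN10_CLIENT = Session(dot1x_ok=True, posture="Healthy")

if __name__ == "__main__":
    print("reimaged server:", compare(REIMAGED_SERVER))
    print("win10 client:   ", compare(WIN10_CLIENT))
```

Reviewing the real enforcement policy the same way means checking which rule, if any, matches an Unknown health status and what the default profile grants.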
Original Message:
Sent: Jun 04, 2025 01:10 PM
From: nehabw
Subject: ClearPass Behaviour when device OS Changes
Hello..!
I would like to confirm if this needs to be addressed as a security concern.
Status:
- Profiling not enabled
- No condition configured for profile conflict
- Posture policy configured allows only Windows 10 and Windows 11
Scenario:
For testing purposes, a machine originally running Windows 10 has been formatted and replaced with a fresh installation of Windows Server 2016. The device retains the same IP and MAC address.
No OnGuard agent is installed on the machine after installation of Windows Server.
Query:
Given that NAC configuration on the switch port remains unchanged, will ClearPass still treat this machine as a valid endpoint and allow network access?