  • 1.  ClearPass Behaviour when device OS Changes

    Posted 12 days ago
    Edited by nehabw 12 days ago

    Hello..!

    I would like to confirm if this needs to be addressed as a security concern.

    Status:

    • Profiling not enabled
    • No condition configured for profile conflict
    • Posture policy configured allows only Windows 10 and Windows 11

    Scenario:

    For testing purposes, a machine originally running Windows 10 has been formatted and replaced with a fresh installation of Windows Server 2016. The device retains the same IP and MAC address.
    No OnGuard agent is installed on the machine after installation of Windows Server.

    Query:

    Given that NAC configuration on the switch port remains unchanged, will ClearPass still treat this machine as a valid endpoint and allow network access?



  • 2.  RE: ClearPass Behaviour when device OS Changes

    Posted 12 days ago
    Edited by shpat 12 days ago

    That all depends on how you configure the Policies (what type of logic you put on it).

    Let's take an example:
    If you have a Policy which would authenticate based on Dot1x + OnGuard is mandatory to be installed = Permit Access or else = Shut down port, then this would mean that the Device running the Windows Server 2016 will not be able to connect to the network because it will not fulfill the Criteria to have OnGuard installed.

    So for this purpose, it all depends what you want to configure as Policy Enforcement to Permit/Deny.

    For your use-case, you didn't provide sufficient information to know whether it will work or not, because we need to understand how the services are configured, how the ports where the device is connected are configured, etc.

    Based on this:

    • Profiling not enabled
    • No condition configured for profile conflict
    • Posture policy configured allows only Windows 10 and Windows 11

    For sure posture policies will not be met and health status would be = Unknown, because you have neither Agent Based OnGuard nor Agentless OnGuard installed.

    If you have a policy which checks health-status, and you configured for Unhealthy and/or Unknown a Deny Profile, then it won't have access to Network.

    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 3.  RE: ClearPass Behaviour when device OS Changes

    Posted 7 days ago

    The posture of the system will time out, so if you have health checks enabled, eventually the endpoint will be "UNKNOWN"; then it is up to you what to do with clients with that posture status.



    ------------------------------
    ACEX #137
    ------------------------------
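
The two replies above (the enforcement outcome depends on what the policy does with an Unknown health status, and a posture result times out to Unknown) can be walked through with a small model. This is an added example, not part of the thread and not ClearPass code: the rule format, the one-hour timeout, the MAC address and the assumption that authentication still succeeds after the reinstall are all constructed for illustration.

```python
# Simplified model for illustration only; this is not ClearPass code or its API.
from dataclasses import dataclass
from typing import Optional

POSTURE_TIMEOUT_S = 3600  # assumed lifetime of a cached posture result

@dataclass
class Endpoint:
    mac: str
    last_posture: Optional[str] = None     # last result reported by an agent
    posture_time: Optional[float] = None   # when it was reported (seconds)

def effective_posture(ep: Endpoint, now: float) -> str:
    """A cached result counts only while fresh; otherwise the status is Unknown."""
    if ep.last_posture is None or now - ep.posture_time > POSTURE_TIMEOUT_S:
        return "Unknown"
    return ep.last_posture

def enforce(policy: dict, dot1x_ok: bool, posture: str) -> str:
    """First matching rule wins; if none matches, the default profile applies."""
    facts = {"dot1x_ok": dot1x_ok, "posture": posture}
    for conditions, profile in policy["rules"]:
        if all(facts[k] == v for k, v in conditions.items()):
            return profile
    return policy["default"]

# Policy A: only an authenticated, Healthy endpoint is permitted.
HEALTHY_ONLY = {"rules": [({"dot1x_ok": True, "posture": "Healthy"}, "Permit")],
                "default": "Deny"}
# Policy B: denies failed auth and Unhealthy, but has no rule for Unknown.
NO_UNKNOWN_RULE = {"rules": [({"dot1x_ok": False}, "Deny"),
                             ({"posture": "Unhealthy"}, "Deny")],
                   "default": "Permit"}

def scenario() -> dict:
    """Constructed timeline: Healthy reported at t=0 by the Windows 10 install,
    then the same MAC returns without an agent (authentication assumed to pass)."""
    ep = Endpoint("00:11:22:33:44:55", "Healthy", 0.0)  # constructed MAC
    out = {}
    for label, now in (("cached", 600.0), ("expired", 7200.0)):
        posture = effective_posture(ep, now)
        out[label] = (posture,
                      enforce(HEALTHY_ONLY, True, posture),
                      enforce(NO_UNKNOWN_RULE, True, posture))
    return out

if __name__ == "__main__":
    for label, result in scenario().items():
        print(label, result)
```

In this model the outcome after the timeout differs only because Policy B has no rule for Unknown and falls through to a permissive default.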