Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass OnGuard Health-Check Trigger Issue

  • 1.  ClearPass OnGuard Health-Check Trigger Issue

    Posted Nov 29, 2023 02:32 PM

    Hi,

    We've deployed OnGuard at one of our customers with the agent-bounce option. But we've faced one problem and I would like to get your opinion.

    If the OnGuard agent status on the client says "Not Known", when we disable-enable the wired or wireless NIC, it triggers a health-check and after the bounce, the client goes to the correct VLAN because ClearPass knows that it's healthy. But if we do a health-check and right after that we disconnect the cable or wireless connection, the OnGuard agent stays as healthy. Health Logs on the agent say ethernet down, but even after we connect the cable it does not trigger a health-check because it thinks it's healthy. Because of this, the client stays on the quarantine VLAN. If we wait, sometimes it triggers a health-check within a few minutes, but this is too long.

    Is there any option to set OnGuard agent to trigger health-check every time that wired or wireless connection flaps?

    Faruk Binar - ACCX# 1350



  • 2.  RE: ClearPass OnGuard Health-Check Trigger Issue

    EMPLOYEE
    Posted Dec 06, 2023 05:37 AM

    I don't think you can trigger a health-check when the network connection flaps, and I don't fully understand why your client goes in the quarantine VLAN if the agent reports healthy. Or is this around switching between wired-wireless or wireless-wired?

    It may be good to discuss this with Aruba support to get a better understanding of the problem and the options to fix it.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass OnGuard Health-Check Trigger Issue

    Posted Dec 06, 2023 05:33 PM

    Hi Herman,

    Firstly, thank you for your answer. Before I configured "Health-Check interval" in global agent settings to 1 hour and "Policy Cache Timeout" to 75 minutes (more than the health-check interval), I was experiencing that problem. When a client does a health-check and bounce or CoA, the agent says healthy as expected. But right after that health-check, if it loses network, for example a wireless drop or cable removal, the agent stays in healthy status and, while in that status, if we connect the client to the network again wired or wirelessly, the health-check does not trigger and the client stays in quarantine. I had to increase the policy cache timeout for this and it seems to have fixed the issue.

    But now there is one problem with the health-check interval that I'd set to 1 hour. Every hour, the client bounces even though it stays in healthy status because of this interval. What is the best practice for this? If we don't set a health-check interval in global agent settings, what is the interval behind that? Should we set anything to use policy cache timeout? And lastly, is there any disadvantage of setting policy cache timeout to more than 1 hour or something?

    Thank you in advance.




  • 4.  RE: ClearPass OnGuard Health-Check Trigger Issue

    EMPLOYEE
    Posted Dec 07, 2023 09:50 AM

    I don't recall that I needed to change the timers/parameters. The persistent OnGuard Agent (installer) will also keep a session open with ClearPass and, when status changes on the client, tell ClearPass so it can take action.

    There may be something wrong with your setup... maybe good to go through the configuration and what you see with your Aruba partner or Aruba Support.

    If you want to do some further troubleshooting yourself, the documents on the ClearPass Technotes page may help as well, with flow charts of how OnGuard works and interacts with ClearPass.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: ClearPass OnGuard Health-Check Trigger Issue

    Posted Dec 24, 2023 06:34 PM

    Dear Herman,

    Sorry for replying late. As you've said, there is no problem with the timers. There was a misunderstanding between me and my customer. There is no problem with the OnGuard agent like I said in my first post. I want to clarify this.

    The only problem they have is that the agent starts to check health a few minutes after logging in to Windows. I will work on that, but it's not related to this topic. So, this can be closed. Thank you again for helping.