We've deployed OnGuard at one of our customers with the agent-bounce option. But we've faced one problem and I would like to get your opinion.
If the OnGuard agent status on the client says "Not Known", when we disable-enable the wired or wireless NIC, it triggers a health-check and after the bounce, the client goes to the correct VLAN because ClearPass knows that it's healthy. But if we do a health-check and right after that we disconnect the cable or wireless connection, the OnGuard agent stays as healthy. Health Logs on the agent say ethernet down, but even after we connect the cable it does not trigger a health-check because it thinks it's healthy. Because of this, the client stays on the quarantine VLAN. If we wait, sometimes it triggers a health-check within a few minutes, but this is too long.
Is there any option to set OnGuard agent to trigger health-check every time that wired or wireless connection flaps?
Faruk Binar - ACCX# 1350
I don't think you can trigger a health-check when the network connection flaps, and I don't fully understand why your client goes in the quarantine VLAN if the agent reports healthy. Or is this around switching between wired-wireless or wireless-wired?
It may be good to discuss this with Aruba support to get a better understanding of the problem and the options to fix it.
Firstly, thank you for your answer. Before I configured "Health-Check interval" in global agent settings to 1 hour and "Policy Cache Timeout" to 75 minutes (more than the health-check interval), I was experiencing that problem. When a client does a health-check and bounce or CoA, the agent says healthy as expected. But just right after that health-check, if it loses network, for example a wireless drop or cable removal, the agent stays in healthy status and while in that status, if we connect the client to the network again wired or wirelessly, the health-check does not trigger and the client stays in quarantine. I had to increase the policy cache timeout for this and it seems to have fixed the issue.
But now there is one problem with the health-check interval that I'd set to 1 hour. Every hour, the client bounces even if it stays in healthy status because of this interval. What is the best practice for this? If we don't set a health-check interval in global agent settings, what is the interval behind that? Should we set anything to use the policy cache timeout? And lastly, is there any disadvantage of setting the policy cache timeout to more than 1 hour or something?
Thank you in advance.
I don't recall that I needed to change the timers/parameters. The persistent OnGuard Agent (installer) will also keep a session open with ClearPass and, when status changes on the client, tell ClearPass so it can take action.
There may be something wrong with your setup... maybe good to go through the configuration and what you see with your Aruba partner or Aruba Support.
If you want to do some further troubleshooting yourself, the documents on the ClearPass Technotes page may help as well, with flow-charts of how OnGuard works and interacts with ClearPass.
Sorry for replying late. As you've said, there is no problem with the timers. There was a misunderstanding between me and my customer. There is no problem with the OnGuard agent as I'd said in my first post. I want to clarify this.
The only problem they have is that the agent starts to check health a few minutes after logging in to Windows. I will work on that but it's not related to this topic. So, this can be closed. Thank you again for helping.