I tested the change status and saw a successful re-auth and port bounce; this was also confirmed via Wireshark.
My new question goes back to the MAC address used: OnGuard is coming with a completely different MAC address, while the dot1x uses the passthrough NIC I have assigned.
When I force a re-auth, the 1x MAC has never had any posture associated with it.
I cannot attribute that MAC to anything on the machine unless the agent generates it.
So what I am stuck on is that even if I trigger the auth, the passthrough NIC has never officially been postured, and no action can be taken on that value.
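The MAC mismatch described above, as an added example (not ClearPass or any Aruba code): a small Python correlation that keys posture by MAC first, falls back to the username (the global setting the original post mentions), and builds the CoA target from the 802.1X session the switch actually knows rather than from the agent-reported MAC. Field names, VLAN numbers and the sample records are constructed assumptions for illustration only.

```python
"""
Added example (not ClearPass code): correlate 802.1X sessions with OnGuard
posture records when the two are keyed by different MAC addresses, and derive
the CoA target from the 802.1X session rather than from the posture record.
All field names, VLAN numbers and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical VLAN assignments for the pass/fail enforcement profiles.
VLAN_BY_POSTURE = {"HEALTHY": 100, "QUARANTINE": 200}


def norm_mac(mac: str) -> str:
    """Normalise 00-11-22-33-44-55 / 0011.2233.4455 / 00:11:22:33:44:55 to one form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Dot1xSession:
    mac: str            # Calling-Station-Id the switch authenticated
    username: str
    nas_ip: str
    nas_port_id: str    # switch interface carrying the session


@dataclass
class PostureRecord:
    mac: str            # MAC the OnGuard agent reported (may differ from above)
    username: str
    status: str         # HEALTHY / QUARANTINE / UNKNOWN


@dataclass
class Decision:
    session_mac: str
    matched_by: Optional[str]   # "mac", "username" or None
    posture: str
    vlan: Optional[int]
    coa_target: Optional[dict]  # the switch-side session to bounce, if any


def correlate(sessions, postures):
    """Attach a posture to each 802.1X session by MAC, else by username."""
    by_mac = {norm_mac(p.mac): p for p in postures}
    by_user = {p.username.lower(): p for p in postures}
    decisions = []
    for s in sessions:
        mac = norm_mac(s.mac)
        rec = by_mac.get(mac)
        matched_by = "mac" if rec else None
        if rec is None:
            rec = by_user.get(s.username.lower())
            matched_by = "username" if rec else None
        status = rec.status if rec else "UNKNOWN"
        vlan = VLAN_BY_POSTURE.get(status)
        # Only a known posture justifies a bounce, and the bounce must reference
        # the session the switch actually holds (802.1X MAC + NAS port). A CoA
        # keyed to the agent's MAC matches no session on the switch.
        coa = None
        if vlan is not None:
            coa = {"nas_ip": s.nas_ip,
                   "calling_station_id": mac,
                   "nas_port_id": s.nas_port_id}
        decisions.append(Decision(mac, matched_by, status, vlan, coa))
    return decisions


# Constructed sample mirroring the thread: alice's posture arrived under a
# different MAC than her 802.1X session; bob has no posture record at all.
SESSIONS = [
    Dot1xSession("00-11-22-33-44-55", "lab\\alice", "10.0.0.2", "GigabitEthernet1/0/7"),
    Dot1xSession("00-11-22-33-44-66", "lab\\bob", "10.0.0.2", "GigabitEthernet1/0/8"),
]
POSTURES = [
    PostureRecord("AA:BB:CC:DD:EE:01", "lab\\alice", "HEALTHY"),
]

if __name__ == "__main__":
    for d in correlate(SESSIONS, POSTURES):
        print(d)
```

Running the block shows alice matched only by username (her posture MAC never appears on the switch) with a CoA target built from her 802.1X MAC and port, while bob stays UNKNOWN with no bounce, which is the "let it hang out and run the posture check" branch of the original policy idea.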
Original Message:
Sent: Jun 20, 2024 12:26 PM
From: DB86
Subject: ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue
Have you verified that RADIUS CoA is working to the switch? You can test bouncing the client's session by using the "change status" button in the Access Tracker entry for the current session. If that doesn't work, then the Cisco config would need some attention. Maybe the L4 port is wrong? You could also try using the agent bounce instead, which sends the bounce to the OnGuard client itself instead of the switch. It will disable and enable the interface on the device.
------------------------------
Dustin Burns
Lead Mobility Engineer @Worldcom Exchange, Inc.
ACCX 1271 | ACMX 509 | ACSP | ACDA | MVP Guru 2022-2023
If my post was useful accept solution and/or give kudos
Original Message:
Sent: Jun 19, 2024 10:53 AM
From: Bkoelling
Subject: ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue
Hello All,
I am currently working through a ClearPass LAB, and everything has gone smoothly until I try to integrate the OnGuard portion. I am running CPPM 6.12.0.300732 on CLABV.
My objective is to authenticate utilizing EAP-TLS via a Cisco switch (this works wonderfully), grab a posture check, bounce/terminate the session, and utilize the posture status to drop the user into a specific VLAN.
Independently, these checks both work without issue. I am running the agent-based unit. I see a good auth in the Tracker for the 802.1X, and the WebAuth OnGuard comes shortly after. In my WebAuth enforcement, I have it set to enforce a bounce for anything posture-related. I have tried multiple methods to force any type of bounce, but I cannot see any attempt. I do have Wireshark in multiple spots, and I never see CPPM attempt to push that CoA.
Below is a summary of what I have configured.
802.1x Summary
My idea here, and I could be wrong, is that if the device has a posture status, the policy can take the correct action; if it's unknown, let it hang out and run the posture check.
The fail and pass profiles return a VLAN number.
The WebAuth/Posture policy is configured as follows:
The Enforcement I currently have in place is to terminate the session no matter what. I have also tried to bounce, disable, and re-authenticate tied to specific posture values with no luck.
I see that both services are hit and complete in the Tracker, but I do not get any action from the WebAuth.
I have realized that the Webauth uses a separate endpoint/MAC address that does not exist in the switch table.
I did change the global setting to utilize the username, but that, unfortunately, did not change the behavior.
I am stuck here, and I cannot seem to get it to operate as I intend. Am I missing something, or is my understanding completely off on how this is supposed to operate?
I can provide anything more that may help in diagnosing/resolving. Thanks in advance for any support!