Security

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

Yes, I know, it's a difficult topic, but please don't give up.
The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.

Have you watched any videos of Herman? He explains it very well.

https://m.youtube.com/watch?v=l5Rt2K8KJiE

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

Yeah I viewed that video, and configured everything like Herman.

Yet it seems the [ArubaOS Wireless - Terminate Session] enforcement profile has no effect, because after the Posture Scan, there is no connection bounce or anything like that.

So I am clueless now.

Yes, I know, it's a difficult topic, but please don't give up.
The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.

Have you watched any videos of Herman? He explains it very well.

https://m.youtube.com/watch?v=l5Rt2K8KJiE

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

CoA is probably not working.
Make sure that ClearPass and WLAN controller synchronize the original time with the same NTP server. 
Make sure that RADIUS CoA is enabled in the ClearPass network device.
ClerPass uses UDP 3799 for CoA by default. Make sure that ClearPass can reach the controller via this port.

Authorization Radius Authorization or RFC 3576 Server must also be configured in the WLAN controller.

Please post enforcement from the web-auth service. 

Yeah I viewed that video, and configured everything like Herman.

Yet it seems the [ArubaOS Wireless - Terminate Session] enforcement profile has no effect, because after the Posture Scan, there is no connection bounce or anything like that.

So I am clueless now.

Yes, I know, it's a difficult topic, but please don't give up.
The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.

Have you watched any videos of Herman? He explains it very well.

https://m.youtube.com/watch?v=l5Rt2K8KJiE

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

When troubleshooting CoA, first check with Access Tracker that you see Accounting data, and use the 'Change Status' in Access Tracker to test a manual CoA first, before expecting that a policy triggered CoA works.

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.