Security

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

Yes, I know, it's a difficult topic, but please don't give up.
The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.

Have you watched any videos of Herman? He explains it very well.

https://m.youtube.com/watch?v=l5Rt2K8KJiE

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.

Yeah I viewed that video, and configured everything like Herman.

Yet it seems the [ArubaOS Wireless - Terminate Session] enforcement profile has no effect, because after the Posture Scan, there is no connection bounce or anything like that.

So I am clueless now.

Yes, I know, it's a difficult topic, but please don't give up.
The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.

Have you watched any videos of Herman? He explains it very well.

https://m.youtube.com/watch?v=l5Rt2K8KJiE

The tricky part is that I have configured this feature already. (Based on the official guide)

And yet the port bounce does not happens :(

Do I have to configure something on the AP - WLAN side? like enable Dynamic Authorization?   I did it already, and did not solve it.

When using Onguard there is the following dependency:
1. First WLAN dot.1x-Auth - Posture state is UNKOWN, because no status has yet been transmitted by the agent

2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

The trick is to activate "Use Cached Results" in the Enforcement tab.

Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.