View Only
last person joined: 17 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass OnGuard - Windows Service and Client Mode?

This thread has been viewed 13 times
  • 1.  ClearPass OnGuard - Windows Service and Client Mode?

    Posted Sep 09, 2022 10:49 AM

    I've got about 200 Windows laptop/desktop machines which use OnGuard. I need to run the agent in client/service mode.

    All OnGuard agents run in client mode - that is, when a user is logged on, the OnGuard client runs and does posture evaluation via ClearPass. If the VLAN needs to be changed (these ports are dynamic VLANs), ClearPass will send it to the new VLAN, and the Client will do an Agent Port Bounce. This is important, because without port bounce, we're at the mercy to the old DHCP lease as to when it gets a good address on the new VLAN. We need to use the Agent Port Bounce, because the smaller Juniper switches we use can't do a CoA to port bounce. (but they do run the dot1x dynamic VLAN fine)

    When the users logoff, the agent caches the posture state for, in our case, 2 hours.  After 2 hours, the posture state goes to "Unknown", and we want to move them to another VLAN.

    But there is no more port bounce when the user's logged off. So the devices stay on the new VLAN but keep the lease from the old VLAN so they're not accessible.

    What I need is to run OnGuard on the Windows machine in Client and Service mode.

    I wasn't the one that installed the agents in the PCs, but I need info on how to get this to work, if I need to do it to all of them at once, or can I do it PC by PC, etc. and what changes I'd need on ClearPass to get this to work.

    If there are ClearPass or OnGuard install documents that explain how to do this, please point me to them!




  • 2.  RE: ClearPass OnGuard - Windows Service and Client Mode?

    Posted Sep 12, 2022 08:55 AM
    Can you configure a switch port bounce via CoA instead of using the client bounce?
    Also, the recommendation is to switch roles/dACL instead of switching VLANs to avoid this type of complexity.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: ClearPass OnGuard - Windows Service and Client Mode?

    Posted Sep 14, 2022 02:34 AM
    In my case, I have 9300 Cisco switch and I set 'reauthentication timer server' config in switch so ClearPass will push down a reauth timer (equals to session timeout). You may need to find out what command equivalent to this in your Juniper switch.

    So when the Windows PC you have doing logout, it should do machine authentication (if your dot1x setting set to perform machine auth).

    So after machine auth maybe you can try configuring reauth timer enforcement profile, set to 2 hours ? So when 2 hours elapsed, the switch will do reauth by itself (since you said CoA is not working at your Juniper switch).

  • 4.  RE: ClearPass OnGuard - Windows Service and Client Mode?

    Posted Oct 12, 2022 09:23 PM


    Yes. I do that. But that's not what disconnects the port. The Agent Port Bounce, or RADIUS Port Bounce (depends on switch) disconnect and reconnect the port. 

    This is needed because if OnGuard (running on Windows) decides a device has transitioned from Healthy to Unhealthy (say, because one of the required services were stopped by a scheduled task), then ClearPass tells the dot1x port to change from the healthy to unhealthy (quarantine) VLAN.

    Herein is the issue. When the port was on VLAN 1 and Healthy, it may have an IP of, as assigned by DHCP. When it's gone to Unhealthy, the port is assigned to VLAN 100 (quarantine). Here, the problem will try to be resolved. If the reason was the anti-virus was out of date, it would be allowed to get to the AV's update device(s) but be prevented from using "healthy" access.

    But the issue is when moved from VLAN 1 to VLAN 100, the NIC still has the (VLAN 1) address, because the DHCP TTL is 8 days (by default in Windows AD DHCP servers). So even though the port is on the correct VLAN, no communication is possible, because the IP can't renew to the proper IP it should have, because the PC's DHCP agent is still holding the old address.

    The only way to fix this is to either set the TTL for DHCP very low - like 5 minutes for both VLAN 100 and 1 (which we don't want to do), or unplug and plug the port, then DHCP will work on the new VLAN 100. As we can't really unplug it, setting the "Agent Port Bounce" in the WEBAUTH service will do the same thing.

    Many switch vendors allow you to do a RADIUS port bounce, and many switch vendors already are in the RADIUS dictionary. But my small Junipers - while supporting dot1x fine, do not do RADIUS port bounce.

    To fix this, we have to run OnGuard as an agent and service, which is a OnGuard setting. The user goes from "Agent" to "Agent & Service" mode after the next user logins in. Then it will run as a service when the user is logged out. And when the AV or service issue is resolved, then the Enforcement Profile will dynamically move the port back to VLAN 1, and port bounce, then the PC port will get the proper DHCP.

    You can test this by setting a scheduled task in Windows to disable a service that's required to make a PC Healthy. Make it run when the OnGuard cache maybe try 4 hours or so after you logoff. Disable the service, and see that OnGuard changes the port's VLAN and the device gets the proper DHCP on each VLAN transition.

    We reauth all the time, but that just makes dot1x decide if the device should be on whatever VLAN the policy determines. It doesn't actually drop the port's carrier to allow DHCP to renew the least not on my Junipers the "clear dot1x interface X' also reauths, but the port doesn't flap. Remember the reauth is a RADIUS service, the OnGuard posture assessment is a WEBAUTH service.