Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass posture Checking - Services confusion

  • 1.  ClearPass posture Checking - Services confusion

    Posted Oct 03, 2023 06:32 AM

    Dear Experts, 

    One of my customers is facing this issue. It seems like a common configuration, but I think I am missing something obvious.

    1) Customer has 2 brands of switches, Huawei and H3C.

    2) OnGuard agent is installed on client devices that are connected to either of these switches. 

    3) I created 2 services for both H3C and Huawei using the wizard. So there are a total of 4 services configured: 1 x Web auth and RADIUS for Huawei and 1 x Web auth and RADIUS for H3C. 

    4) Now the problem is that the client device shares the posture status with ClearPass, which matches the FIRST WEB AUTH service. Is it OK? Should we have a single Web auth policy for OnGuard regardless of NAD devices?

    5) I went with the above assumption and disabled the Huawei WEB AUTH service just to check, and in enforcement profiles I added Huawei CoA profiles alongside H3C CoA profiles. Now when there is a posture change (from H to UH) it only applies H3C CoA profiles and not Huawei profiles, as seen in the Access Tracker. Is it expected behavior? If yes, how should I solve this problem?



  • 2.  RE: ClearPass posture Checking - Services confusion

    Posted Oct 03, 2023 09:22 AM

    Are you using device groups to group the two NAD types?  How are you controlling which Service the clients will hit?




  • 3.  RE: ClearPass posture Checking - Services confusion

    Posted Oct 03, 2023 09:32 AM
    That's the question: how can I separate web auth from Huawei vs H3C? I checked in Access Tracker; there is no indication or mention of the NAD in the incoming request that is hitting web auth.

    Yes, Huawei and H3C are in device groups, and their RADIUS services are properly configured and checking their respective device groups.

    The problem is with web auth.





  • 4.  RE: ClearPass posture Checking - Services confusion

    Posted Oct 03, 2023 12:30 PM

    A follow-up question is: if I configure only 1 Web auth policy for posture checking, can I apply multi-vendor CoA profiles in the same condition? Like:

    if condition x is true apply H3C CoA, Huawei CoA. 

    When I tried this, it only applied the H3C CoA and NOT the Huawei CoA. 




  • 5.  RE: ClearPass posture Checking - Services confusion

    MVP
    Posted Oct 06, 2023 09:44 AM

    You put the network devices into different device groups for each vendor. In the Enforcement Profile -> Profile tab you specify the device groups that need that profile.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 6.  RE: ClearPass posture Checking - Services confusion

    Posted Oct 06, 2023 10:21 AM
    No, the thing is, the same web auth service will be used by multiple vendors.