Security

Dear Experts, 

One of my customer is facing this issue. Seems like common configuration but i think i am missing something obvious

1) Customer has 2 brand of switches, Huawei and H3c

2) OnGuard agent is installed on client devices that are connected to either of these switches. 

3) I created 2 services for both H3c and Huawei using the wizard. So there are total of 4 services configured. 1 x Web auth and Radius for Huawei and 1 x Web auth and Radius for H3C. 

4) Now the problem is client device shares the posture status with Clearpass which matches the FIRST WEB AUTH service. Is it ok? should we have single Web auth policy for onguard regardless of NAD devices?

5) I went with above assumption and disabled Huawei WEB AUTH service just to check, and in enforcement profiles i added Huawei CoA profiles alongside H3C CoA profiles, now when there is posture change (from H to UH) it only applies H3C CoA profiles and not Huawei Profiles as seen in the access tracker. Is it expected behavior? if yes how should i solve this problem?

Are you using device groups to group the two NAD types?  How are you controlling which Service the clients will hit?

Original Message:
Sent: Oct 03, 2023 06:32 AM
From: Owais101
Subject: ClearPass posture Checking - Services confusion

Dear Experts, 

One of my customer is facing this issue. Seems like common configuration but i think i am missing something obvious

1) Customer has 2 brand of switches, Huawei and H3c

2) OnGuard agent is installed on client devices that are connected to either of these switches. 

3) I created 2 services for both H3c and Huawei using the wizard. So there are total of 4 services configured. 1 x Web auth and Radius for Huawei and 1 x Web auth and Radius for H3C. 

4) Now the problem is client device shares the posture status with Clearpass which matches the FIRST WEB AUTH service. Is it ok? should we have single Web auth policy for onguard regardless of NAD devices?

5) I went with above assumption and disabled Huawei WEB AUTH service just to check, and in enforcement profiles i added Huawei CoA profiles alongside H3C CoA profiles, now when there is posture change (from H to UH) it only applies H3C CoA profiles and not Huawei Profiles as seen in the access tracker. Is it expected behavior? if yes how should i solve this problem?

Are you using device groups to group the two NAD types?  How are you controlling which Service the clients will hit?

Original Message:
Sent: Oct 03, 2023 06:32 AM
From: Owais101
Subject: ClearPass posture Checking - Services confusion

Dear Experts, 

One of my customer is facing this issue. Seems like common configuration but i think i am missing something obvious

1) Customer has 2 brand of switches, Huawei and H3c

2) OnGuard agent is installed on client devices that are connected to either of these switches. 

3) I created 2 services for both H3c and Huawei using the wizard. So there are total of 4 services configured. 1 x Web auth and Radius for Huawei and 1 x Web auth and Radius for H3C. 

4) Now the problem is client device shares the posture status with Clearpass which matches the FIRST WEB AUTH service. Is it ok? should we have single Web auth policy for onguard regardless of NAD devices?

5) I went with above assumption and disabled Huawei WEB AUTH service just to check, and in enforcement profiles i added Huawei CoA profiles alongside H3C CoA profiles, now when there is posture change (from H to UH) it only applies H3C CoA profiles and not Huawei Profiles as seen in the access tracker. Is it expected behavior? if yes how should i solve this problem?

A followup question is, if i configure only 1 Web auth policy for posture checking, can i apply multi vendor CoA profiles in the same condition? like

if condition x is true apply H3C CoA, Huawei CoA. 

When i tried this, its only apply H3C CoA and NOT Huawei CoA. 

Are you using device groups to group the two NAD types?  How are you controlling which Service the clients will hit?

Original Message:
Sent: Oct 03, 2023 06:32 AM
From: Owais101
Subject: ClearPass posture Checking - Services confusion

Dear Experts, 

One of my customer is facing this issue. Seems like common configuration but i think i am missing something obvious

1) Customer has 2 brand of switches, Huawei and H3c

2) OnGuard agent is installed on client devices that are connected to either of these switches. 

3) I created 2 services for both H3c and Huawei using the wizard. So there are total of 4 services configured. 1 x Web auth and Radius for Huawei and 1 x Web auth and Radius for H3C. 

4) Now the problem is client device shares the posture status with Clearpass which matches the FIRST WEB AUTH service. Is it ok? should we have single Web auth policy for onguard regardless of NAD devices?

5) I went with above assumption and disabled Huawei WEB AUTH service just to check, and in enforcement profiles i added Huawei CoA profiles alongside H3C CoA profiles, now when there is posture change (from H to UH) it only applies H3C CoA profiles and not Huawei Profiles as seen in the access tracker. Is it expected behavior? if yes how should i solve this problem?

You put the network devices into different device groups for each vendor. In the Enforcement Profile -> Profile tab you specify the device groups that need that profile.

A followup question is, if i configure only 1 Web auth policy for posture checking, can i apply multi vendor CoA profiles in the same condition? like

if condition x is true apply H3C CoA, Huawei CoA. 

When i tried this, its only apply H3C CoA and NOT Huawei CoA. 

Are you using device groups to group the two NAD types?  How are you controlling which Service the clients will hit?

Original Message:
Sent: Oct 03, 2023 06:32 AM
From: Owais101
Subject: ClearPass posture Checking - Services confusion

Dear Experts, 

One of my customer is facing this issue. Seems like common configuration but i think i am missing something obvious

1) Customer has 2 brand of switches, Huawei and H3c

2) OnGuard agent is installed on client devices that are connected to either of these switches. 

3) I created 2 services for both H3c and Huawei using the wizard. So there are total of 4 services configured. 1 x Web auth and Radius for Huawei and 1 x Web auth and Radius for H3C. 

4) Now the problem is client device shares the posture status with Clearpass which matches the FIRST WEB AUTH service. Is it ok? should we have single Web auth policy for onguard regardless of NAD devices?

5) I went with above assumption and disabled Huawei WEB AUTH service just to check, and in enforcement profiles i added Huawei CoA profiles alongside H3C CoA profiles, now when there is posture change (from H to UH) it only applies H3C CoA profiles and not Huawei Profiles as seen in the access tracker. Is it expected behavior? if yes how should i solve this problem?