Security


ClearPass running OnGuard as Agent & Service - doesn't scan during the night? Unknown posture at night?

  • 1.  ClearPass running OnGuard as Agent & Service - doesn't scan during the night? Unknown posture at night?

    Posted Oct 21, 2022 10:23 PM
    Hi,

    I have our OnGuard deployment set as agent and server now. This was supposed to stop Windows machines from getting an "Unknown (100)" enforcement posture. We want it to say "Healthy" or "Unhealthy" as appropriate. Agent & Service was supposed to keep the agent doing WEBAUTHs or at least reporting the posture properly.

    Now, I see the number of active licenses for OnGuard on ClearPass (6.10.7) changing from 350+ during the day, to 80-100 during the evening. I can ping / RDP / etc. to these PCs as normal, and dot1x does reevaluate the physical VLAN according to our dot1x timeout. So when WEBAUTH decides the machine's not healthy the VLAN changes, and we require the Agent Port Bounce to flap the NIC so a new DHCP address is obtained on the new VLAN. The same port bounce happens when the device gets healthy again.

    We have a cache set, but that's not overriding the actual checking of changes by OnGuard, is it? After the cache expires, the devices go Unknown.

    Any assistance you can give would be appreciated!

    Regards,

    -Ambi

    ------------------------------
    Ambidexter
    ------------------------------


  • 2.  RE: ClearPass running OnGuard as Agent & Service - doesn't scan during the night? Unknown posture at night?

    Posted Oct 24, 2022 06:09 AM
    Please work with Aruba Support. I see similar behavior in my lab, where clients that are locked/inactive don't send periodic webauths, but do seem to be 'connected' in the OnGuard activity. So it's not really clear to me if the client is connected on an existing/persistent connection, or it does not report any posture data. TAC would be able to find out if that is expected, and if it may hurt.

    In ClearPass 6.11 a new feature 'Grace Period' has been added, which also may be a way to solve your problem.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------