Hi
The OnGuard client must be able to send the device status to ClearPass, thus you can't deny access completely to clients that haven't reported a valid posture. Instead you can apply a role that only allows DHCP, DNS and access to ClearPass for the web authentication to take place.
In general terms the OnGuard process works like this:
- Successful 802.1x authentication but unknown posture status: Return a limited role.
- Web authentication to report posture: Perform CoA after the web authentication to initiate new 802.1x authentication.
- Successful 802.1x authentication, known posture status: Return desired role.
The 802.1x service must have the option "Use Cached Results" enabled under the Enforcement tab, otherwise the service can't utilize the posture status from the previous web authentication.
How you apply the first limited role differs depending on how your clients connect to the network and from what type of equipment. If the client connects from a wired connection and the switch is capable of Downloadable User Roles (AOS 2540, 2930F/M and 5400 or CX 6200-6400) you can apply a DUR. Same if it's a wireless client connecting to an Aruba SSID. But if the client connects from an Aruba switch that doesn't support DUR you have to apply the restriction in another way. Depending on the switch, this can be done with different methods.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Jul 02, 2024 09:33 AM
From: Majed3730
Subject: How to Configure ClearPass to Block Devices Without OnGuard Installed?
Hi everyone,
I'm currently working on securing our network with ClearPass and need to ensure that only devices with OnGuard installed are allowed access. Can anyone guide me on how to create a rule in ClearPass that checks if the endpoint has OnGuard installed and blocks those that don't?
I've got the basics of ClearPass configuration down, but I'm a bit stuck on setting up this specific enforcement policy. Any detailed steps or resources would be greatly appreciated!
Thanks in advance for your help!