Security

Hi team,

There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?

Thanks in advance for your GREAT help.

few things to note for a onguard solution.

1. you need to have a WEBAUTH service for the health check, here based on the health tokens, this service will CoA (terminate session) the client.
2. in addition to the webauth service, you also need to have an enforcement policy rule (for your dot1x service) to check for the health tokens that onguard agents send.
3. in the same enforcement policy, you need to enable the checkbox shown below to keep track of the



4. the starting status of onguard health token is always UNKNOWN and you should cater for that in your enforcement policy, by sending the client to a captive portal and/or to ensure it has limited access to the network so that the agent can send its health report to clearpass,
5. you need to ensure port TCP/6658 and 443 is allowed for the communication between the agent and clearpass
6. once the clearpass's webauth service receives the new status of healthy fro the onguard agent then, it will do a CoA and a new dot1x request is initiated and this time the health token is healthy and then the user gets whatever appropriate access you had configured for it.

check this for the onguard flow diagram
https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Posture/postureArchandFlow.html


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Jun 07, 2022 08:51 PM
From: Hevin Huo
Subject: OnGuard question

Hi team,

There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?

Thanks in advance for your GREAT help.

Please take a hard look at the question, okay?
Original Message:
Sent: Jun 07, 2022 09:12 PM
From: Ariya Parsamanesh
Subject: OnGuard question

few things to note for a onguard solution.

1. you need to have a WEBAUTH service for the health check, here based on the health tokens, this service will CoA (terminate session) the client.
2. in addition to the webauth service, you also need to have an enforcement policy rule (for your dot1x service) to check for the health tokens that onguard agents send.
3. in the same enforcement policy, you need to enable the checkbox shown below to keep track of the



4. the starting status of onguard health token is always UNKNOWN and you should cater for that in your enforcement policy, by sending the client to a captive portal and/or to ensure it has limited access to the network so that the agent can send its health report to clearpass,
5. you need to ensure port TCP/6658 and 443 is allowed for the communication between the agent and clearpass
6. once the clearpass's webauth service receives the new status of healthy fro the onguard agent then, it will do a CoA and a new dot1x request is initiated and this time the health token is healthy and then the user gets whatever appropriate access you had configured for it.

check this for the onguard flow diagram
https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Posture/postureArchandFlow.html


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jun 07, 2022 08:51 PM
From: Hevin Huo
Subject: OnGuard question

Hi team,

There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?

Thanks in advance for your GREAT help.

The device with unknown token status, needs access to the network so the agent can send the updated health token.
the webauth service that should be configured will coa the client based on the token status which then results in a new auth req and this one should not match the posture=unknown enforcement rule.
you don't need to add extra delay.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Jun 07, 2022 10:04 PM
From: Hevin Huo
Subject: OnGuard question

Please take a hard look at the question, okay?
Original Message:
Sent: Jun 07, 2022 09:12 PM
From: Ariya Parsamanesh
Subject: OnGuard question

few things to note for a onguard solution.

1. you need to have a WEBAUTH service for the health check, here based on the health tokens, this service will CoA (terminate session) the client.
2. in addition to the webauth service, you also need to have an enforcement policy rule (for your dot1x service) to check for the health tokens that onguard agents send.
3. in the same enforcement policy, you need to enable the checkbox shown below to keep track of the



4. the starting status of onguard health token is always UNKNOWN and you should cater for that in your enforcement policy, by sending the client to a captive portal and/or to ensure it has limited access to the network so that the agent can send its health report to clearpass,
5. you need to ensure port TCP/6658 and 443 is allowed for the communication between the agent and clearpass
6. once the clearpass's webauth service receives the new status of healthy fro the onguard agent then, it will do a CoA and a new dot1x request is initiated and this time the health token is healthy and then the user gets whatever appropriate access you had configured for it.

check this for the onguard flow diagram
https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Posture/postureArchandFlow.html


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jun 07, 2022 08:51 PM
From: Hevin Huo
Subject: OnGuard question

Hi team,

There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?

Thanks in advance for your GREAT help.

You might want to change the onguard global agent settings to run as "both service and agent".
Then you can get a posture pre-logon from the PC bouncing the user to the corporate vlan .
Original Message:
Sent: Jun 07, 2022 10:04 PM
From: Hevin Huo
Subject: OnGuard question

Please take a hard look at the question, okay?
Original Message:
Sent: Jun 07, 2022 09:12 PM
From: Ariya Parsamanesh
Subject: OnGuard question

few things to note for a onguard solution.

1. you need to have a WEBAUTH service for the health check, here based on the health tokens, this service will CoA (terminate session) the client.
2. in addition to the webauth service, you also need to have an enforcement policy rule (for your dot1x service) to check for the health tokens that onguard agents send.
3. in the same enforcement policy, you need to enable the checkbox shown below to keep track of the



4. the starting status of onguard health token is always UNKNOWN and you should cater for that in your enforcement policy, by sending the client to a captive portal and/or to ensure it has limited access to the network so that the agent can send its health report to clearpass,
5. you need to ensure port TCP/6658 and 443 is allowed for the communication between the agent and clearpass
6. once the clearpass's webauth service receives the new status of healthy fro the onguard agent then, it will do a CoA and a new dot1x request is initiated and this time the health token is healthy and then the user gets whatever appropriate access you had configured for it.

check this for the onguard flow diagram
https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Posture/postureArchandFlow.html


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jun 07, 2022 08:51 PM
From: Hevin Huo
Subject: OnGuard question

Hi team,

There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?

Thanks in advance for your GREAT help.

Yes, this was very useful for us. Thank you !
Original Message:
Sent: Jun 27, 2022 06:46 AM
From: Matan Tal
Subject: OnGuard question

You might want to change the onguard global agent settings to run as "both service and agent".
Then you can get a posture pre-logon from the PC bouncing the user to the corporate vlan .
Original Message:
Sent: Jun 07, 2022 10:04 PM
From: Hevin Huo
Subject: OnGuard question

Please take a hard look at the question, okay?
Original Message:
Sent: Jun 07, 2022 09:12 PM
From: Ariya Parsamanesh
Subject: OnGuard question

few things to note for a onguard solution.

1. you need to have a WEBAUTH service for the health check, here based on the health tokens, this service will CoA (terminate session) the client.
2. in addition to the webauth service, you also need to have an enforcement policy rule (for your dot1x service) to check for the health tokens that onguard agents send.
3. in the same enforcement policy, you need to enable the checkbox shown below to keep track of the



4. the starting status of onguard health token is always UNKNOWN and you should cater for that in your enforcement policy, by sending the client to a captive portal and/or to ensure it has limited access to the network so that the agent can send its health report to clearpass,
5. you need to ensure port TCP/6658 and 443 is allowed for the communication between the agent and clearpass
6. once the clearpass's webauth service receives the new status of healthy fro the onguard agent then, it will do a CoA and a new dot1x request is initiated and this time the health token is healthy and then the user gets whatever appropriate access you had configured for it.

check this for the onguard flow diagram
https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Posture/postureArchandFlow.html


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jun 07, 2022 08:51 PM
From: Hevin Huo
Subject: OnGuard question

Hi team,

There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?

Thanks in advance for your GREAT help.