few things to note for a onguard solution.
1. you need to have a WEBAUTH service for the health check, here based on the health tokens, this service will CoA (terminate session) the client.
2. in addition to the webauth service, you also need to have an enforcement policy rule (for your dot1x service) to check for the health tokens that onguard agents send.
3. in the same enforcement policy, you need to enable the checkbox shown below to keep track of the
4. the starting status of onguard health token is always UNKNOWN and you should cater for that in your enforcement policy, by sending the client to a captive portal and/or to ensure it has limited access to the network so that the agent can send its health report to clearpass,
5. you need to ensure port TCP/6658 and 443 is allowed for the communication between the agent and clearpass
6. once the clearpass's webauth service receives the new status of healthy fro the onguard agent then, it will do a CoA and a new dot1x request is initiated and this time the health token is healthy and then the user gets whatever appropriate access you had configured for it.
check this for the onguard flow diagramhttps://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Posture/postureArchandFlow.html
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Sent: Jun 07, 2022 08:51 PM
From: Hevin Huo
Subject: OnGuard question
There is one thing that needs your help. We are using Onguard to check customer compliance. We created a policy that grants full access based on their role when the user status check results is health. If the client status check results are unknown (the client is not installed), they are redirected to a URL to run a dissolvable client or downloadable persistence client. But the problem now is that when a user powers on the computer and logs on, the Onguard client will run after the user logs on, at which point the check status of the user's first logon is unknown, and the unknown policy will match, causing the user who installed the Onguard client to also be redirected to this URL. So, is there a way to avoid this? For example, add a delay to user authentication, or add some restrictions to this rule, such as checking if the Onguard client is installed to avoid?
Thanks in advance for your GREAT help.