So, with your "solution" all I have to do to bypass it is:
Bypass 1:
- Let's say the policy requires "encryption" or "antivirus" or even removes USB access
- I connect to the network with the PC compliant and running OnGuard.
- ClearPass will send the info to the Fortigate: the IP of the PC is Healthy.
- That information will stay there until new info is sent by ClearPass. It never expires!
- Now, I'm on the PC and disable OnGuard. Either I remove the app or reinstall the PC, whatever.
- I reconnect to the network
- The Fortigate will still have the old information saying the PC is healthy (because it never expires).
- I can now connect from a PC without OnGuard, that may no longer be compliant.
Bypass 2 - Dynamic IPs:
- Network is set to give dynamic IPs to PCs.
- I connect with PC1. DHCP gives it IP1.
- OnGuard runs. A message is sent to the Fortigate saying IP1 => Healthy. The Fortigate will keep this info until it receives new info, which is only sent when OnGuard runs.
- PC1 disconnects from the network.
- Now, PC2 connects at a later date and DHCP gives it the same IP1 as PC1.
- PC2 does not have OnGuard, but the Fortigate still has the info that IP1 is healthy, because it never expires.
- PC2 connects without OnGuard or without being compliant.
I can replicate both scenarios in my lab and get into the network with computers not running OnGuard, so I know this happens with your "solution".
As an example, if I want to be able to access a USB pen drive when OnGuard prevents that, I just connect first with everything running, let ClearPass send the POST to the Fortigate, and then remove OnGuard from the PC, and I am able to access the USB drive when connected.
This would only work if the Fortigate had a timeout for the ClearPass info, which it doesn't.
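The post above boils down to one design defect: the enforcement point keeps a per-IP posture verdict that is only ever replaced, never aged out. The following is an added model of that table, not ClearPass or FortiGate code, written to show which mitigation actually closes each of the two scenarios. It assumes the behaviour the post describes (a verdict keyed by IP, refreshed only when the agent reports), and the IPs, MAC addresses and timestamps are constructed. The class names, the `ttl` and `bind_identity` options and the two scenario functions are all hypothetical.

```python
"""Model of the stale posture-verdict problem and two candidate mitigations.

Added illustration only; it does not reproduce any vendor's implementation.
Assumption (from the thread): the firewall keeps one verdict per IP and only
replaces it when the posture agent on the host reports again.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Verdict:
    healthy: bool
    mac: str            # identity of the host the verdict was issued for
    issued_at: float    # seconds on a constructed clock


@dataclass
class PostureCache:
    """Per-IP posture table as kept on the enforcement point.

    ttl=None reproduces the never-expiring table from the post; a number
    makes a verdict lapse after that many seconds without a fresh report.
    bind_identity=True makes a verdict count only for the MAC it was issued to.
    """
    ttl: Optional[float] = None
    bind_identity: bool = False
    table: Dict[str, Verdict] = field(default_factory=dict)

    def report(self, ip: str, mac: str, healthy: bool, now: float) -> None:
        """Called when the agent runs and the policy server posts a result."""
        self.table[ip] = Verdict(healthy, mac, now)

    def is_allowed(self, ip: str, mac: str, now: float) -> bool:
        """Decide whether traffic from (ip, mac) still gets the 'healthy' role."""
        v = self.table.get(ip)
        if v is None:
            return False
        if self.ttl is not None and now - v.issued_at > self.ttl:
            del self.table[ip]          # stale verdict: host must re-post
            return False
        if self.bind_identity and v.mac != mac:
            return False                # same IP, different host
        return v.healthy


def scenario_1_agent_removed(cache: PostureCache) -> bool:
    """Same PC posts healthy, agent is removed, PC reconnects hours later."""
    cache.report("10.0.0.5", "aa:aa:aa:aa:aa:01", healthy=True, now=0)
    # no new report is ever sent; does the old verdict still grant access?
    return cache.is_allowed("10.0.0.5", "aa:aa:aa:aa:aa:01", now=6 * 3600)


def scenario_2_ip_reuse(cache: PostureCache) -> bool:
    """PC1 posts healthy and leaves; DHCP later hands its IP to agentless PC2."""
    cache.report("10.0.0.5", "aa:aa:aa:aa:aa:01", healthy=True, now=0)
    return cache.is_allowed("10.0.0.5", "bb:bb:bb:bb:bb:02", now=3 * 86400)


def run_all() -> Dict[str, Tuple[bool, bool]]:
    """Returns {config: (scenario 1 still open, scenario 2 still open)}."""
    configs = {
        "no_expiry":   lambda: PostureCache(),
        "mac_only":    lambda: PostureCache(bind_identity=True),
        "ttl_only":    lambda: PostureCache(ttl=3600),
        "ttl_and_mac": lambda: PostureCache(ttl=3600, bind_identity=True),
    }
    return {name: (scenario_1_agent_removed(make()), scenario_2_ip_reuse(make()))
            for name, make in configs.items()}


if __name__ == "__main__":
    for name, (s1, s2) in run_all().items():
        state = lambda open_: "OPEN" if open_ else "closed"
        print(f"{name:12s} scenario1={state(s1):6s} scenario2={state(s2)}")
```

Running it shows the point of the post's last line: binding the verdict to the host identity closes only the IP-reuse case, while an expiry that forces the agent to re-post (here one hour) closes both, because a host that has stopped running the agent simply never gets its verdict renewed.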