  • 1.  Onguard Webauth Service for different switches

    Posted Sep 08, 2024 02:56 PM
    Edited by Ronin101 Sep 08, 2024 02:56 PM

    Dear Experts, 

    I have configured 3 x OnGuard web auth services for Cisco, H3C and Aruba (since all have different CoA). In the service matching criteria, how can I differentiate between a client coming from a Cisco switch vs other switches? I have checked the RADIUS input parameters and it doesn't mention the IP address of the NAD. 

    Or am I doing something wrong?



  • 2.  RE: Onguard Webauth Service for different switches

    Posted Sep 09, 2024 03:38 AM

    Hi.


    You have several options. 

    1. Create device groups for Cisco, H3C and Aruba switches and put the correct switches into their respective groups. This is usually how I do this so I can use these groups to limit enforcement profiles to a specific NAD OS.
    2. Add an attribute to the NAD device registration and check for this attribute value. Not very flexible, but can be handy sometimes.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 3.  RE: Onguard Webauth Service for different switches

    Posted Sep 09, 2024 04:41 AM
    Dear Gorazd,

    I checked the webauth request in Access Tracker. The NAD IP address is not mentioned. How can I apply a device group filter then?





  • 4.  RE: Onguard Webauth Service for different switches

    Posted Sep 09, 2024 05:07 AM

    Hi Owais.

    You can include enforcement profiles for all platforms in the enforcement policy as a last resort.

    It is quite difficult to guess what you are doing wrong, as no info is provided to analyze it. Can you post a sanitized Access Tracker record and the service config?

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 5.  RE: Onguard Webauth Service for different switches

    Posted Sep 09, 2024 02:10 PM

    You include all of the Enforcement Profiles in the Enforcement Policy rule.

    On each Enforcement Profile, you set a Device Group List to which the profile applies.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------