OnGuard with Windows - Unhealthy when shutting down?

    Posted Oct 27, 2022 10:57 AM

    Hi, (sorry this is so long!)

    We are using 6.9.5 OnGuard on our 6.10.7 ClearPass (didn't push new agents yet). It seems to work as expected most times.

    Our users are instructed to keep the machines logged in, as we do patching, security scans, etc. at night. But if they, for whatever reason, decide to reboot the Windows machine, we get into a situation where there is a chance (25%+) that the PC will be unhealthy when the WebAuth runs.

    Our OnGuard WebAuth is required to check for a good network connection (wired or wireless, but only one; 0 or more than 1 is unhealthy). We also require a certain security service to be running.

    When the PC goes to Quarantine(20), it is most likely that the posture assessment says the network and the Windows services (our security service) are unhealthy.

    Usually, once a device goes Quarantine, we use the agent to bounce the port. This gets the PC on the new VLAN, as expected, with a new DHCP lease. The device would then be able to remediate whatever issue it has using the new VLAN. For example, if the AV signatures were out of date, it could download new ones, do another WebAuth, then become Healthy, and move back to the "regular" VLAN with an agent port bounce and its "regular" IP.

    But here's the rub - when the PC is shutting down, the "network unhealthy" means the network is disconnected. So there is no way to get a new DHCP lease.

    Now, when the PC restarts (usually, it's just a reboot, not a shutdown-wait for hours-restart situation), I'd expect it to ask for a new lease. But for some reason, the device is still on the quarantine VLAN and is not able to communicate. After the dot1x reauthenticate interval (say 60 mins), it usually will do another dot1x auth, then it does a WebAuth, gets healthy, and moves to the proper VLAN.

    This may happen sooner, if I do a terminate-session CoA (or clear the dot1x on the interface of the switch), but these don't happen enough for me to see one that I can try to clear sooner. But the way it clears itself happens at the reauth interval.

    Is there some way to ensure OnGuard is down or at least paused while the shutdown is happening? We are playing with a delayed start for OnGuard in case it's the restart that's causing an issue (no results yet), but are we going to need some group policy, task scheduler, or some agent script to shut down OnGuard before anything becomes unhealthy on a shutdown?

    Thanks,

    Ambi



    ------------------------------
    Ambidexter
    ------------------------------
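The post asks for a group policy, task scheduler or script approach that takes OnGuard down before a shutdown can make the posture unhealthy. The script below is an added example, not code from the original post, from Aruba, or from the ClearPass product; it is written as a Computer Configuration shutdown script (GPO: Computer Configuration > Policies > Windows Settings > Scripts > Shutdown), which Windows runs as SYSTEM before the network adapters are torn down. It records the two posture conditions the post describes (exactly one connected adapter, and a required security service running) to the Application event log so an admin can see after the reboot what the machine looked like at shutdown, and then stops the agent service. The service names are assumptions: `$AgentServiceName` and `$RequiredService` are placeholders that must be replaced with the actual Windows service names in your environment.

```powershell
# Added example (not from the original post or from Aruba/ClearPass).
# Deploy as a GPO computer shutdown script. Runs as SYSTEM at shutdown.
#
# ASSUMPTIONS / PLACEHOLDERS - replace with real service names before use:
#   $AgentServiceName  Windows service name of the OnGuard agent
#   $RequiredService   the security service the posture policy requires
param(
    [string]$AgentServiceName = 'PLACEHOLDER_ONGUARD_AGENT_SERVICE',
    [string]$RequiredService  = 'PLACEHOLDER_REQUIRED_SECURITY_SERVICE',
    [string]$LogSource        = 'OnGuardShutdownCheck'   # event-log source this script creates
)

# Register the event-log source once so the snapshot survives the reboot.
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

# Posture condition 1 from the post: exactly one connected physical adapter.
# 0 or more than 1 is treated as unhealthy by the WebAuth policy.
$upAdapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
$netHealthy = ($upAdapters.Count -eq 1)

# Posture condition 2 from the post: the required security service is running.
$svc        = Get-Service -Name $RequiredService -ErrorAction SilentlyContinue
$svcHealthy = ($null -ne $svc -and $svc.Status -eq 'Running')

# Write a snapshot of both conditions. A Warning entry here tells the admin
# that the machine already looked unhealthy at the moment shutdown began.
$adapterNames = ($upAdapters | ForEach-Object { $_.Name }) -join ','
$msg = "Shutdown posture snapshot: adapters up=$($upAdapters.Count) [$adapterNames]; " +
       "$RequiredService running=$svcHealthy; net healthy=$netHealthy"
$entryType = if ($netHealthy -and $svcHealthy) { 'Information' } else { 'Warning' }
Write-EventLog -LogName Application -Source $LogSource -EventId 1000 `
    -EntryType $entryType -Message $msg

# Stop the agent before the adapters go down, so it cannot run a posture
# check against a half-dismantled network stack during the shutdown.
$agent = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
if ($null -ne $agent -and $agent.Status -eq 'Running') {
    Stop-Service -Name $AgentServiceName -Force -ErrorAction SilentlyContinue
    Write-EventLog -LogName Application -Source $LogSource -EventId 1001 `
        -EntryType Information -Message "Stopped $AgentServiceName prior to shutdown"
}
```

After a few reboots, filtering the Application log on the source `OnGuardShutdownCheck` shows whether the adapter count or the service state was already off when shutdown started, which separates "the agent reported a transient shutdown state" from "the machine genuinely failed posture". The script only acts on the client: if the switch has already moved the port to the quarantine VLAN, that session state persists until the reauthentication interval or a CoA clears it, exactly as the post describes, so this addresses the cause rather than the recovery.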