Requirement: Is it possible to configure a session timeout for the OnGuard persistent agent and force it to re-post the health check at the specified interval?
Solution: You can configure a session timeout for the agent using agent-based enforcement, which keeps the agent performing the health check at the specified interval.
Configuration:
Note: This article covers only the agent session timeout setup. For basic ClearPass OnGuard configuration, refer to the OnGuard configuration tech note available at the location below.
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961
Follow the steps below to configure the agent session timeout.
Create an agent-based enforcement profile under Configuration >> Enforcement >> Profiles and specify the session timeout under the Attributes tab as shown below.
Map the created enforcement profile in the health check (WebAuth) service under Configuration >> Services to enforce the session timeout on the client/agent after a successful health check.
Verification: After a successful health check, you will see the session timeout sent to the agent in the Access Tracker output, as shown below.
Output Application Attributes -
Agent:SessionTimeout = 16200
You can see the session timeout enforced in the agent/client log (ClearPassOnGuard_*.log), as shown below.
2015-11-17 07:25:38,218 [Th 00002128] DEBUG OnGuardPlugin.AuthSession - GetEnfProfileAttrs: Auth Attribute: SessionTimeout=16200
2015-11-17 07:25:38,561 [Th 00002128] INFO OnGuardPlugin.InterfaceManager - SetState: Moving from WAIT_FOR_CREDENTIALS (2) to AUTH_COMPLETE (3) after 7 seconds
2015-11-17 07:25:38,561 [Th 00002128] INFO OnGuardPlugin.ActionQueue - Dequeue: AgentController - No pending events in the queue. Waiting for 5000 ms.
2015-11-17 07:25:38,561 [Th 000066e8] DEBUG OnGuardPlugin.BaseClient - Run: BaseClient Thread starting
2015-11-17 07:25:43,714 [Th 00002128] INFO OnGuardPlugin.ActionQueue - Dequeue: AgentController - No pending events in the queue 00000000040E8420
2015-11-17 07:25:43,730 [Th 00002128] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=DOWN (0) (Seconds in this state=2562) for Junos Pulse
2015-11-17 07:25:43,730 [Th 00002128] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=5) for Local Area Connection
2015-11-17 07:25:38,421 [Th 00002128] INFO OnGuardPlugin.AuthSession - DoEnforcementActions: Enforcement actions for Local Area Connection: Bounce=0 timeout=16200 secs healthcheckquietperiod=-1 secs' hideretrybutton=0 hidelogoutbutton=0 hidequitoption=0 messages='
The AUTH_COMPLETE state in the client log shows the time in seconds since the last health check. The output below from ClearPassOnGuard_*.log confirms that the client was forced to re-authenticate and post the health check again after the session timeout.
2015-11-19 15:53:37,960 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16146) for Local Area Connection
2015-11-19 15:53:43,012 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16151) for Local Area Connection
2015-11-19 15:53:48,070 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16156) for Local Area Connection
2015-11-19 15:53:53,122 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16161) for Local Area Connection
2015-11-19 15:53:58,174 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16166) for Local Area Connection
2015-11-19 15:54:03,234 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16171) for Local Area Connection
2015-11-19 15:54:04,251 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - SetState: Moving from AUTH_COMPLETE (3) to AUTH_SERVER_DISCOVERY (1) after 16172 seconds
2015-11-19 15:54:07,713 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - SetState: Moving from WAIT_FOR_CREDENTIALS (2) to AUTH_COMPLETE (3) after 3 seconds
2015-11-19 15:54:12,764 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=5) for Local Area Connection
2015-11-19 15:54:17,815 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=10) for Local Area Connection
2015-11-19 15:54:22,867 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=15) for Local Area Connection
2015-11-19 15:54:27,918 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=20) for Local Area Connection
2015-11-19 15:54:32,970 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=25) for Local Area Connection
2015-11-19 15:54:38,021 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=30) for Local Area Connection
2015-11-19 15:54:43,073 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=35) for Local Area Connection
2015-11-19 15:54:48,124 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=40) for Local Area Connection
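An added example, not part of the original article or of Aruba's tooling: a Python check that reads ClearPassOnGuard_*.log lines, picks up the enforced SessionTimeout, and confirms the agent left AUTH_COMPLETE close to that value. The function name, the status labels and the 60-second tolerance are assumptions; the sample lines are copied from the excerpts above.

```python
import re

# Patterns follow the ClearPassOnGuard_*.log line shapes quoted in this article.
TIMEOUT_RE = re.compile(r"GetEnfProfileAttrs: Auth Attribute: SessionTimeout=(\d+)")
LEAVE_RE = re.compile(r"SetState: Moving from AUTH_COMPLETE \(3\) to \w+ \(\d+\) after (\d+) seconds")
NOOP_RE = re.compile(r"state=AUTH_COMPLETE \(3\) \(Seconds in this state=(\d+)\)")

# Lines copied from the article's log excerpts.
SAMPLE_LOG = """\
2015-11-17 07:25:38,218 [Th 00002128] DEBUG OnGuardPlugin.AuthSession - GetEnfProfileAttrs: Auth Attribute: SessionTimeout=16200
2015-11-19 15:54:03,234 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16171) for Local Area Connection
2015-11-19 15:54:04,251 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - SetState: Moving from AUTH_COMPLETE (3) to AUTH_SERVER_DISCOVERY (1) after 16172 seconds
2015-11-19 15:54:07,713 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - SetState: Moving from WAIT_FOR_CREDENTIALS (2) to AUTH_COMPLETE (3) after 3 seconds
2015-11-19 15:54:12,764 [Th 00001de4] INFO OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=5) for Local Area Connection
"""

def audit_session_timeout(lines, tolerance=60):
    """Return (timeout, findings); findings are (timestamp, status, seconds).

    tolerance is an assumed slack in seconds, not an OnGuard setting.
    """
    timeout, overrun_seen, findings = None, False, []
    for line in lines:
        ts = line[:23]  # "YYYY-MM-DD HH:MM:SS,mmm"
        if m := TIMEOUT_RE.search(line):
            timeout = int(m.group(1))
        elif timeout is None:
            continue  # no enforced timeout seen yet, nothing to compare against
        elif m := LEAVE_RE.search(line):
            held = int(m.group(1))
            if abs(held - timeout) <= tolerance:
                status = "reauth_on_time"
            else:
                status = "left_early" if held < timeout else "left_late"
            findings.append((ts, status, held))
            overrun_seen = False
        elif (m := NOOP_RE.search(line)) and not overrun_seen:
            held = int(m.group(1))
            if held > timeout + tolerance:
                # Agent is still in AUTH_COMPLETE well past the enforced timeout.
                findings.append((ts, "timeout_overrun", held))
                overrun_seen = True
    return timeout, findings

if __name__ == "__main__":
    print(audit_session_timeout(SAMPLE_LOG.splitlines()))
```

A `timeout_overrun` or `left_late` finding means the agent held a healthy posture state longer than the profile allows, which is worth checking against the enforcement profile mapped to the WebAuth service.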