I’m having a problem with Instant and captive portal as it pertains to OnGuard.
When the user first connects, Posture is UNKNOWN, so I created a PostureUnknown role that gets returned to the Instant AP. This role allows http, https, and TCP 6658 to the ClearPass server. I can see on the Instant GUI that the client has this role.
The client can download and install the OnGuard agent via the ClearPass webpage, but the OnGuard agent can’t talk to the ClearPass server.
I even tried putting an ‘any any allow’ as the first access rule for testing, but that didn’t seem to make a difference. The client can’t even ping the ClearPass server. It would seem that I only have https access to the ClearPass server.
For testing, I had ClearPass return a different role with no captive portal, and an allow all access rule. Since the OnGuard agent was already installed, it reached the ClearPass server, did the health check, and all was well.
What am I not understanding about Instant and a role with an attached captive portal?
Is it possible to redirect clients to the captive portal, but also allow other access rules, such as port 6658 allow? Instant lets you enter access rules after the captive portal rule in a role, but they don’t seem to have an effect.
Thank you.