Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x onguard - not processing health check

  • 1.  802.1x onguard - not processing health check

    Posted Feb 25, 2020 07:17 PM

    When a Windows client first authenticates through the switch using .1x and meets the conditions for the top service in the list (wired .1x service), it gets evaluated by the enforcement policy and hits the condition of Posture NOT-EQUALS HEALTHY because the posture is UNKNOWN (per below).

    ***

    Tips:Role = user-authenticated 

    AND Tips:posture != HEALTHY     

    THEN ENFORCE THESE PROFILES:

    --->     Assign Quarantine VLAN Profile
    --->     Terminate Session

    ***

    After that, the request never hits the health check service to start the posture evaluation.  

    What needs to be configured to force the client/device to hit the 'health check service'?



  • 2.  RE: 802.1x onguard - not processing health check

    Posted Feb 26, 2020 05:29 AM

    You don't want to "Terminate Session". You want to assign quarantine VLAN and bounce the port.



  • 3.  RE: 802.1x onguard - not processing health check

    Posted Feb 26, 2020 12:20 PM

    Also make sure that the client device has access to the ClearPass IP for OnGuard to communicate, since you didn't mention what is going on at the client side.



  • 4.  RE: 802.1x onguard - not processing health check

    Posted Mar 03, 2020 03:48 PM

    Back from vacation and tested OnGuard again today, but changed the 802.1x service enforcement profile from 'terminate session' to 'arubaOS switching - bounce switch port'.  The request still never hits the health check service after that.  The access tracker only sees the one hit of the 802.1x service.  The client gets the proper profile, gets moved to the quarantine VLAN and nothing happens after that (per below).

    Tips:Role = user-authenticated 

    AND Tips:posture != HEALTHY     

    THEN ENFORCE THESE PROFILES:

    --->     Assign Quarantine VLAN Profile    ...this happens
    --->     [arubaOS switching - bounce switch port]   ...this does not seem to do anything


    I've attached the last several logs of the access tracker log file here in case that helps (attachment: 3-3 ACCESS TRACKER LOGS.PNG).


    What else needs to be configured to force the client/device to hit the 'health check service'?



  • 5.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 12:35 AM

    Hi,


    1) Which switch are you using, along with the firmware version?

    2) Assuming it's an Aruba switch (since you are using Aruba CoA profiles), make sure dynamic authorization is enabled on the switch.

    3) Make sure the device is added in ClearPass properly with the vendor selected as Aruba and RADIUS CoA checked.


    The process should work as below; you may trace it to see which part is missing, or else give your switch configuration and ClearPass snapshot for us to analyze further.


    1) Client connects on the port.

    2) Since this is the first time, the client's posture is unknown, so it should be assigned the quarantine VLAN.

    3) Now OnGuard must be installed on the client, either manually or through a web redirect to the CPPM web page, which gives the option to download the OnGuard agent.

    4) Once the client is redirected and has downloaded/installed OnGuard, OnGuard will try to connect to CPPM (make sure the assigned role/ACL allows access to the CPPM IP).

    5) Once OnGuard sends the HEALTHY token to CPPM, CPPM must NOW send a CoA to the switch.

    6) Upon receiving the CoA, the switch disconnects the client, which results in re-authentication.

    7) This time the client's posture is known and HEALTHY, so it gets the required role/VLAN.

    8) Make sure your 802.1x service has "use the cached roles/postures" checked.



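As an added illustration of the eight-step flow above (this is a constructed model, not ClearPass code and not anything posted in the thread), the Python below evaluates the quoted enforcement rule, caches the posture reported by the OnGuard health token, records the CoA bounce, and shows why step 8 matters: with the cached-posture option off, the re-authentication sees UNKNOWN again and the client loops back into quarantine. The class and function names, the sample MAC and the production profile name are assumptions; only the two quarantine profile names come from the thread.

```python
from enum import Enum


class Posture(Enum):
    UNKNOWN = "UNKNOWN"
    HEALTHY = "HEALTHY"
    QUARANTINE = "QUARANTINE"


# The two profile names quoted in the thread; the production profile name is assumed.
QUARANTINE_PROFILES = ["Assign Quarantine VLAN Profile", "arubaOS switching - bounce switch port"]
PRODUCTION_PROFILE = "Allow Access Profile"


def enforcement_policy(role, posture):
    """The enforcement rule quoted in the thread. NOT-EQUALS HEALTHY also
    matches UNKNOWN, which is why a first-time client lands in quarantine."""
    if role == "user-authenticated" and posture != Posture.HEALTHY:
        return list(QUARANTINE_PROFILES)
    return [PRODUCTION_PROFILE]


class PostureFlow:
    """Toy stand-in for CPPM, the switch and the OnGuard agent (constructed model)."""

    def __init__(self, use_cached_posture=True):
        self.use_cached_posture = use_cached_posture  # the 802.1x service option from step 8
        self.cache = {}      # mac -> Posture learned from the OnGuard health token
        self.coa_sent = []   # CoA messages CPPM sent to the switch

    def authenticate(self, mac):
        """Steps 1-2 on first connect, step 7 on the re-authentication."""
        posture = Posture.UNKNOWN
        if self.use_cached_posture:
            posture = self.cache.get(mac, Posture.UNKNOWN)
        return enforcement_policy("user-authenticated", posture)

    def onguard_health_report(self, mac, healthy):
        """Steps 5-7: OnGuard posts its health token, CPPM caches the result,
        sends a CoA bounce, and the switch re-authenticates the client."""
        self.cache[mac] = Posture.HEALTHY if healthy else Posture.QUARANTINE
        self.coa_sent.append(("bounce-port", mac))
        return self.authenticate(mac)


def walk_through(use_cached_posture=True):
    """Run the flow for one constructed client MAC; return both decisions and the CoA count."""
    flow = PostureFlow(use_cached_posture)
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    first = flow.authenticate(mac)
    after_health = flow.onguard_health_report(mac, healthy=True)
    return first, after_health, len(flow.coa_sent)
```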

  • 6.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 01:07 AM

    Thx for the follow-up.  

    1)  Aruba 2930F 

    # sh version
    Image stamp:
    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
    Nov 1 2019 19:24:11
    WC.16.10.0002
    208
    Boot Image: Primary

    Boot ROM Version: WC.16.01.0008


    2)  Yes, dyn-auth is configured via this command:  radius-server host <CPPM IP> dyn-authorization


    3) Yes to both


    -------------------

    Regarding the process, we don't have OnGuard installed on the client.  The customer would prefer not to have any additional steps for the user, so can we use a dissolvable agent instead of a persistent one?  If so, what should this process be?  This is where I need some clarity; I want to learn what all of our options are to simply get a health check done on each client each time a user authenticates.  If there is a way to do this without any additional user steps, please explain that process and how the 802.1x service enforcement policy needs to be set up to trigger a health check, etc.


    Thanks




  • 7.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 01:24 AM
    Have you configured a web redirect to download and run the dissolvable agent? If not, how are you planning to get it installed and run?


  • 8.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 11:55 AM

    No, I haven't configured web-redirect.  That must be the issue.  I haven't been able to find good documentation on this topic.  I have seen some docs saying to create a guest account to redirect them to Captive Portal, but we only have onguard licenses and no guest licenses.


    Given that info, how do I configure the service(s) for this?  Can this be done without guest licenses?  Is there any doc out there that explains the CPPM config steps?



  • 9.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 12:07 PM
    Hi,

    Which CPPM version are you using? In the current version, guest licenses are bundled with Access licenses.

    Also, you don't need a guest setup for the web redirect. You just need to create the web page and redirect your users to that page if the OnGuard check has not been performed.

    If you have not done it before, the process might seem a bit tricky or daunting at first. I will try to make a video of the process over the next few days.


  • 10.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 12:51 PM

    We are on CPPM v6.7, but may upgrade to 6.8


    No, I haven't done this before.  A video or any step-by-step document would be ideal. 


    Going by your responses, it appears that this process cannot be done without some additional steps from the user.  Given that, I would like to find out what Aruba recommends that would take the least amount of time and effort for the users (the simplest process for users)?


    Thanks



  • 11.  RE: 802.1x onguard - not processing health check

    Posted Mar 04, 2020 01:27 PM
    Hi,

    Seamless operation would require a web redirect after the user is authenticated but has not passed/conducted the OnGuard test.

    I will try my best to get the video done ASAP. I have the lab setup ready, so it shouldn't take much time.


  • 12.  RE: 802.1x onguard - not processing health check

    Posted Mar 09, 2020 01:00 PM

    Any update on this today would be much appreciated, even if it's not a complete video guide.  I'd like to at least get started in understanding how to configure the web-redirect in the CPPM 802.1x service.  Thx