Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass OnGuard - switch requirements

  • 1.  ClearPass OnGuard - switch requirements

    Posted Aug 21, 2012 06:37 PM

    Is there a list of supported switches that work with ClearPass OnGuard? Or is there a list of required features that the switch has to support in order to provide full OnGuard functionality?

     

    thanks,



  • 2.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 22, 2012 09:01 PM

    The primary requirement when it comes to a switch is dot1x support.  Check your switch model documentation and look for the ability to configure a RADIUS server using aaa and dot1x commands.  Different switches will provide different levels of richness when it comes to dot1x.  E.g. can you pass back just a simple VLAN vs. a role name vs. a dynamic ACL etc. etc.

     

    You should check with your local account team for more information.



  • 3.  RE: ClearPass OnGuard - switch requirements

    Posted Jun 05, 2013 08:49 PM
    We asked for this and basically got the exact information that Cisco ISE has listed. We have Cisco wired. Do you have OnGuard working in an 802.1x environment? Curious how you handle this on wired, including how the OnGuard agent is deployed.


  • 4.  RE: ClearPass OnGuard - switch requirements

    Posted Jul 29, 2013 07:39 PM

    I'll throw my name against this as well; I'm finding it very hard to work out what to do here.



  • 5.  RE: ClearPass OnGuard - switch requirements

    Posted Jul 29, 2013 08:41 PM
    Just curious what you're trying to do on the wired side?


  • 6.  RE: ClearPass OnGuard - switch requirements

    Posted Jul 29, 2013 08:59 PM

    802.1x with 3750s and using the OnGuard client to manage a quarantine VLAN.

     

     



  • 7.  RE: ClearPass OnGuard - switch requirements

    Posted Jul 29, 2013 09:02 PM
    We are hoping to get dot1x going. Our environment should be interesting as we have some switches that are 10 years old. We have some 3750s too. So you went VLAN switching as opposed to L3 ACLs?


  • 8.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 04, 2013 10:12 PM

    Haven't really decided on the overall solution yet; only just got dot1x working with the NAP agent on Windows.

     

    As it happens, it doesn't look like you can use the OnGuard agent in an 802.1x installation, only Microsoft NAP.

     



  • 9.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 06, 2013 10:07 AM

    @scottdoorey wrote:

    As it happens, it doesn't look like you can use the OnGuard agent in an 802.1x installation, only Microsoft NAP.

     


    I used the OnGuard agent (the permanent one, not the dissolvable one) fine with 802.1x wired and wireless. Went for the dynamic VLAN route; not optimal, as clients don't like being thrown into a different VLAN (they keep their DHCP address), but with a NIC bounce (via the agent) it worked well enough.



  • 10.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 06, 2013 05:06 PM

    How do you tie the OnGuard posture policy in with the 802.1x posture policy?

     

    When I set up an 802.1x service, it only allows me to select Microsoft NAP options.

     




  • 11.  RE: ClearPass OnGuard - switch requirements

    EMPLOYEE
    Posted Aug 06, 2013 05:30 PM

    When setting up OnGuard you are going to have 2 services.

     

    1. 802.1x (RADIUS service)

    2. OnGuard (webauth service)

     

    You will need your enforcement profile to look for posture tokens.

     


     

     

    It's not an easy process to do on your own the first time, so I always recommend that you work with your local SE or ClearPass SE.



  • 12.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 06, 2013 06:10 PM
    So the enforcement profile in the dot1x service checks for posture tokens created by the OnGuard service?

    The windows NAP agent just seems a little more elegant.



  • 13.  RE: ClearPass OnGuard - switch requirements

    EMPLOYEE
    Posted Aug 06, 2013 06:19 PM
    It may be a little easier, but NAP is very limited in what you can check.


  • 14.  RE: ClearPass OnGuard - switch requirements

    EMPLOYEE
    Posted Aug 06, 2013 06:33 PM

    If you are only checking Windows devices, NAP is the easiest way of doing it, but if you want to check advanced settings (reg keys, etc.) or Mac, you will need to use the OnGuard agent.

     

    http://www.arubanetworks.com/pdf/products/DS_ClearPass_OnGuard.pdf

     




  • 15.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 07, 2013 02:42 AM

    Yeah, that detail escaped me; once I got used to it, it felt "normal". As we were dealing with MacOS systems also, Microsoft NAP was never an option.

     

    The agent service provides the posture, and the 802.1x wired service uses that posture token.

     

    The problem is that you need IP connectivity for the OnGuard agent to communicate with the CPPM; only Microsoft NAP is able to send data through the 802.1x process. Would be nice if Aruba could pull that off with the OnGuard agent too :)



  • 16.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 07, 2013 08:00 PM

    OK, now I get it.

     

    I think I've got it working in this fashion; however, I'm not sure about dynamically reauthorising the user on dot1x after the web auth has been done.

     

    Is this simply a case of sending a bounce client message to the NAS and then having "cache posture from previous sessions" enabled in the dot1x service?

     

    scott



  • 17.  RE: ClearPass OnGuard - switch requirements

    EMPLOYEE
    Posted Aug 07, 2013 08:08 PM
    Correct.
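    The switch-side pieces this thread touches on (the aaa/dot1x RADIUS setup from post 2, dynamic VLAN assignment from CPPM, and the CoA "bounce client" re-authentication confirmed in posts 16 and 17), as an added example that is not from the thread, from Aruba or from Cisco documentation: a Cisco IOS 12.2SE-style configuration for a 3750 access port. The RADIUS server address, shared secret, interface and VLAN numbers are placeholders I made up.

```ios
! Constructed example, not from the thread. Cisco IOS 12.2SE-style 3750 config:
! 802.1X on an access port, authenticating against ClearPass (CPPM).
! 192.0.2.10, CHANGE_ME, Gi1/0/1 and the VLAN IDs are placeholders.
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what makes the switch honour the VLAN
! (Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID) or ACL that CPPM returns,
! which is how a healthy vs. quarantine VLAN gets applied per session.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! CPPM as the RADIUS server (shared secret is a placeholder)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE_ME
radius-server vsa send authentication
!
! Accept RADIUS CoA / Disconnect (RFC 3576) from CPPM on UDP 3799. Without this the
! "bounce client" enforcement after OnGuard posture cannot force the port to
! re-authenticate, and the dot1x service never gets to re-evaluate the cached posture.
aaa server radius dynamic-author
 client 192.0.2.10 server-key CHANGE_ME
 port 3799
!
dot1x system-auth-control
!
vlan 100
 name HEALTHY
vlan 200
 name QUARANTINE
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode single-host
 ! Periodic re-auth with the interval supplied by CPPM (Session-Timeout).
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 ! Placeholder fallback: a failed 802.1X session lands in the quarantine VLAN, so the
 ! OnGuard agent still has the IP reachability to CPPM that post 15 says it needs.
 authentication event fail action authorize vlan 200
 spanning-tree portfast
```

    Verify with `show authentication sessions interface Gi1/0/1` before and after a bounce from CPPM; the session should re-appear with the VLAN CPPM assigned for the new posture token.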


  • 18.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 07, 2013 08:10 PM

    OK, great, feeling much better about this now! Thanks for your help Troy.

     

    Unfortunately our local SEs weren't fully up to speed on the OnGuard stuff, so I've been trying to work it out the hard way!

     

    scott



  • 19.  RE: ClearPass OnGuard - switch requirements

    Posted Aug 04, 2013 10:23 PM
    Nice. May I ask if you had to have another server for Microsoft NAP or just the ClearPass server?


  • 20.  RE: ClearPass OnGuard - switch requirements

    EMPLOYEE
    Posted Aug 06, 2013 02:41 AM

    scottdoorey,

    What are you trying to accomplish that you say you can use OnGuard in a .1x environment? I have multiple customers that have OnGuard installed with .1x, and it's one of the items you are taught how to use in the partner workshops.


    Again, I know this is a hot topic for everyone out there, and we are hoping to have a document soon for public use on how to use OnGuard. There are a few examples in the CPPM server; you just need to click the help link in the top right corner and search for posture.

     
