ClearPass OnGuard Cache Timeout
01-31-2019 02:16 PM
I have a customer who has deployed ClearPass OnGuard for a large-scale enterprise. We have built what I think is the pretty typical setup for OnGuard: Connect to 802.1X SSID with the 'Use cached Roles and Posture attributes from previous sessions' in the Enforcement Policy. Web Auth Service will get triggered for the posture check and the terminate session is applied to the webauth. The client will re-authenticate to the SSID now with the posture applied and get connected to the network.
If you do not have the agent installed, which is to say that the posture is 'unknown', you will be redirected to the captive portal in order to install the agent.
The challenge I am having is with the client that does have the agent installed, but the cache timeout has passed and the posture is also 'unknown' at this point. These clients are getting redirected to the captive portal. The webauth service runs and they will then land in the correct VLAN; however, it is confusing to the end user as to why the portal page popped up when they do have the client.
Is there a way to make the posture something other than unknown for those devices that have the agent installed, but the cache timeout has passed? Since the RADIUS service hits first and then the webauth service second to get the posture, I need to do something different with the client that is unknown due to cache time than the client that is unknown from not having the agent installed.