New Contributor

Clearpass Onguard - Different Posture Checks for different domain groups

I have a scenario where there are two sets of users, staff and students. The end devices used by the staff are company provided, while the students use their own devices. There are two groups created in AD for these two sets of users.


Is it possible to have two different WebAuth Services for posture checking wherein:


1. The first WebAuth Service will be for the Staff, where the posture check will pass only if the devices have the Antivirus software and Patch Management software provided by the company and these are up to date.


2. The second WebAuth Service will be for the Students, where the posture check will pass if the end device has any Antivirus software and any Patch Management software and these are up to date.


I am unable to find any condition in the Service Rule for WebAuth where I can match the Service Rule based on the Domain Group.



Is there a way to configure two different Posture checks for these two sets of users?

Frequent Contributor I

Re: Clearpass Onguard - Different Posture Checks for different domain groups

Perhaps you could assign the users a different role based on the domain group and then use the role (previously assigned) in the enforcement policy/profile.




Aruba Employee

Re: Clearpass Onguard - Different Posture Checks for different domain groups

I can suggest the following options.

Option 1 - If you want to use two different WebAuth services for staff and students.

Update an endpoint attribute during Layer 2 authentication for staff devices and try that attribute in the service rule.


For example:

Update an endpoint attribute like Staff_Device = true during the user authentication, and use that attribute in the service rule for WebAuth.


Option 2 - If you decide to use a single WebAuth service.

Update the endpoint attribute as discussed above and use two different posture policies under a single WebAuth service. Keep the staff policy in the top position and map the student policy below it. This way the student devices will fail over to the second policy and be evaluated for the health check.

You will have a challenge when the staff device is not compliant with the staff policy and follows the one for students. But this can be addressed with a few additional conditions in the enforcement policy like below.

(Tips:Posture EQUALS HEALTHY (0))
AND (Posture:Applied Policy EQUALS Staff_Policy)
AND (Endpoint:Staff_Device EQUALS true)
Healthy Agent Bounce

The above options are well suited for the WebAuth service with "Health Check Only".

If you have Authentication + Health Checks enabled for the OnGuard agent, then you can skip the endpoint update and just perform the checks on the user group from AD and the applied policy.


(Tips:Posture EQUALS HEALTHY (0))
AND (Posture:Applied Policy EQUALS Staff_Policy)
AND (Authorization:AD Groups EQUALS Staff)
Healthy Agent Bounce


Thank you,
Saravanan Rajagopal

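The failure mode the answer above describes (a staff device that fails Staff_Policy, falls through to the student policy and comes back HEALTHY) is easy to see in a small model of first-match enforcement evaluation. The following is an added illustration, not ClearPass code or anything from the thread: it models an enforcement policy as an ordered list of ANDed conditions, evaluates a few constructed requests, and compares a naive "Posture EQUALS HEALTHY" rule with the hardened conditions quoted in the answer (both the Endpoint:Staff_Device variant and the Authorization:AD Groups variant). The student rule, the fallback profile name Quarantine_Profile and the sample request values are constructed for the example.

```python
"""Hypothetical model of ClearPass enforcement-policy evaluation.

Added illustration, not ClearPass code. Rules are evaluated top-down and the
first rule whose conditions all hold selects the enforcement profile, which is
the behaviour the answer relies on. Attribute and value names follow the
conditions quoted in the answer; the student rules, the fallback profile name
and the sample requests below are constructed for this example.
"""

HEALTHY = "HEALTHY (0)"
FALLBACK_PROFILE = "Quarantine_Profile"  # constructed name for the policy default


def equals(attribute, value):
    """Build one 'attribute EQUALS value' condition over a request dictionary."""
    return lambda request: request.get(attribute) == value


def not_equals(attribute, value):
    """Build one 'attribute NOT_EQUALS value' condition (missing attribute counts as not equal)."""
    return lambda request: request.get(attribute) != value


def evaluate(policy, request):
    """First-match evaluation: profile of the first rule whose conditions all match."""
    for conditions, profile in policy:
        if all(condition(request) for condition in conditions):
            return profile
    return FALLBACK_PROFILE


# Naive policy: any HEALTHY posture result gets the healthy profile, regardless
# of which posture policy produced it.
NAIVE_POLICY = [
    ([equals("Tips:Posture", HEALTHY)], "Healthy Agent Bounce"),
]

# Option 2 as hardened in the answer: a tagged staff device only counts as
# healthy when Staff_Policy produced the HEALTHY result. The student rule is
# constructed to mirror it for untagged devices.
OPTION2_POLICY = [
    ([equals("Tips:Posture", HEALTHY),
      equals("Posture:Applied Policy", "Staff_Policy"),
      equals("Endpoint:Staff_Device", "true")], "Healthy Agent Bounce"),
    ([equals("Tips:Posture", HEALTHY),
      equals("Posture:Applied Policy", "Student_Policy"),
      not_equals("Endpoint:Staff_Device", "true")], "Healthy Agent Bounce"),
]

# Authentication + Health Checks variant: the AD group replaces the endpoint tag.
# The "Students" group name is constructed.
AD_GROUP_POLICY = [
    ([equals("Tips:Posture", HEALTHY),
      equals("Posture:Applied Policy", "Staff_Policy"),
      equals("Authorization:AD Groups", "Staff")], "Healthy Agent Bounce"),
    ([equals("Tips:Posture", HEALTHY),
      equals("Posture:Applied Policy", "Student_Policy"),
      equals("Authorization:AD Groups", "Students")], "Healthy Agent Bounce"),
]

# Constructed sample requests as the enforcement policy would see them.
STAFF_COMPLIANT = {"Tips:Posture": HEALTHY, "Posture:Applied Policy": "Staff_Policy",
                   "Endpoint:Staff_Device": "true", "Authorization:AD Groups": "Staff"}
# Staff device that failed Staff_Policy and was then passed by Student_Policy.
STAFF_FELL_THROUGH = {"Tips:Posture": HEALTHY, "Posture:Applied Policy": "Student_Policy",
                      "Endpoint:Staff_Device": "true", "Authorization:AD Groups": "Staff"}
STUDENT_COMPLIANT = {"Tips:Posture": HEALTHY, "Posture:Applied Policy": "Student_Policy",
                     "Authorization:AD Groups": "Students"}
STUDENT_UNHEALTHY = {"Tips:Posture": "NOT_HEALTHY (constructed)",
                     "Posture:Applied Policy": "Student_Policy",
                     "Authorization:AD Groups": "Students"}


def compare_policies(request):
    """Return the profile each policy selects for one request."""
    return {
        "naive": evaluate(NAIVE_POLICY, request),
        "option2": evaluate(OPTION2_POLICY, request),
        "ad_group": evaluate(AD_GROUP_POLICY, request),
    }


if __name__ == "__main__":
    for name, req in [("staff compliant", STAFF_COMPLIANT),
                      ("staff fell through", STAFF_FELL_THROUGH),
                      ("student compliant", STUDENT_COMPLIANT),
                      ("student unhealthy", STUDENT_UNHEALTHY)]:
        print(f"{name:20} {compare_policies(req)}")
```

The interesting row is the fell-through staff device: the naive rule grants Healthy Agent Bounce because the posture token alone is HEALTHY, while both hardened policies drop to the fallback because the Applied Policy does not match the device's staff tag or AD group.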