When you say redirect user to a portal, are you referring to the remedy website or otherwise?
The remedy website could be used once you have the posture information, so if it's QUARANTINE then you could send the user to a remedy website.
Do you have a sample of the redirect?
The redirect I was talking about is just a simple informational Web Login Page (Aruba user-role using a Captive Portal Profile pointing to that Web Login).
And when you said bounce, you meant to 'kick' the client, and the client will need to reauthenticate 802.1x, right?
That's correct
Is bounce really necessary? In the agent I can see a 'retry' button.
The bounce is similar to the CoA
And what happens if, let's say, the client posture is healthy? For example, the client needs to turn on Windows Firewall to pass the check. The agent checks and it passes. Then the user closes the agent and turns off the firewall. Is there a way to disallow this kind of scenario?
Even when you exit out or log out, the Agent will be running in the background and it will detect that within 5 minutes and it will force the client to do a reauth.
https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/Exiting-Onguard-Agent-on-Client-does-not-change-Role-as-Unhealthy
If the user disables the firewall, the agent should be able to detect that within a certain amount of time; please see this list:
https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/OnGuard-Check-Interval
You could also set a session timeout on the agent enforcement profile to force the agent to report back every certain amount of time.
I also notice I have created 2 sets of 'identical' enforcement profiles: 1 set is for 802.1x, the other set is for webauth. 1 set is 'radius' and the other set is 'radius coa', because I could only use 'radius_coa' for the webauth service. Generally my profiles are just returning a role. Should that be the way?
You should use an agent enforcement profile in the web auth policy
And use a Radius enforcement profile in the .1X policy
But I guess my problem now is being unable to assign the role back to the WLC with the right enforcement policy.