Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Enable OnGuard Agent Auto Installation

  • 1.  Enable OnGuard Agent Auto Installation

    Posted Jul 10, 2018 12:32 PM

    Hi experts,

     

    I want to use the OnGuard feature to check if the users are healthy or not when they access the network. My objective is to enable the automatic installation of the OnGuard Agent if the clients don't have the OnGuard Agent when they first connect to the network. In order to achieve that, I have created a service with this enforcement policy:

    service.png

    Obviously, I also have the WEBAUTH service which returns the token.

    When the client doesn't have the OnGuard Agent the token is Unknown and ClearPass matches the Limited Access Profile, which sends a RADIUS accept and a "guest" attribute to the NAD:

    limited_access_profile.JPG

    Then I have created the "guest" role in my Instant Cluster, which has a captive portal profile which redirects to the Web Login Page which allows users to download the OnGuard agents, since I have checked the Require a successful OnGuard agent health check checkbox.

    Then, in my IAP the guest role I have created looks like this:

    guest_role.png

    And the captive portal profile attached to it looks like this:

    guest_role.png

     

    With all this, when the client without OnGuard Agent first connects to the network, it gets the guest role and opens the Web Login Page correctly, but after logging in, the browser gets stuck. I have checked in the access tracker and the sequence is like this:

    access_tracker1.PNG

    Entry 2 is my service which returns the guest attribute to my IAP, but I don't know why I get entry 1, which I get because I need a service. If I open this entry I see this:

    access_tracker2.PNG

    Which service do I need?

     

    Regards,

    Julián



  • 2.  RE: Enable OnGuard Agent Auto Installation

    EMPLOYEE
    Posted Jul 10, 2018 12:39 PM
    Why is the user logging in to download the agent when they have already authenticated to the network?


  • 3.  RE: Enable OnGuard Agent Auto Installation

    Posted Jul 10, 2018 01:00 PM

    Hi Tim,

     

    It is because it is the default of the Web Login Page. It is not necessary, as you say, but because I thought this was not a problem I wanted to optimize the Web Login Page later. However, when I changed the Pre-Auth Check field to "None - no extra checks will be made", the clients started to download the OnGuard Agent. Then, I wanted to remove this authentication totally and changed the Authentication field to "Auto - Do not require a username or password and automatically submit the page", but I got the following warning:

    warning.PNG

    Here, I was entering some non-existing users to get rid of this warning, but another warning appeared which says here I have to enter a valid ClearPass local account and set the Pre-Auth Check to "Local - match a local account". What is this? Why do I need it?

     

    Regards,

    Julián



  • 4.  RE: Enable OnGuard Agent Auto Installation

    EMPLOYEE
    Posted Jul 10, 2018 01:03 PM
    Don’t use a web login. Use a regular web page.


  • 5.  RE: Enable OnGuard Agent Auto Installation

    Posted Jul 10, 2018 01:11 PM

    Hi Tim,

     

    But when I want to create a Web Page, there is no "Require a successful OnGuard agent health check" checkbox:

    web_page.png

     

    Regards,

    Julián



  • 6.  RE: Enable OnGuard Agent Auto Installation

    EMPLOYEE
    Posted Jul 10, 2018 01:18 PM
    The goal is to provide the agent to download, correct? Just create links to the agent downloads. The web login functionality is the dissolvable agent.


  • 7.  RE: Enable OnGuard Agent Auto Installation

    Posted Jul 10, 2018 02:55 PM

    Yes, you are correct. Two things:

     

    1. When you say "create links to the agent downloads", do you mean to enter the URL of the agent installers instead of the URL of the Web Login Page in the external captive portal profile of my IAP? Please confirm. I tried that some days ago but failed (although I have to put more time on that) and for that reason I was trying with the Web Login Page way.
    2. In relation to "The web login functionality is the dissolvable agent.", the "Technical Note - ClearPass OnGuard Configuration Guide" says "That will link the page to Login Page that will allow the user to download the Dissolvable agent" and later says "This page can be edited for the desired look and feel. Links can also be added to allow the user to download the persistent agent.". Does the last sentence mean to create links to the agent installers as well?

    Regards,

    Julián



  • 8.  RE: Enable OnGuard Agent Auto Installation

    EMPLOYEE
    Posted Jul 10, 2018 03:04 PM

    1) No, create a new Web Page in Guest, not the IAP, and create links to the installers

    2) No, ignore all of that if you're using the persistent agent



  • 9.  RE: Enable OnGuard Agent Auto Installation

    Posted Jul 10, 2018 03:29 PM

    Ok, I will try option 1 and let you know.

     

    Many thanks,

    Julián



  • 10.  RE: Enable OnGuard Agent Auto Installation

    Posted Jul 10, 2018 04:48 PM

    Hi Tim,

     

    I have tried option 1 and the auto installation works very well. However, now I face this issue. After the installation of the OnGuard Agent, the client (laptop) and/or OnGuard Agent can not reach ClearPass, so it gets stuck there:

    agent.png

    I don't know if I have to add some more rule to my guest role:

    guest_role1.png

    If I disconnect and connect to the network again, because the OnGuard Agent has not communicated with ClearPass yet, the token keeps being Unknown, and then the service matches the Limited Access Profile again, which sends a RADIUS accept and a "guest" attribute to the NAD once again, which causes the web page to download the agent installers to load again. What am I missing?

     

    Regards,

    Julián

     



  • 11.  RE: Enable OnGuard Agent Auto Installation

    EMPLOYEE
    Posted Jul 10, 2018 05:05 PM

    1) Why are you running 6.6.0? You should be on either 6.6.10 or 6.7.5

    2) Did you allow 443 and 6658 in your quarantine role?

    3) Why are you doing posture on guest users?

    4) Did you enable posture cache in your enforcement policy?

     

    I'd recommend you work with your Aruba ClearPass partner to deploy OnGuard. It can be a bit complex without prior experience.



  • 12.  RE: Enable OnGuard Agent Auto Installation

    Posted Jul 11, 2018 09:50 AM

    Hi Tim,

     

    1) Though it is not the solution for the issue I am trying to solve, I am planning that upgrade in a few days.

    2) I am not using the quarantine role yet, I will use it later.

    3) I am not doing posture on guest users, it is for corporate users.

    4) Yes.

     

    I will spend more time on this, but I think to solve this issue I have to modify my guest role in my IAP, allow external captive portal and restricted access to ClearPass.

     

    Thanks for your help,

    Julián



  • 13.  RE: Enable OnGuard Agent Auto Installation

    Posted Dec 13, 2018 08:36 AM

    Hi

    Did you make any progress on this? In my setup I can redirect the client to the cppm web page where I have put the links to download the agent, but only if I use 'Radius authentication' as portal type in Instant. 'Authentication text' doesn't redirect anything. 

    Also, as the captive portal rule is at the top in the 'unknown' role, all http(s) is always redirected to the web page as long as the device is unknown. Unfortunately it will remain unknown as it cannot connect to the ClearPass server on the OnGuard port. 

    Maybe if we set an endpoint attribute when the device has the unknown health state, so that the second time the client connects, it is put in a quarantine role (based on that attribute and assuming that the agent has been downloaded) so that the agent can connect to ClearPass. 

    Rgds

    Peter
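
Added example, not part of any post in this thread and not Aruba code: a simplified first-match model of a pre-posture role, showing why a role whose first rule is the captive-portal redirect (post 13) leaves the agent unable to reach ClearPass on 443 and 6658 (the ports named in post 11), and how permits placed ahead of the redirect change the outcome. The ClearPass address, both rule sets and the first-match evaluation are assumptions of this model.

```python
# Simplified first-match model of a pre-posture role (added example, not Aruba code).
from dataclasses import dataclass
from typing import Optional

CPPM = "192.0.2.10"  # constructed ClearPass address (documentation range)
WEB = frozenset({80, 443})
AGENT_PORTS = (443, 6658)  # ports named in post 11 of the thread


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit", "deny" or "captive-portal"
    dst: Optional[str]           # destination IP, None means any
    ports: Optional[frozenset]   # TCP destination ports, None means any


def evaluate(rules, dst, port):
    """Return the action of the first rule matching (dst, port); default deny."""
    for r in rules:
        if r.dst not in (None, dst):
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r.action
    return "deny"


def agent_can_report(rules):
    """The agent can post health only if every agent port to ClearPass is permitted."""
    return all(evaluate(rules, CPPM, p) == "permit" for p in AGENT_PORTS)


def report(rules):
    """Action applied to traffic towards ClearPass on each port of interest."""
    return {p: evaluate(rules, CPPM, p) for p in (80, 443, 6658)}


# Constructed role: captive-portal rule first, nothing permitting 6658.
role_before = [Rule("captive-portal", None, WEB), Rule("deny", None, None)]

# Constructed role: explicit permits to ClearPass placed ahead of the redirect.
role_after = [
    Rule("permit", CPPM, frozenset(AGENT_PORTS)),
    Rule("captive-portal", None, WEB),
    Rule("deny", None, None),
]

if __name__ == "__main__":
    for name, role in (("before", role_before), ("after", role_after)):
        print(name, report(role), "agent_can_report =", agent_can_report(role))
```

In the first role the token can never leave Unknown, because 443 is redirected and 6658 is dropped before the agent reaches ClearPass; in the second, only those two ports to the single ClearPass address are opened and all other web traffic is still redirected.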

     

     



  • 14.  RE: Enable OnGuard Agent Auto Installation

    Posted May 04, 2021 12:13 PM
    Hi, please help me with how to redirect users' traffic to the agent download page. I'm using a Cisco switch and a ClearPass 802.1X service.

    ------------------------------
    Duy Anh
    ------------------------------